[Samba] inconsistend ID mapping with rid backend and ctdb
Jochen Korge || PCSM GmbH
Jochen.Korge at pcsm.de
Thu Feb 24 20:18:01 UTC 2022
Thanks for the quick reply.
I made the change regarding the netbios name yesterday. We got all IDs in the RID range. Today several "moved back" to the tdb range.
Do I have to drop the tdb database? And if so, ctdb getdbmap shows several possible databases.
We joined a Domain with 2008 Schema and unfortunately we do have some Windows XP Clients we can not update or replace.
Enum was for debugging purpose.
Best regards,
Mobil +49 711 28695277
Crailsheimerstrasse 15, 70435, Stuttgart
Tel. +49 711 230 44 96
Fax +49 711 230 44 97
Managing Director: Thomas Martin | Registered office: Stuttgart
Stuttgart District Court, HRB no.: 733394 / VAT ID: DE815181359
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Thursday, 24 February 2022 20:58
To: samba at lists.samba.org
Subject: Re: [Samba] inconsistend ID mapping with rid backend and ctdb
On Thu, 2022-02-24 at 19:28 +0000, Jochen Korge || PCSM GmbH via samba
> Hi,
> we realized some permission-Issues (Some users were unable to change
> or write files and folders, read-permissions seemed to work as
> After some investigation we encounter "flapping" UID/GID mappings
> between the configured RID and TDB ranges.
> E.g. the group "domain-users" flaps between 3008 and 1000513, an
> Admin-User Account flaps between 3097 and 1001103.
> After startup it seems to take ids in the higher (rid) range and after
> some hours it swaps to the lower (tdb) range.
> The really strange part is, that the different gids were shown at the
> same time on the three servers.
> When I restart only one machine, it shows IDs in the 1m range, while
> the other 2 stay at 3k.
> Within a machine, getent and wbinfo stay consistent, between machines
> (even ctdb status shows healthy cluster) the results are sometimes
> Only strange behavior (apart from changing IDs) I found:
> wbinfo -s SomeSID
> wbinfo --lookup-sids SomeSID
> SomeSID -> <none>\username
> What might have caused that havoc:
> I changed (after the problems emerged)
> idmap config OUR.DOMAIN.FQDN
That was incorrect
> idmap config OURDOMAIN
That is correct
> Our Setup consists of 3 Machines running Samba 4.13.13 (Debian
> Bullseye) with CTDB as Member Servers and vfs_ceph backend. Clients
> are 100% Windows (from XP to 11) and users are all from the Domain.
> AD-side is one Windows 2019 DC holding all FSMO roles behind a
> Firewall, 2 Samba-ADDCs serving the clients and CTDB-cluster.
How have you joined a Samba DC to a 2019 domain?
> Relevant testparm output (consistent between machines):
> clustering = Yes
> kerberos method = secrets and keytab
> netbios aliases = OURNASHA OURNAS01 OURNAS02 OURNAS03
> netbios name = OURNASHA
> realm = OUR.DOMAIN.FQDN
> registry shares = Yes
> security = ADS
> server min protocol = NT1
Why use SMBv1? Does something rely on it?
> server role = member server
> winbind enum groups = Yes
> winbind enum users = Yes
You can remove the 'enum' lines, you do not need them.
> winbind expand groups = 4
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = OURDOMAIN
> smbd: backgroundqueue = no
> idmap config OURDOMAIN : range = 1000000-1999999
> idmap config OURDOMAIN : backend = rid
You should get constant numbers now and that should include Domain Users, which should get '1000513'
> idmap config * : range = 3000-7999
> ctdb:registry.tdb = yes
> idmap config * : backend = tdb
> admin users = @domänen-admins @sudo
> hide unreadable = Yes
> kernel share modes = No
> map acl inherit = Yes
> path = /share1/
> read only = No
> vfs objects = acl_xattr ceph_snapshots ceph
> acl_xattr:ignore system acls = yes
> ceph: user_id = samba.gw
> ceph: config_file = /etc/ceph/ceph.conf
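A consistency check for the situation discussed in this thread, as an added example that is not part of either message: it derives the ID the rid backend should produce from the quoted `idmap config` lines, using the formula from the idmap_rid documentation (ID = RID - BASE_RID + LOW_RANGE_ID), and flags cluster nodes that report an ID from the default-domain tdb range instead. The domain SID is a placeholder, and which node reports which ID is constructed sample data; the node names are the netbios aliases from the testparm output.

```python
import re

# idmap lines as quoted in the thread's testparm output
SMB_CONF = """
idmap config OURDOMAIN : range = 1000000-1999999
idmap config OURDOMAIN : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
"""

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}}."""
    domains = {}
    pat = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)")
    for dom, key, val in pat.findall(conf):
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val
    return domains

def expected_rid_id(sid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID."""
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} does not fit range {low}-{high}")
    return uid

def check_nodes(sid, observed, domains, domain="OURDOMAIN"):
    """Compare each node's ID for sid with the deterministic rid value."""
    want = expected_rid_id(sid, *domains[domain]["range"])
    tdb_low, tdb_high = domains["*"]["range"]
    report = {}
    for node, got in observed.items():
        if got == want:
            report[node] = "ok"
        elif tdb_low <= got <= tdb_high:
            report[node] = f"default-domain (tdb) ID {got}, expected {want}"
        else:
            report[node] = f"unexpected ID {got}, expected {want}"
    return want, report

# Constructed sample: placeholder domain SID with RID 513 (Domain Users)
SID = "S-1-5-21-1111111111-2222222222-3333333333-513"
OBSERVED = {"OURNAS01": 1000513, "OURNAS02": 3008, "OURNAS03": 3008}

if __name__ == "__main__":
    want, report = check_nodes(SID, OBSERVED, parse_idmap(SMB_CONF))
    for node, status in sorted(report.items()):
        print(node, status)
```

In practice the `OBSERVED` values would come from running `wbinfo --sid-to-gid` (or `--sid-to-uid`) for the same SID on each node.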