[Samba] inconsistent ID mapping with rid backend and ctdb

Jochen Korge || PCSM GmbH Jochen.Korge at pcsm.de
Fri Feb 25 12:46:17 UTC 2022


After further investigation I found two ways to consistently trigger the GID change:

"sudo smbstatus":
jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
1000513
jochen@srvnas02:~$ sudo smbstatus
....
jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
3008

"wbinfo -G 3008":
jochen@srvnas02:~$ wbinfo -G 1000513
S-1-5-21-XXXX-XXXX-XXXX-513
jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
1000513
jochen@srvnas02:~$ wbinfo -G 3008 <-- does change the GID
S-1-5-21-XXXX-XXXX-XXXX-513
jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
3008
jochen@srvnas02:~$ wbinfo -G 1000513 <-- does NOT change it back
S-1-5-21-XXXX-XXXX-XXXX-513
jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
3008

With "wbinfo -G or -U" I can trigger the change for each existing group/user.
Smbstatus "only" changes the "domain user" gid.

"net cache flush" resets it, but unfortunately it does not stick.

What still triggers me is the "<none>" Domain in lookup-sids (happens to all users/groups)
jochen@srvnas02:~$ wbinfo --lookup-sids S-1-5-21-XXXX-XXXX-XXXX-513
S-1-5-21-XXXX-XXXX-XXXX-513 -> <none>\Domänen-Benutzer 2
though
jochen@srvnas02:~$ wbinfo -s S-1-5-21-XXXX-XXXX-XXXX-513
OURDOMAIN\Domänen-Benutzer 2
Works as expected.



Best regards,
Jochen Korge
Mobile +49 711 28695277

PCSM GmbH
Crailsheimerstrasse 15, 70435, Stuttgart
Tel.  +49 711 230 44 96
Fax  +49 711 230 44 97
Managing Director: Thomas Martin | Registered office: Stuttgart
Stuttgart District Court, HRB No.: 733394 / VAT ID No.: DE815181359



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Jochen Korge || PCSM GmbH via samba
Sent: Friday, 25 February 2022 08:42
To: Rowland Penny <rpenny at samba.org>; sambalist <samba at lists.samba.org>
Subject: Re: [Samba] inconsistent ID mapping with rid backend and ctdb

Unfortunately it did not fix it.
After "net cache flush" and a restart everything seemed ok.
Overnight the Group jumped back to 3008 and access was denied again. We didn't monitor it though, so we do not know when it happened exactly.
It seems like it always starts on the RID-Range and then after some time "falls down" to the tdb range.
getent passwd showed 1000513 yesterday as primary gid and today all users changed to 3008.
This one group is only the most prominent, it happens to other groups and a few users as well.




Best regards,
Jochen Korge



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Thursday, 24 February 2022 21:40
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] inconsistent ID mapping with rid backend and ctdb

On Thu, 2022-02-24 at 20:18 +0000, Jochen Korge || PCSM GmbH wrote:
> Thanks for the quick reply.
>
> I made the change regarding the netbios name yesterday. We got all IDs 
> in the RID range. Today several "moved back" to the tdb range.
> Do I have to drop the tdb database? And if so, ctdb getdbmap shows 
> several possible databases.

Try running 'net cache flush' on all cluster members, this should flush the authentication database on each member.

>
> We joined a Domain with 2008 Schema and unfortunately we do have some 
> Windows XP Clients we can not update or replace.

Ah, so the 2019 DC is still using the 2008 schema, I wasn't aware this was allowed.

> Enum was for debugging purpose.

That is all they are fit for.

Rowland
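
An added example, not part of the thread and not Samba project code: a POSIX shell check that could be run from cron on each cluster node to timestamp the moment a SID's GID leaves the rid range, using the `wbinfo -Y` lookup shown in the messages above. The function names and range bounds are assumptions; the low bound 1000000 is inferred from the 1000513 reported for RID 513, and the formula is the one documented in idmap_rid(8).

```shell
#!/bin/sh
# ASSUMPTION: rid range 1000000-1999999 and base_rid 0. Take the real
# values from the "idmap config DOMAIN : range" line in smb.conf.
RID_LOW=${RID_LOW:-1000000}
RID_HIGH=${RID_HIGH:-1999999}
BASE_RID=${BASE_RID:-0}

# idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID
# The RID is the last dash-separated component of the SID.
expected_id() {
    rid=${1##*-}
    echo $(( rid - BASE_RID + RID_LOW ))
}

# classify SID OBSERVED_ID
# Prints "ok", or a reason the observed ID is not what rid would compute.
classify() {
    case "$2" in
        ''|*[!0-9]*) echo "non-numeric got=$2"; return ;;
    esac
    want=$(expected_id "$1")
    if [ "$2" -eq "$want" ]; then
        echo ok
    elif [ "$2" -lt "$RID_LOW" ] || [ "$2" -gt "$RID_HIGH" ]; then
        # e.g. 3008 in the thread: an ID from another (tdb) range
        echo "out-of-range want=$want got=$2"
    else
        echo "mismatch want=$want got=$2"
    fi
}

# check_sid SID
# Asks winbind for the GID and logs a UTC-timestamped line on drift.
# Returns 0 when consistent, 1 on drift, 2 when the lookup itself fails.
check_sid() {
    got=$(wbinfo -Y "$1") || {
        echo "$(date -u +%FT%TZ) $1 lookup-failed"
        return 2
    }
    verdict=$(classify "$1" "$got")
    [ "$verdict" = ok ] && return 0
    echo "$(date -u +%FT%TZ) $1 $verdict"
    return 1
}
```

Calling `check_sid` for the affected group SIDs every minute and appending the output to a log gives the time of each change, which can then be matched against the ctdb and winbind logs of the same node.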


