[Samba] strange troubles in idmapping

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sat Apr 22 06:24:14 UTC 2023


Dear List

Suddenly I have a problem in my AD Samba server (rfc2307 in use, 20k+ 
users, 15+ years of Samba usage)...

Some users have a wrong id_map.

good:

root at themes:/var/lib/samba/private# wbinfo -n XXXXXXd0
S-1-5-21-3156691614-3416019035-1284015310-128614 SID_USER (1)
root at themes:/var/lib/samba/private# wbinfo -S S-1-5-21-3156691614-3416019035-1284015310-128614
32845

bad:

root at themes:/var/lib/samba/private# wbinfo -n YYYYYYe
S-1-5-21-3156691614-3416019035-1284015310-127088 SID_USER (1)
root at themes:/var/lib/samba/private# wbinfo -S S-1-5-21-3156691614-3416019035-1284015310-127088
3001681

WHY does this happen?


User YYYYYYe exists in idmap (user XXXXXXd0 does not exist in idmap).

root at themes:/var/lib/samba/private/sam.ldb.d# ldbsearch -H /var/lib/samba/private/idmap.ldb CN=S-1-5-21-3156691614-3416019035-1284015310-127088
# record 1
dn: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
cn: S-1-5-21-3156691614-3416019035-1284015310-127088
objectClass: sidMap
objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
type: ID_TYPE_BOTH
xidNumber: 3001681
distinguishedName: CN=S-1-5-21-3156691614-3416019035-1284015310-127088

# returned 1 records
# 1 entries
# 0 referrals

But even if I delete that record from /var/lib/samba/private/idmap.ldb, it 
will be recreated with a new id -> so somewhat instead of using


Best Regards

PS - some info:

root at themes:/var/lib/samba/private/sam.ldb.d# samba -V
Version 4.15.13-Ubuntu

(Van Belle AD version)


I use rfc2307 extension:

[global]
         realm = AD.WSISIZ.EDU.PL
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = WSISIZ.EDU.PL
         idmap_ldb:use rfc2307 = yes
         dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
         wins server =  213.135.44.33
         ntlm auth = mschapv2-and-ntlmv2-only
         min domain uid = 0
         tls enabled  = yes
         tls keyfile  = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile   =

user which works:

root at themes:/var/lib/samba/private# samba-tool user show XXXXXXd0
dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: XXXXXXd0
instanceType: 4
whenCreated: 20230316125223.0Z
uSNCreated: 158183212
name: XXXXXXd0
objectGUID: 9d01ecf4-f5b6-422e-90ed-febc81fca2f8
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\oceanic\XXXXXXd0
homeDrive: Z:
badPasswordTime: 0
lastLogoff: 0
scriptPath: login.bat
primaryGroupID: 513
profilePath: \\oceanic\XXXXXXd0\profile
objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
accountExpires: 9223372036854775807
sAMAccountName: XXXXXXd0
sAMAccountType: 805306368
userPrincipalName: XXXXXXd0 at ad.wsisiz.edu.pl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
mail: XXXXXXd0 at wit.edu.pl
uidNumber: 32845
gecos: Temporary User
loginShell: /bin/bash
msSFU30NisDomain: wsisiz.edu.pl
msSFU30Name: XXXXXXd0
unixUserPassword: ABCD!efgh12345$67890
userAccountControl: 512
gidNumber: 101
unixHomeDirectory: /home/staff/XXXXXXd0
displayName: Daniel XXXXXXak
description: Daniel XXXXXXak
memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
pwdLastSet: 133234629994492940
lastLogonTimestamp: 133261378445031020
whenChanged: 20230416165724.0Z
uSNChanged: 161980087
lastLogon: 133264880809991990
logonCount: 174
distinguishedName: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl

user which does not work:

root at themes:/var/lib/samba/private# samba-tool user show YYYYYYe
dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: YYYYYYe
instanceType: 4
whenCreated: 20220601202617.0Z
uSNCreated: 117943020
name: YYYYYYe
objectGUID: 896ceb98-04cc-45de-b1c5-5f51e5711c83
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\oceanic\YYYYYYe
homeDrive: Z:
badPasswordTime: 0
lastLogoff: 0
scriptPath: login.bat
primaryGroupID: 513
profilePath: \\oceanic\YYYYYYe\profile
objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
accountExpires: 9223372036854775807
sAMAccountName: YYYYYYe
sAMAccountType: 805306368
userPrincipalName: YYYYYYe at ad.wsisiz.edu.pl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
mail: YYYYYYe at wit.edu.pl
uidNumber: 31667
gidNumber: 100
gecos: Temporary User
loginShell: /bin/bash
msSFU30NisDomain: wsisiz.edu.pl
msSFU30Name: YYYYYYe
unixUserPassword: ABCD!efgh12345$67890
userAccountControl: 512
unixHomeDirectory: /home/2022/gr/YYYYYYe
displayName: Erwin YYYYYY
description: Erwin YYYYYY
memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
memberOf: CN=windows-admini,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
pwdLastSet: 133185514481333840
lastLogonTimestamp: 133260130599284170
whenChanged: 20230415061739.0Z
uSNChanged: 161920835
lastLogon: 133260378126465240
logonCount: 195
distinguishedName: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl


-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail:Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
MSTEAMS:solarz at office.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you must lie in it
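As an added example (not the poster's code or part of Samba), a small Python checker for the situation described above: it parses LDIF-style output in the shape that samba-tool user show and ldbsearch print, and reports AD users whose rfc2307 uidNumber differs from the xidNumber cached for their SID in idmap.ldb. The sample records are constructed, and the 3000000 threshold is idmap.ldb's default allocation lower bound, used only to flag whether the cached xid looks pool-allocated.

```python
import re

# Constructed sample in the LDIF shape samba-tool user show prints (made-up SIDs).
AD_USERS_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1-2-3-1001
sAMAccountName: alice
uidNumber: 32845

dn: CN=bob,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1-2-3-1002
sAMAccountName: bob
uidNumber: 31667
"""

# Constructed idmap.ldb record: bob's xid was allocated from the pool, not from uidNumber.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1-2-3-1002
objectSid: S-1-5-21-1-2-3-1002
type: ID_TYPE_BOTH
xidNumber: 3001681
"""

def parse_ldif(text):
    """Split LDIF into dicts; joins ' '-indented folded lines, drops '#' comments."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in chunk.splitlines():
            if line.startswith(" ") and lines:  # LDIF line folding
                lines[-1] += line[1:]
            elif not line.startswith("#"):
                lines.append(line)
        pairs = [l.partition(":") for l in lines]
        rec = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if rec:
            records.append(rec)
    return records

def find_idmap_conflicts(ad_ldif, idmap_ldif, alloc_base=3000000):
    """sAMAccountName -> (uidNumber, xidNumber, xid_from_pool) where they disagree."""
    xids = {r["objectSid"]: int(r["xidNumber"])
            for r in parse_ldif(idmap_ldif) if "xidNumber" in r}
    conflicts = {}
    for u in parse_ldif(ad_ldif):
        sid, uid = u.get("objectSid"), u.get("uidNumber")
        if sid in xids and uid is not None and int(uid) != xids[sid]:
            # xid at/above alloc_base came from idmap.ldb's pool (default lower bound 3000000)
            conflicts[u["sAMAccountName"]] = (int(uid), xids[sid], xids[sid] >= alloc_base)
    return conflicts
```

Feed it the real output of `ldbsearch -H sam.ldb '(uidNumber=*)' objectSid sAMAccountName uidNumber` and `ldbsearch -H idmap.ldb '(objectClass=sidMap)'` to list every account in the same state as YYYYYYe before deciding how to correct the cached entries.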

