[Samba] strange troubles in idmapping

Rowland Penny rpenny@samba.org
Sat Apr 22 08:55:25 UTC 2023



On 22/04/2023 07:24, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List
> 
> suddenly I have a problem in my AD SAMBA server (rfc2307 in use, 20k+ 
> users, 15+ years of samba usage)...
> 
> some users have wrong id_map.
> 
> good:
> 
> root@themes:/var/lib/samba/private# wbinfo -n XXXXXXd0
> S-1-5-21-3156691614-3416019035-1284015310-128614 SID_USER (1)
> root@themes:/var/lib/samba/private# wbinfo -S S-1-5-21-3156691614-3416019035-1284015310-128614
> 32845
> 
> bad:
> 
> root@themes:/var/lib/samba/private# wbinfo -n YYYYYYe
> S-1-5-21-3156691614-3416019035-1284015310-127088 SID_USER (1)
> root@themes:/var/lib/samba/private# wbinfo -S S-1-5-21-3156691614-3416019035-1284015310-127088
> 3001681
> 
> WHY does this happen?

I have no idea, it shouldn't.

> 
> 
> user YYYYYYe exists in idmap (user XXXXXXd0 does not exist in idmap)

It shouldn't matter if they are in idmap.ldb or not.

> 
> root@themes:/var/lib/samba/private/sam.ldb.d# ldbsearch -H /var/lib/samba/private/idmap.ldb CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> # record 1
> dn: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> cn: S-1-5-21-3156691614-3416019035-1284015310-127088
> objectClass: sidMap
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
> type: ID_TYPE_BOTH
> xidNumber: 3001681
> distinguishedName: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> but even if I delete that record from /var/lib/samba/private/idmap.ldb it 
> will be recreated with a new id -> so somewhat instead of using
> 
> 
> Best Regards
> 
> PS-some infos:
> 
> root@themes:/var/lib/samba/private/sam.ldb.d# samba -V
> Version 4.15.13-Ubuntu
> 
> (van belle ad version)

You really need to upgrade Samba. Have a search on this list; Michael, 
the Debian Samba maintainer, is supplying Ubuntu Samba packages.

> 
> 
> I use rfc2307 extension:
> 
> [global]
>          realm = AD.WSISIZ.EDU.PL
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

Not that it can be relevant, but you appear to be using Bind9 for the 
dns server.

>          workgroup = WSISIZ.EDU.PL

Why does your workgroup have dots in it?
Also, why is it the opposite of every recommendation, which is to use the 
left hand part of the realm, which in your case would be 'AD'?

>          idmap_ldb:use rfc2307 = yes

That line means: use any uidNumber and gidNumber attributes in AD and 
ignore the xidNumber attributes in idmap.ldb. This is where the problem 
sets in; your DC doesn't seem to be doing this.

>          dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>          wins server =  213.135.44.33

Why do you have 'wins server' set? AD does not use WINS, it uses DNS.

>          ntlm auth = mschapv2-and-ntlmv2-only
>          min domain uid = 0
>          tls enabled  = yes
>          tls keyfile  = tls/key.pem
>          tls certfile = tls/cert.pem
>          tls cafile   =
> 

I have the feeling that the smb.conf continues here with shares (over 
and above the netlogon & sysvol shares); you do know that this is not 
recommended?

> user which works:
> 
> root@themes:/var/lib/samba/private# samba-tool user show XXXXXXd0
> dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: XXXXXXd0
> instanceType: 4
> whenCreated: 20230316125223.0Z
> uSNCreated: 158183212
> name: XXXXXXd0
> objectGUID: 9d01ecf4-f5b6-422e-90ed-febc81fca2f8
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: \\oceanic\XXXXXXd0
> homeDrive: Z:
> badPasswordTime: 0
> lastLogoff: 0
> scriptPath: login.bat
> primaryGroupID: 513
> profilePath: \\oceanic\XXXXXXd0\profile
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
> accountExpires: 9223372036854775807
> sAMAccountName: XXXXXXd0
> sAMAccountType: 805306368
> userPrincipalName: XXXXXXd0@ad.wsisiz.edu.pl
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
> mail: XXXXXXd0@wit.edu.pl
> uidNumber: 32845
> gecos: Temporary User
> loginShell: /bin/bash
> msSFU30NisDomain: wsisiz.edu.pl
> msSFU30Name: XXXXXXd0
> unixUserPassword: ABCD!efgh12345$67890
> userAccountControl: 512
> gidNumber: 101
> unixHomeDirectory: /home/staff/XXXXXXd0
> displayName: Daniel XXXXXXak
> description: Daniel XXXXXXak
> memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> pwdLastSet: 133234629994492940
> lastLogonTimestamp: 133261378445031020
> whenChanged: 20230416165724.0Z
> uSNChanged: 161980087
> lastLogon: 133264880809991990
> logonCount: 174
> distinguishedName: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> 
> user which does not work:
> 
> root@themes:/var/lib/samba/private# samba-tool user show YYYYYYe
> dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: YYYYYYe
> instanceType: 4
> whenCreated: 20220601202617.0Z
> uSNCreated: 117943020
> name: YYYYYYe
> objectGUID: 896ceb98-04cc-45de-b1c5-5f51e5711c83
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: \\oceanic\YYYYYYe
> homeDrive: Z:
> badPasswordTime: 0
> lastLogoff: 0
> scriptPath: login.bat
> primaryGroupID: 513
> profilePath: \\oceanic\YYYYYYe\profile
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
> accountExpires: 9223372036854775807
> sAMAccountName: YYYYYYe
> sAMAccountType: 805306368
> userPrincipalName: YYYYYYe@ad.wsisiz.edu.pl
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
> mail: YYYYYYe@wit.edu.pl
> uidNumber: 31667
> gidNumber: 100
> gecos: Temporary User
> loginShell: /bin/bash
> msSFU30NisDomain: wsisiz.edu.pl
> msSFU30Name: YYYYYYe
> unixUserPassword: ABCD!efgh12345$67890
> userAccountControl: 512
> unixHomeDirectory: /home/2022/gr/YYYYYYe
> displayName: Erwin YYYYYY
> description: Erwin YYYYYY
> memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=windows-admini,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> pwdLastSet: 133185514481333840
> lastLogonTimestamp: 133260130599284170
> whenChanged: 20230415061739.0Z
> uSNChanged: 161920835
> lastLogon: 133260378126465240
> logonCount: 195
> distinguishedName: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> 
> 

I can see no reason why your problem is occurring, not from the 
information provided. I suggest you set 'log level = 10' and see if 
anything pops up in the logs.

Rowland
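Rowland's point above is that with 'idmap_ldb:use rfc2307 = yes' the uidNumber stored in AD must win over any xidNumber cached in idmap.ldb. The script below is an added check, written for this page and not taken from the thread or from Samba itself: it reads the LDIF that ldbsearch prints for the users and for idmap.ldb, plus the ids that 'wbinfo -S' actually returned, and flags every account where the three disagree. The sample input is constructed from the two accounts quoted above; the ldbsearch filters, the file paths and the function names are assumptions about a default Debian/Ubuntu DC.

```python
"""Cross-check the rfc2307 uidNumber in AD against idmap.ldb and winbind.

Added example, not Samba code. On a live DC the input comes from
(paths are the Debian/Ubuntu defaults, filters are an assumption):
  ldbsearch -H /var/lib/samba/private/sam.ldb \
      '(&(objectClass=user)(uidNumber=*))' sAMAccountName objectSid uidNumber
  ldbsearch -H /var/lib/samba/private/idmap.ldb \
      '(objectClass=sidMap)' objectSid xidNumber type
  wbinfo -S <SID>      # one call per SID, to build the RESOLVED map
"""


def parse_ldif(text):
    """Parse ldbsearch's LDIF output into a list of {attr: [values]} dicts.

    Skips '#' comment lines, splits records on blank lines and honours
    LDIF continuation lines (a leading single space continues the previous
    value). Attributes may repeat (e.g. memberOf), so values are lists.
    """
    records, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        records.append(current)
    return records


def first(rec, attr):
    """First value of an attribute, or None if the record lacks it."""
    vals = rec.get(attr)
    return vals[0] if vals else None


def check_idmap(users_ldif, idmap_ldif, resolved=None):
    """One finding per AD user that carries a uidNumber.

    status:
      'ok'             winbind (if known) returns the AD uidNumber and
                       idmap.ldb has no entry or agrees with AD
      'stale_cache'    idmap.ldb caches a different xidNumber; with
                       'idmap_ldb:use rfc2307 = yes' AD should still win
      'winbind_wrong'  wbinfo -S returned something other than uidNumber,
                       i.e. the symptom reported in the thread
    """
    cache = {}
    for rec in parse_ldif(idmap_ldif):
        sid, xid = first(rec, "objectSid"), first(rec, "xidNumber")
        if sid and xid:
            cache[sid] = int(xid)

    findings = []
    for rec in parse_ldif(users_ldif):
        sid, uid = first(rec, "objectSid"), first(rec, "uidNumber")
        if not sid or uid is None:
            continue
        uid = int(uid)
        cached = cache.get(sid)
        got = resolved.get(sid) if resolved else None
        if got is not None and got != uid:
            status = "winbind_wrong"
        elif cached is not None and cached != uid:
            status = "stale_cache"
        else:
            status = "ok"
        findings.append({"name": first(rec, "sAMAccountName"), "sid": sid,
                         "uidNumber": uid, "cached_xid": cached,
                         "resolved": got, "status": status})
    return findings


# Constructed sample input, reduced to the attributes that matter, taken
# from the two accounts shown in the thread.
SID_GOOD = "S-1-5-21-3156691614-3416019035-1284015310-128614"
SID_BAD = "S-1-5-21-3156691614-3416019035-1284015310-127088"

USERS_LDIF = f"""# record 1
dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: XXXXXXd0
objectSid: {SID_GOOD}
uidNumber: 32845

# record 2
dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: YYYYYYe
objectSid: {SID_BAD}
uidNumber: 31667
"""

# Only the 'bad' user has an idmap.ldb entry; 3001681 is an id the DC's own
# allocator handed out, not a value that exists anywhere in AD.
IDMAP_LDIF = f"""# record 1
dn: CN={SID_BAD}
objectSid: {SID_BAD}
type: ID_TYPE_BOTH
xidNumber: 3001681
"""

# What 'wbinfo -S' printed for each SID in the thread.
RESOLVED = {SID_GOOD: 32845, SID_BAD: 3001681}

if __name__ == "__main__":
    for f in check_idmap(USERS_LDIF, IDMAP_LDIF, RESOLVED):
        print(f"{f['status']:14} {f['name']:10} uidNumber={f['uidNumber']} "
              f"idmap.ldb={f['cached_xid']} wbinfo={f['resolved']}")
```

Run against the live LDIF this lists every user whose winbind id is not the AD uidNumber, which is the set to look at in the level 10 logs; a 'stale_cache' entry on its own is harmless while rfc2307 lookups work, but it is exactly the id a user would get if the DC ever fell back to idmap.ldb.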