[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
Rowland Penny
rpenny at samba.org
Mon Sep 4 20:26:06 UTC 2023
On Mon, 4 Sep 2023 22:09:35 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Team,
>
>
> I am setting up a new AD-domain, the first DC is just operational and
> some users and groups are created.
>
> This run on Debian 11, Samba 4.18.6 and it is set up with the same
> (but evolved) Ansible code I used for my other domains (all of them
> on different networks and independent of each other). The older
> domains were initially set up with Samba 4.14 and another with 4.15
> and upgraded many times since, the new setup with 4.18.6. In all
> places gets installed from the same debian packages.
>
> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
> exactly the same (apart from the domain name etc.) on the existing
> domains and the new domain. And all domains were provisioned with
> '--use-rfc2307'.
>
> 'samba-tool processes | wc -l' is equal between old and new: 24
> lines. And ps aux | grep winbindd also shows an equal number of
> winbind processes.
>
> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
> and group.
>
>
> Now the mystery starts: there is a difference in id (uid/gid) lookups
> on a DC between the older domains and the new domain.
>
> It looks like the new domain is not querying
> /var/lib/samba/private/idmap.ldb (but is does exist there), whereas
> the older once are.
>
> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
>
> On the old domain(s) this results (as expected) in:
>
> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
>
> But on the new domain the lookup has no result.
>
> The winbind logging is equally different, on the old domain (success):
>
> [2023/09/04 20:55:56.243929, 3]
> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> winbindd_interface_version: [nss_winbind (2502996)]: request
> interface version (version = 32)
> [2023/09/04 20:55:56.243999, 3]
> ../../source3/winbindd/winbindd.c:497(process_request_send)
> process_request_send: [nss_winbind (2502996)] Handling async
> request: GETPWNAM
> [2023/09/04 20:55:56.244007, 3]
> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> [nss_winbind (2502996)] Winbind external command GETPWNAM start.
> Query username 'OLDDOM\domain admins'.
> [2023/09/04 20:55:56.244312, 3]
> ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
> Winbind external command GETPWNAM end.
> (name:passwd:uid:gid:gecos:dir:shell)
> OLDDOM\domain admins:*:3000004:3000004::/home/domain
> admins:/bin/bash [2023/09/04 20:55:56.244322, 3]
> ../../source3/winbindd/winbindd.c:564(process_request_done)
> process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
> [2023/09/04 20:55:57.091601, 3]
> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> winbindd_interface_version: [nss_winbind (2502997)]: request
> interface version (version = 32)
> [2023/09/04 20:55:57.091800, 3]
> ../../source3/winbindd/winbindd.c:497(process_request_send)
> process_request_send: [nss_winbind (2502997)] Handling async
> request: GETGROUPS
> [2023/09/04 20:55:57.091817, 3]
> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
> [nss_winbind (2502997)] Winbind external command GETGROUPS start.
> Searching groups for username 'root'.
> [2023/09/04 20:55:57.093936, 3]
> ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
> : lookup_usergroups_cached
> [2023/09/04 20:55:57.106212, 3]
> ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
> Winbind external command GETGROUPS end.
> Received 2 entries.
> [2023/09/04 20:55:57.106337, 3]
> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> 0: GID 10000
> [2023/09/04 20:55:57.106344, 3]
> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> 1: GID 10019
> [2023/09/04 20:55:57.106350, 3]
> ../../source3/winbindd/winbindd.c:564(process_request_done)
> process_request_done: [nss_winbind(2502997):GETGROUPS]:
> NT_STATUS_OK
>
> On the new domain (no result):
>
> [2023/09/04 20:54:18.579629, 3]
> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> winbindd_interface_version: [nss_winbind (43590)]: request
> interface version (version = 32)
> [2023/09/04 20:54:18.579686, 3]
> ../../source3/winbindd/winbindd.c:497(process_request_send)
> process_request_send: [nss_winbind (43590)] Handling async
> request: GETPWNAM
> [2023/09/04 20:54:18.579701, 3]
> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> [nss_winbind (43590)] Winbind external command GETPWNAM start.
> Query username 'NEWDOM\domain admins'.
> [2023/09/04 20:54:18.582975, 1]
> ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
> XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
> [2023/09/04 20:54:18.582990, 1]
> ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-435088123-233829246-2133031062-512:
> NT_STATUS_NO_SUCH_USER
> [2023/09/04 20:54:18.582995, 3]
> ../../source3/winbindd/winbindd.c:564(process_request_done)
> process_request_done: [nss_winbind(43590):GETPWNAM]:
> NT_STATUS_NO_SUCH_USER
>
> Another indication that /var/lib/samba/private/idmap.ldb is not used
> comes from the group lookup of domain admins:
>
> getent group '<DOMAIN-NAME>\domain admins'
>
> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber
> in idmap.ldb)
>
> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in
> the ldap record of the group)
>
>
> Would could cause this different behaviour (on these 2 very similar
> environments)?
You giving Domain Admins a gidNumber attribute, which by the way has
just broken sysvol.
Rowland
More information about the samba
mailing list