Well I upgraded from 4.4.6 to 4.5.0 and discovered that one of my user accounts is completely borked. What is very strange is that everything in Samba looks okay. Here is the first problem symptom. The data is from the DC.

    total 80
    drwxr-xr-x.  7 root               root                 4096 Oct  9 01:15 .
    drwx------+ 77 SAMDOM\prg-11868bg SAMDOM\domain users 20480 Oct  9 00:55 prg-11868bg
    drwx------+ 39 3001108            SAMDOM\domain users  4096 Oct  9 00:30 sln-11868bg

Note that the directory sln-11868bg is owned by 3001108 instead of SAMDOM\sln-11868bg. But everything seems like it should be correct. For example:

    > getent passwd sln-11868bg
    SAMDOM\sln-11868bg:*:3001108:3000513:John Q. Public:/home/sln-11868bg:/bin/bash

    > samba-tool user list
    sln-11868bg
    Administrator
    prg-11868bg
    krbtgt
    Guest

    > wbinfo -n sln-11868bg
    S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)

    > wbinfo --sid-to-uid S-1-5-21-729452656-3029571206-2736118167-1143
    3001108

    > ldbedit -H /var/lib/samba/private/idmap.ldb
    # record 16
    dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
    cn: S-1-5-21-729452656-3029571206-2736118167-1143
    objectClass: sidMap
    objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
    type: ID_TYPE_BOTH
    xidNumber: 3000062
    distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143

    > ldbedit -H /var/lib/samba/private/sam.ldb
    (sanitized the record by changing addresses, telephone numbers and names)
    # record 274
    dn: CN=John Q. Public,CN=Users,DC=samdom,DC=example,DC=com
    sn: Public
    c: US
    l: Some City
    st: InSomeState
    postalCode: 88888
    givenName: John
    instanceType: 4
    whenCreated: 20141220195750.0Z
    uSNCreated: 5115
    co: United States
    company: SAMDOM
    objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
    badPwdCount: 0
    codePage: 0
    countryCode: 840
    homeDirectory: \\nikita\home\sln-11868bg
    homeDrive: H:
    badPasswordTime: 0
    lastLogoff: 0
    primaryGroupID: 513
    objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
    accountExpires: 9223372036854775807
    sAMAccountName: sln-11868bg
    sAMAccountType: 805306368
    userPrincipalName: sln-11868bg@samdom.example.com
    userAccountControl: 66048
    memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=SAMDOMOU,DC=samdom,DC=example,DC=com
    cn: John Q. Public
    name: John Q. Public
    streetAddress: 478 Some St.
    initials: Q
    displayName: John Q. Public
    gidNumber: 3000513
    lockoutTime: 0
    loginShell: /bin/bash
    mail: sPublic@example.com
    mobile: (555)555-5555
    msDS-SupportedEncryptionTypes: 0
    telephoneNumber: (555)555-5555
    title: The Bigger Boss
    uidNumber: 3001108
    unixHomeDirectory: /home/sln-11868bg
    objectClass: top
    objectClass: posixAccount
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
    profilePath: \\nikita\home\Profiles\sln-11868bg
    pwdLastSet: 131111097150000000
    lastLogonTimestamp: 131203623889809690
    whenChanged: 20161008010628.0Z
    uSNChanged: 5656
    lastLogon: 131204700204284310
    logonCount: 16
    distinguishedName: CN=John Q. Public,CN=Users,DC=samdom,DC=example,DC=com

Why is the owner showing up as the uidNumber 3001108 and not mapped to SAMDOM\sln-11868bg? I am desperate as my wife's Profile and Home directory can no longer be accessed. I am at my wits' end on this one. I see no reason why there should be an issue with this one account and my account and the Administrator's accounts are fine. Any suggestions?

-- 
Paul (ganci at example.com)
Cell: (303)257-5208
On Sun, 9 Oct 2016 01:58:00 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> Why is the owner showing up as the uidNumber 3001108 and not mapped
> to SAMDOM\sln-11868bg? I am desperate as my wife's Profile and Home
> directory can no longer be accessed. I am at my wits' end on this one.
> I see no reason why there should be an issue with this one account and
> my account and the Administrator's accounts are fine. Any suggestions?
>

Have you by any chance got another 3001108 'xidNumber' in idmap.ldb ?
If you give a user a 'uidNumber' attribute, the contents of this will be
used instead of the 'xidNumber' in idmap.ldb, hence you do not need to
(and probably shouldn't) use numbers in the '3000000' range.

Rowland
On 10/09/2016 02:51 AM, Rowland Penny via samba wrote:
> Have you by any chance got another 3001108 'xidNumber' in idmap.ldb ?
> If you give a user a 'uidNumber' attribute, the contents of this will be
> used instead of the 'xidNumber' in idmap.ldb, hence you do not need to
> (and probably shouldn't) use numbers in the '3000000' range.

I managed to make this right at least for the DC, two Windows 7 Professional boxes, and two CentOS 6 systems. I have one CentOS 6 VM that doesn't work but it would seem that has to be specific to the VM. In order to fix the problem I had "accidentally" removed this line

    idmap_ldb:use rfc2307 = yes

from the DC /etc/samba/smb.conf:

    # Global parameters
    [global]
        server string = Example Active Directory Server
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        netbios name = DC_EXAMPLE
        server role = active directory domain controller
        server services = -dns
        bind interfaces only = yes
        interfaces = br0 lo
        encrypt passwords = true
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum groups = yes
        winbind enum users = yes
        # winbind separator = +
        winbind nss info = rfc2307
        map untrusted to domain = no
        template homedir = /home/%U
        template shell = /bin/bash
        idmap_ldb:use rfc2307 = yes

    [netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    [Profiles]
        path = /home/Profiles/
        read only = No

    [home]
        path = /home
        read only = No

After I added back the missing line everything seemed to work again. The history to all this is that I am running the sernet-samba packages on a CentOS 6 system which seem to be not very compatible with sssd. Therefore I just want winbindd which is adequate for my purposes. To that end I tried to follow these wiki pages:

https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

When I provisioned I had done so with rfc2307.
So all the NIS extensions are there. So this gets me to the problem at hand. First, there is actually no 3001108 xidNumber in the idmap.ldb. The xidNumber for this particular user is actually 3000062. For a user that works it turns out I apparently gave uidNumber = xidNumber = 3001107. I only have two users. I'm unclear on what the correct thing to do in this case. Are you saying that since the xidNumbers are in the "3000000" range I should not use uidNumbers in the same range? How should I "pick" the idmap ranges, the uidNumbers, etc.? Wouldn't the uidNumbers be independent from the xidNumbers, which is why the addition of the "idmap_ldb:use rfc2307 = yes" in the DC smb.conf fixes the issue?

Also on the member server side I have been using this smb.conf:

    [global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        server string = Example Samba Server Version %v
        netbios name = EXAMPLE
        security = ads
        bind interfaces only = yes
        interfaces = br0
        kerberos method = system keytab
        idmap config *:backend = tdb
        idmap config *:range = 1000000-2999999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 3000000-40000000
        winbind nss info = rfc2307
        winbind use default domain = true
        winbind offline logon = false
        winbind enum groups = yes
        winbind enum users = yes

So what should I do at this point? Does it make sense to change the uidNumbers (possibly the gidNumbers too)? I really would like to make this right before I try to move the DC to other hardware.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
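Rowland's point (an AD uidNumber overrides the xidNumber that idmap.ldb would allocate for that SID, so hand-picked values in the 3000000 range can clash with allocations made for other SIDs) and the member server's 'idmap config SAMDOM:range' can both be checked mechanically against ldbedit output. The following is an added example, not code from this thread or from the Samba project: it parses ldbedit-style LDIF (the sample records are constructed from the values quoted above, with one extra sidMap entry invented to show a clash) and flags any uidNumber that lies outside the member range or equals an xidNumber already held by a different SID.

```python
# Constructed sample records modelled on the values quoted in the thread, not a
# live dump; the third sidMap entry is a collision added to show what gets flagged.
SAM_LDIF = """\
sAMAccountName: sln-11868bg
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
uidNumber: 3001108

sAMAccountName: prg-11868bg
objectSid: S-1-5-21-729452656-3029571206-2736118167-1107
uidNumber: 3001107
"""
IDMAP_LDIF = """\
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
xidNumber: 3000062

objectSid: S-1-5-21-729452656-3029571206-2736118167-1107
xidNumber: 3001107

objectSid: S-1-5-21-729452656-3029571206-2736118167-513
xidNumber: 3001108
"""
AD_RANGE = (3000000, 40000000)  # the member server's 'idmap config SAMDOM:range'

def parse_ldif(text):
    """Split LDIF text into records; a leading space marks a folded continuation line."""
    records, last = [{}], None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            records[-1][last][-1] += line[1:]
        elif not line.strip():
            records, last = records + [{}], None
        elif not line.startswith("#"):
            attr, _, value = line.partition(": ")
            records[-1].setdefault(attr, []).append(value)
            last = attr
    return [r for r in records if r]

def check_idmap(sam_ldif=SAM_LDIF, idmap_ldif=IDMAP_LDIF, ad_range=AD_RANGE):
    """Flag uidNumbers outside the member range or equal to an xidNumber held by another SID."""
    xid_owner = {int(r["xidNumber"][0]): r["objectSid"][0]
                 for r in parse_ldif(idmap_ldif) if "xidNumber" in r}
    problems = []
    for r in [x for x in parse_ldif(sam_ldif) if "uidNumber" in x]:
        name, sid, uid = r["sAMAccountName"][0], r["objectSid"][0], int(r["uidNumber"][0])
        if not ad_range[0] <= uid <= ad_range[1]:
            problems.append(f"{name}: uidNumber {uid} outside member range {ad_range}")
        owner = xid_owner.get(uid)
        if owner and owner != sid:
            problems.append(f"{name}: uidNumber {uid} collides with xidNumber of {owner}")
    return problems
```

On a real DC the two inputs would come from `ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)'` and `ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)'`; the same check applied to gidNumber catches group clashes.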