Rowland Penny
2023-Sep-04 20:26 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On Mon, 4 Sep 2023 22:09:35 +0200 Kees van Vloten via samba <samba at lists.samba.org> wrote:

> Hi Team,
>
> I am setting up a new AD-domain, the first DC is just operational and
> some users and groups are created.
>
> This runs on Debian 11, Samba 4.18.6 and it is set up with the same
> (but evolved) Ansible code I used for my other domains (all of them
> on different networks and independent of each other). The older
> domains were initially set up with Samba 4.14 and another with 4.15
> and upgraded many times since, the new setup with 4.18.6. In all
> places it gets installed from the same Debian packages.
>
> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
> exactly the same (apart from the domain name etc.) on the existing
> domains and the new domain. And all domains were provisioned with
> '--use-rfc2307'.
>
> 'samba-tool processes | wc -l' is equal between old and new: 24
> lines. And ps aux | grep winbindd also shows an equal number of
> winbind processes.
>
> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
> and group.
>
> Now the mystery starts: there is a difference in id (uid/gid) lookups
> on a DC between the older domains and the new domain.
>
> It looks like the new domain is not querying
> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas
> the older ones are.
>
> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
>
> On the old domain(s) this results (as expected) in:
>
> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
>
> But on the new domain the lookup has no result.
>
> The winbind logging is equally different, on the old domain (success):
>
> [2023/09/04 20:55:56.243929,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>   winbindd_interface_version: [nss_winbind (2502996)]: request interface version (version = 32)
> [2023/09/04 20:55:56.243999,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
>   process_request_send: [nss_winbind (2502996)] Handling async request: GETPWNAM
> [2023/09/04 20:55:56.244007,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>   [nss_winbind (2502996)] Winbind external command GETPWNAM start.
>   Query username 'OLDDOM\domain admins'.
> [2023/09/04 20:55:56.244312,  3] ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
>   Winbind external command GETPWNAM end.
>   (name:passwd:uid:gid:gecos:dir:shell)
>   OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
> [2023/09/04 20:55:56.244322,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
>   process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
> [2023/09/04 20:55:57.091601,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>   winbindd_interface_version: [nss_winbind (2502997)]: request interface version (version = 32)
> [2023/09/04 20:55:57.091800,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
>   process_request_send: [nss_winbind (2502997)] Handling async request: GETGROUPS
> [2023/09/04 20:55:57.091817,  3] ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
>   [nss_winbind (2502997)] Winbind external command GETGROUPS start.
>   Searching groups for username 'root'.
> [2023/09/04 20:55:57.093936,  3] ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
>   : lookup_usergroups_cached
> [2023/09/04 20:55:57.106212,  3] ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
>   Winbind external command GETGROUPS end.
>   Received 2 entries.
> [2023/09/04 20:55:57.106337,  3] ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>   0: GID 10000
> [2023/09/04 20:55:57.106344,  3] ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>   1: GID 10019
> [2023/09/04 20:55:57.106350,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
>   process_request_done: [nss_winbind(2502997):GETGROUPS]: NT_STATUS_OK
>
> On the new domain (no result):
>
> [2023/09/04 20:54:18.579629,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>   winbindd_interface_version: [nss_winbind (43590)]: request interface version (version = 32)
> [2023/09/04 20:54:18.579686,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
>   process_request_send: [nss_winbind (43590)] Handling async request: GETPWNAM
> [2023/09/04 20:54:18.579701,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>   [nss_winbind (43590)] Winbind external command GETPWNAM start.
>   Query username 'NEWDOM\domain admins'.
> [2023/09/04 20:54:18.582975,  1] ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
>   XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
> [2023/09/04 20:54:18.582990,  1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
> [2023/09/04 20:54:18.582995,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
>   process_request_done: [nss_winbind(43590):GETPWNAM]: NT_STATUS_NO_SUCH_USER
>
> Another indication that /var/lib/samba/private/idmap.ldb is not used
> comes from the group lookup of domain admins:
>
> getent group '<DOMAIN-NAME>\domain admins'
>
> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber
> in idmap.ldb)
>
> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in
> the ldap record of the group)
>
> What could cause this different behaviour (on these 2 very similar
> environments)?

You giving Domain Admins a gidNumber attribute, which by the way has
just broken sysvol.

Rowland
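A check a DC admin could run to confirm Rowland's diagnosis before touching sysvol. This is an added example, not code from the thread or from Samba: it parses LDIF in the shape that samba-tool group show and an ldbsearch on idmap.ldb print, reports for each group whether winbind on a DC will take the GID from the rfc2307 gidNumber attribute or from the idmap.ldb xidNumber, and flags a gidNumber on Domain Admins (RID 512) as the case that turns its mapping from ID_TYPE_BOTH into a group-only mapping (the "XID type is 2" in the log above). The sample records, SIDs and numbers are constructed, and parse_ldif and classify_groups are names chosen for the example.

```python
import re
# Constructed sample records modelled on the thread (SIDs and numbers are
# made up): AD group objects as samba-tool group show prints them, and the
# matching sidMap records from /var/lib/samba/private/idmap.ldb.
AD_GROUPS_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
"""
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000004

dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000005
"""
# RIDs of groups that own files under sysvol and therefore need an
# ID_TYPE_BOTH mapping on a DC (512 = Domain Admins).
SYSVOL_OWNER_RIDS = {512}

def parse_ldif(text):
    """One dict per LDIF record (single-valued attributes only)."""
    return [dict(line.partition(": ")[::2] for line in chunk.splitlines())
            for chunk in re.split(r"\n\s*\n", text.strip())]

def classify_groups(ad_ldif, idmap_ldif):
    """Per group: where a DC's winbind takes the GID from, the resulting
    mapping type, and whether that breaks the group as a sysvol owner."""
    idmap = {r["objectSid"]: r for r in parse_ldif(idmap_ldif)}
    report = {}
    for grp in parse_ldif(ad_ldif):
        sid = grp["objectSid"]
        rid = int(sid.rsplit("-", 1)[1])
        if "gidNumber" in grp:
            # rfc2307 attribute present: it wins over the idmap.ldb record and
            # yields a group-only mapping ("XID type is 2" in the thread's log).
            gid, source, id_type = int(grp["gidNumber"]), "AD gidNumber", "ID_TYPE_GID"
        elif sid in idmap:
            gid, source, id_type = int(idmap[sid]["xidNumber"]), "idmap.ldb", idmap[sid]["type"]
        else:
            gid, source, id_type = None, "unmapped (winbind would allocate)", None
        report[grp["sAMAccountName"]] = {
            "gid": gid, "source": source, "id_type": id_type,
            "breaks_sysvol": rid in SYSVOL_OWNER_RIDS and id_type != "ID_TYPE_BOTH"}
    return report
```

On a real DC the two inputs come from `samba-tool group show` per group and `ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap`; a group with `breaks_sysvol` set is what `samba-tool ntacl sysvolcheck` will complain about.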
Kees van Vloten
2023-Sep-04 20:30 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On 04-09-2023 22:26, Rowland Penny via samba wrote:

> On Mon, 4 Sep 2023 22:09:35 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> [...]
>>
>> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber
>> in idmap.ldb)
>>
>> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in
>> the ldap record of the group)
>>
>> What could cause this different behaviour (on these 2 very similar
>> environments)?
>
> You giving Domain Admins a gidNumber attribute, which by the way has
> just broken sysvol.
>
> Rowland

That is not unique for the new domain, all my domains have it and as you see above it works on the other one...

On old domain: samba-tool group show 'domain admins':

dn: CN=Domain Admins,CN=Users,DC=composers,DC=lan
sAMAccountName: Domain Admins
gidNumber: 10047
Kees van Vloten
2023-Sep-04 20:50 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On 04-09-2023 22:26, Rowland Penny via samba wrote:

> On Mon, 4 Sep 2023 22:09:35 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> [...]
>>
>> What could cause this different behaviour (on these 2 very similar
>> environments)?
>
> You giving Domain Admins a gidNumber attribute, which by the way has
> just broken sysvol.
>
> Rowland

ok, it was worth testing your hypothesis:

# destroy domain:
dpkg -l | grep 4.18.6 | awk '{print $2}' | xargs apt-get -y purge
# everything including /var/lib/samba is removed

# rerun ansible playbook for samba_dc_install

getent group 'domain admins'
# no result

So no more gidNumber from the ldap group record, but nothing from idmap.ldb either :-(

- Kees.