Rowland Penny
2023-Sep-04 21:04 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On Mon, 4 Sep 2023 22:50:56 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> On 04-09-2023 22:26, Rowland Penny via samba wrote:
> > On Mon, 4 Sep 2023 22:09:35 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Team,
> >>
> >>
> >> I am setting up a new AD-domain, the first DC is just operational
> >> and some users and groups are created.
> >>
> >> This runs on Debian 11, Samba 4.18.6 and it is set up with the same
> >> (but evolved) Ansible code I used for my other domains (all of them
> >> on different networks and independent of each other). The older
> >> domains were initially set up with Samba 4.14 and another with 4.15
> >> and upgraded many times since, the new setup with 4.18.6. In all
> >> places it gets installed from the same Debian packages.
> >>
> >> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
> >> exactly the same (apart from the domain name etc.) on the existing
> >> domains and the new domain. And all domains were provisioned with
> >> '--use-rfc2307'.
> >>
> >> 'samba-tool processes | wc -l' is equal between old and new: 24
> >> lines. And ps aux | grep winbindd also shows an equal number of
> >> winbind processes.
> >>
> >> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
> >> and group.
> >>
> >>
> >> Now the mystery starts: there is a difference in id (uid/gid)
> >> lookups on a DC between the older domains and the new domain.
> >>
> >> It looks like the new domain is not querying
> >> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas
> >> the older ones are.
> >>
> >> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
> >>
> >> On the old domain(s) this results (as expected) in:
> >>
> >> OLDDOM\domain admins:*:3000004:3000004::/home/domain
> >> admins:/bin/bash
> >>
> >> But on the new domain the lookup has no result.
> >>
> >> The winbind logging is equally different, on the old domain
> >> (success):
> >>
> >> [2023/09/04 20:55:56.243929,  3]
> >> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>   winbindd_interface_version: [nss_winbind (2502996)]: request
> >> interface version (version = 32)
> >> [2023/09/04 20:55:56.243999,  3]
> >> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>   process_request_send: [nss_winbind (2502996)] Handling async
> >> request: GETPWNAM
> >> [2023/09/04 20:55:56.244007,  3]
> >> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> >>   [nss_winbind (2502996)] Winbind external command GETPWNAM
> >> start. Query username 'OLDDOM\domain admins'.
> >> [2023/09/04 20:55:56.244312,  3]
> >> ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
> >>   Winbind external command GETPWNAM end.
> >>   (name:passwd:uid:gid:gecos:dir:shell)
> >>   OLDDOM\domain admins:*:3000004:3000004::/home/domain
> >> admins:/bin/bash
> >> [2023/09/04 20:55:56.244322,  3]
> >> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>   process_request_done: [nss_winbind(2502996):GETPWNAM]:
> >> NT_STATUS_OK
> >> [2023/09/04 20:55:57.091601,  3]
> >> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>   winbindd_interface_version: [nss_winbind (2502997)]: request
> >> interface version (version = 32)
> >> [2023/09/04 20:55:57.091800,  3]
> >> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>   process_request_send: [nss_winbind (2502997)] Handling async
> >> request: GETGROUPS
> >> [2023/09/04 20:55:57.091817,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
> >>   [nss_winbind (2502997)] Winbind external command GETGROUPS
> >> start. Searching groups for username 'root'.
> >> [2023/09/04 20:55:57.093936,  3]
> >> ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
> >>   : lookup_usergroups_cached
> >> [2023/09/04 20:55:57.106212,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
> >>   Winbind external command GETGROUPS end.
> >>   Received 2 entries.
> >> [2023/09/04 20:55:57.106337,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> >>   0: GID 10000
> >> [2023/09/04 20:55:57.106344,  3]
> >> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
> >>   1: GID 10019
> >> [2023/09/04 20:55:57.106350,  3]
> >> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>   process_request_done: [nss_winbind(2502997):GETGROUPS]:
> >> NT_STATUS_OK
> >>
> >> On the new domain (no result):
> >>
> >> [2023/09/04 20:54:18.579629,  3]
> >> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
> >>   winbindd_interface_version: [nss_winbind (43590)]: request
> >> interface version (version = 32)
> >> [2023/09/04 20:54:18.579686,  3]
> >> ../../source3/winbindd/winbindd.c:497(process_request_send)
> >>   process_request_send: [nss_winbind (43590)] Handling async
> >> request: GETPWNAM
> >> [2023/09/04 20:54:18.579701,  3]
> >> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
> >>   [nss_winbind (43590)] Winbind external command GETPWNAM start.
> >>   Query username 'NEWDOM\domain admins'.
> >> [2023/09/04 20:54:18.582975,  1]
> >> ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
> >>   XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
> >> [2023/09/04 20:54:18.582990,  1]
> >> ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
> >>   Could not convert sid
> >> S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
> >> [2023/09/04 20:54:18.582995,  3]
> >> ../../source3/winbindd/winbindd.c:564(process_request_done)
> >>   process_request_done: [nss_winbind(43590):GETPWNAM]:
> >> NT_STATUS_NO_SUCH_USER
> >>
> >> Another indication that /var/lib/samba/private/idmap.ldb is not
> >> used comes from the group lookup of domain admins:
> >>
> >> getent group '<DOMAIN-NAME>\domain admins'
> >>
> >> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the
> >> xidNumber in idmap.ldb)
> >>
> >> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber
> >> in the ldap record of the group)
> >>
> >>
> >> What could cause this different behaviour (on these 2 very similar
> >> environments)?
> > You giving Domain Admins a gidNumber attribute, which by the way has
> > just broken sysvol.
> >
> > Rowland
> >
> >
> ok, it was worth testing your hypothesis:
>
> # destroy domain:
> dpkg -l | grep 4.18.6 | awk '{print $2}' | xargs apt-get -y purge
> # everything including /var/lib/samba is removed
>
> # rerun ansible playbook for samba_dc_install
>
> getent group 'domain admins'
> # no result
>
> So no more gidNumber from the ldap group record, but nothing from
> idmap.ldb either :-(
>
> - Kees.
>
>

It has worked for over 10 years, so if it has stopped working, why?
These are probably stupid questions, but are libpam-winbind and
libnss-winbind installed? Also is /etc/nsswitch.conf set up correctly?

Rowland
Kees van Vloten
2023-Sep-05 07:37 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On 04-09-2023 at 23:04, Rowland Penny via samba wrote:
> On Mon, 4 Sep 2023 22:50:56 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 04-09-2023 22:26, Rowland Penny via samba wrote:
>>> On Mon, 4 Sep 2023 22:09:35 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Team,
>>>>
>>>>
>>>> I am setting up a new AD-domain, the first DC is just operational
>>>> and some users and groups are created.
>>>>
>>>> This runs on Debian 11, Samba 4.18.6 and it is set up with the same
>>>> (but evolved) Ansible code I used for my other domains (all of them
>>>> on different networks and independent of each other). The older
>>>> domains were initially set up with Samba 4.14 and another with 4.15
>>>> and upgraded many times since, the new setup with 4.18.6. In all
>>>> places it gets installed from the same Debian packages.
>>>>
>>>> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
>>>> exactly the same (apart from the domain name etc.) on the existing
>>>> domains and the new domain. And all domains were provisioned with
>>>> '--use-rfc2307'.
>>>>
>>>> 'samba-tool processes | wc -l' is equal between old and new: 24
>>>> lines. And ps aux | grep winbindd also shows an equal number of
>>>> winbind processes.
>>>>
>>>> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
>>>> and group.
>>>>
>>>>
>>>> Now the mystery starts: there is a difference in id (uid/gid)
>>>> lookups on a DC between the older domains and the new domain.
>>>>
>>>> It looks like the new domain is not querying
>>>> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas
>>>> the older ones are.
>>>>
>>>> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
>>>>
>>>> On the old domain(s) this results (as expected) in:
>>>>
>>>> OLDDOM\domain admins:*:3000004:3000004::/home/domain
>>>> admins:/bin/bash
>>>>
>>>> But on the new domain the lookup has no result.
>>>>
>>>> The winbind logging is equally different, on the old domain
>>>> (success):
>>>>
>>>> [2023/09/04 20:55:56.243929,  3]
>>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>>>   winbindd_interface_version: [nss_winbind (2502996)]: request
>>>> interface version (version = 32)
>>>> [2023/09/04 20:55:56.243999,  3]
>>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
>>>>   process_request_send: [nss_winbind (2502996)] Handling async
>>>> request: GETPWNAM
>>>> [2023/09/04 20:55:56.244007,  3]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>>>>   [nss_winbind (2502996)] Winbind external command GETPWNAM
>>>> start. Query username 'OLDDOM\domain admins'.
>>>> [2023/09/04 20:55:56.244312,  3]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
>>>>   Winbind external command GETPWNAM end.
>>>>   (name:passwd:uid:gid:gecos:dir:shell)
>>>>   OLDDOM\domain admins:*:3000004:3000004::/home/domain
>>>> admins:/bin/bash
>>>> [2023/09/04 20:55:56.244322,  3]
>>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
>>>>   process_request_done: [nss_winbind(2502996):GETPWNAM]:
>>>> NT_STATUS_OK
>>>> [2023/09/04 20:55:57.091601,  3]
>>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>>>   winbindd_interface_version: [nss_winbind (2502997)]: request
>>>> interface version (version = 32)
>>>> [2023/09/04 20:55:57.091800,  3]
>>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
>>>>   process_request_send: [nss_winbind (2502997)] Handling async
>>>> request: GETGROUPS
>>>> [2023/09/04 20:55:57.091817,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
>>>>   [nss_winbind (2502997)] Winbind external command GETGROUPS
>>>> start. Searching groups for username 'root'.
>>>> [2023/09/04 20:55:57.093936,  3]
>>>> ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
>>>>   : lookup_usergroups_cached
>>>> [2023/09/04 20:55:57.106212,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
>>>>   Winbind external command GETGROUPS end.
>>>>   Received 2 entries.
>>>> [2023/09/04 20:55:57.106337,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>>>>   0: GID 10000
>>>> [2023/09/04 20:55:57.106344,  3]
>>>> ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>>>>   1: GID 10019
>>>> [2023/09/04 20:55:57.106350,  3]
>>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
>>>>   process_request_done: [nss_winbind(2502997):GETGROUPS]:
>>>> NT_STATUS_OK
>>>>
>>>> On the new domain (no result):
>>>>
>>>> [2023/09/04 20:54:18.579629,  3]
>>>> ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>>>   winbindd_interface_version: [nss_winbind (43590)]: request
>>>> interface version (version = 32)
>>>> [2023/09/04 20:54:18.579686,  3]
>>>> ../../source3/winbindd/winbindd.c:497(process_request_send)
>>>>   process_request_send: [nss_winbind (43590)] Handling async
>>>> request: GETPWNAM
>>>> [2023/09/04 20:54:18.579701,  3]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>>>>   [nss_winbind (43590)] Winbind external command GETPWNAM start.
>>>>   Query username 'NEWDOM\domain admins'.
>>>> [2023/09/04 20:54:18.582975,  1]
>>>> ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
>>>>   XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
>>>> [2023/09/04 20:54:18.582990,  1]
>>>> ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
>>>>   Could not convert sid
>>>> S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
>>>> [2023/09/04 20:54:18.582995,  3]
>>>> ../../source3/winbindd/winbindd.c:564(process_request_done)
>>>>   process_request_done: [nss_winbind(43590):GETPWNAM]:
>>>> NT_STATUS_NO_SUCH_USER
>>>>
>>>> Another indication that /var/lib/samba/private/idmap.ldb is not
>>>> used comes from the group lookup of domain admins:
>>>>
>>>> getent group '<DOMAIN-NAME>\domain admins'
>>>>
>>>> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the
>>>> xidNumber in idmap.ldb)
>>>>
>>>> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber
>>>> in the ldap record of the group)
>>>>
>>>>
>>>> What could cause this different behaviour (on these 2 very similar
>>>> environments)?
>>> You giving Domain Admins a gidNumber attribute, which by the way has
>>> just broken sysvol.

This is required to be able to use 'domain admins' on a Linux member-server when idmap = ad. Normally the idmap.ldb xidNumber has priority over gidNumber when the GID lookup is done on a DC. On this new domain it looks like winbindd is not attempting to look up the xidNumber, as you can see in the logs above.

>>>
>>> Rowland
>>>
>>>
>> ok, it was worth testing your hypothesis:
>>
>> # destroy domain:
>> dpkg -l | grep 4.18.6 | awk '{print $2}' | xargs apt-get -y purge
>> # everything including /var/lib/samba is removed
>>
>> # rerun ansible playbook for samba_dc_install
>>
>> getent group 'domain admins'
>> # no result
>>
>> So no more gidNumber from the ldap group record, but nothing from
>> idmap.ldb either :-(
>>
>> - Kees.
>>
>>
>>
> It has worked for over 10 years, so if it has stopped working, why?
> These are probably stupid questions, but are libpam-winbind and
> libnss-winbind installed? Also is /etc/nsswitch.conf set up correctly?

The reason for this post is that I am puzzled myself, have been looking into it for a few days now and I can't figure it out. I am using the Debian packages (on bullseye) and indeed I checked if libnss-winbind is in place (and it is :-) ). nsswitch.conf is in order, otherwise I would not get answers from winbind in the first place. As the log fragments above show, it does reach winbind and gets logged. I am thinking about reverting to older versions of Samba (4.17, 4.16, 4.15) to see if it works then. I know for sure it worked with the same setup in May last year. Although the code runs on the existing domains on every Samba upgrade, I have not set up new domains since then.

>
> Rowland
>
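The two GETPWNAM traces quoted in this thread differ in a single level-1 line, "XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH", which says the idmap entry for the SID exists but is a group-only mapping. Added example, not from the thread or from Samba itself: a small parser that groups winbindd log lines into one record per nss_winbind request and names the XID type using Samba's id_type enum numbering (ID_TYPE_NOT_SPECIFIED=0, ID_TYPE_UID=1, ID_TYPE_GID=2, ID_TYPE_BOTH=3); the sample log is constructed from the excerpts above, keeping only the message lines.

```python
import re

# Samba's id_type enum values, the number printed in "XID type is N".
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID", 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

RE_START = re.compile(r"\[nss_winbind \((\d+)\)\] Winbind external command (\w+) start")
RE_QUERY = re.compile(r"Query username '([^']*)'")
RE_XID = re.compile(r"XID type is (\d+), should be")
RE_SID = re.compile(r"Could not convert sid (S-[\d-]+): (NT_STATUS_\w+)")
RE_DONE = re.compile(r"process_request_done: \[nss_winbind\((\d+)\):(\w+)\]: (NT_STATUS_\w+)")


def triage(log):
    """Group winbindd log lines into one dict per nss_winbind request."""
    requests, current = [], None
    for line in log.splitlines():
        if (m := RE_START.search(line)):  # new request from client pid m[1]
            current = {"pid": int(m[1]), "command": m[2], "query": None,
                       "xid_type": None, "sid": None, "status": None}
            requests.append(current)
        if current is None:  # header lines before any request are skipped
            continue
        if (m := RE_QUERY.search(line)):
            current["query"] = m[1]
        if (m := RE_XID.search(line)):  # idmap entry exists but has the wrong type
            current["xid_type"] = ID_TYPES.get(int(m[1]), f"unknown({m[1]})")
        if (m := RE_SID.search(line)):
            current["sid"] = m[1]
        if (m := RE_DONE.search(line)) and int(m[1]) == current["pid"]:
            current["status"] = m[3]
            current = None
    return requests


def diagnose(req):
    """Turn one request record into the next thing an admin should check."""
    if req["status"] == "NT_STATUS_OK":
        return "ok"
    if req["command"] == "GETPWNAM" and req["xid_type"] == "ID_TYPE_GID":
        return (f"{req['sid']} is mapped group-only (ID_TYPE_GID); a passwd lookup "
                "needs ID_TYPE_BOTH, so compare its idmap.ldb entry with a working DC")
    return f"{req['command']} for {req['query']!r} failed: {req['status']}"


# Constructed sample: message lines from the thread's two traces, headers dropped.
SAMPLE_LOG = r"""
  [nss_winbind (2502996)] Winbind external command GETPWNAM start. Query username 'OLDDOM\domain admins'.
  process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
  [nss_winbind (43590)] Winbind external command GETPWNAM start.
  Query username 'NEWDOM\domain admins'.
  XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
  Could not convert sid S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
  process_request_done: [nss_winbind(43590):GETPWNAM]: NT_STATUS_NO_SUCH_USER
"""
```

Running `[diagnose(r) for r in triage(SAMPLE_LOG)]` yields "ok" for the old domain's request and the group-only explanation for the new one.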