Matthias Nagel
2008-Sep-08 08:07 UTC
[Samba] (Re-open Bug #3056) Tries to re-create Builtin-Groups over and over again
Hello everybody, first some technical data:

Samba version: 3.0.28
Distro: Gentoo
PDB backend: OpenLDAP 2.3.43
Server role: PDC

My Samba server continuously complains about not being able to create the BUILTIN\Administrators and BUILTIN\Users group, because they already exist.

  groupdb/mapping.c:pdb_create_builtin_alias(739)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
  auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators

The latter is correct and I am wondering why Samba wants to re-create them. If I delete those group mappings from the LDAP directory, Samba re-creates them silently (of course with a different Unix group id) and a short time later the error recurs. But apparently everything works fine, even nested group membership. For example, if I type "groups administrator" on the console I get "BUILTIN\administratoren dadmins", where "dadmins" is the domain administrator group, which in turn is a member of "BUILTIN\administratoren". "getent group" gives correct output, too.

After running Samba and OpenLDAP in debug mode (real-time logging to the console), I found the core of the problem. Inside the function "passdb/lookup_sid.c:sid_to_gid" the function "winbind_sid_to_gid" is invoked. At this point I get the following errors in my logs:

  smbd[7917]: passdb/lookup_sid.c:sid_to_gid(1468)
  smbd[7917]: smbd: winbind failed to find a gid for sid S-1-5-32-544

and from the winbind daemon:

  winbindd[7905]: [2008/09/07 12:55:54, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
  winbindd[7905]: lookupsid returned an error
  winbindd[7905]: [2008/09/07 12:55:54, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
  winbindd[7905]: sid2gid_lookupsid_recv: Could not convert get sid type for S-1-5-32-544

The problem is that winbindd refuses to look up SIDs that do not match my domain SID. For example "wbinfo -Y" works for domain SIDs, but not for builtin SIDs.
This behavior is described in bug #3056 (https://bugzilla.samba.org/show_bug.cgi?id=3056). The proposed solution is to add an id range for the BUILTIN accounts. But the syntax for the "idmap" related options changed, and I do not get it working. My previous version of smb.conf looked like this:

  passdb backend = ldapsam:ldap://localhost
  ldap suffix = dc=schule,dc=gymnasiumportawestfalica,dc=de
  ldap admin dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=Users
  ldap group suffix = ou=Groups
  ldapsam:editposix=yes
  ldapsam:trusted = yes
  encrypt passwords = yes
  null passwords = yes
  ldap passwd sync = yes
  idmap domains = SCHULE
  idmap config SCHULE:backend = ldap
  idmap config SCHULE:readonly = no
  idmap config SCHULE:default = yes
  idmap config SCHULE:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap config SCHULE:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap config SCHULE:ldap_url = ldap://localhost
  idmap config SCHULE:range = 2000-65000
  idmap alloc backend = ldap
  idmap alloc config:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap alloc config:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap alloc config:ldap_url = ldap://localhost
  idmap alloc config:range = 2000-65000
  winbind enum groups = yes
  winbind enum users = yes

After I read the bug description I changed it to:

  passdb backend = ldapsam:ldap://localhost
  ldap ssl = off
  ldap suffix = dc=schule,dc=gymnasiumportawestfalica,dc=de
  ldap admin dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=Users
  ldap group suffix = ou=Groups
  ldapsam:editposix=yes
  ldapsam:trusted = yes
  encrypt passwords = yes
  null passwords = yes
  guest account = gast
  ldap passwd sync = yes
  idmap domains = BUILTIN SCHULE
  idmap config SCHULE:backend = ldap
  idmap config SCHULE:readonly = no
  idmap config SCHULE:default = yes
  idmap config SCHULE:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap config SCHULE:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap config SCHULE:ldap_url = ldap://localhost
  idmap config BUILTIN:backend = ldap
  idmap config BUILTIN:readonly = no
  idmap config BUILTIN:default = no
  idmap config BUILTIN:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap config BUILTIN:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap config BUILTIN:ldap_url = ldap://localhost
  idmap uid = 2000-65000
  idmap gid = 2000-65000
  idmap alloc backend = ldap
  idmap alloc config:ldap_base_dn = ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap alloc config:ldap_user_dn = uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
  idmap alloc config:ldap_url = ldap://localhost
  idmap alloc config:range = 2000-65000
  winbind enum groups = yes
  winbind enum users = yes

My directory looks like this:

#########################################################################
#
# Container structure
#
dn: dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: dcObject
objectClass: organizationalUnit
dc: schule
ou: schule

dn: uid=samba,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: simpleSecurityObject
uid: samba
description: Account used by smbd and nmbd for read/write access
userPassword: not for you

dn: ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Users
objectClass: organizationalUnit

dn: ou=Schild,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Schild
objectClass: organizationalUnit

dn: ou=WellKnown,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: WellKnown
objectClass: organizationalUnit

dn: ou=Aux,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Aux
objectClass: organizationalUnit

dn: ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Groups
objectClass: organizationalUnit

dn: ou=Schild,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Schild
objectClass: organizationalUnit

dn: ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: WellKnown
objectClass: organizationalUnit

dn: ou=Aux,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Aux
objectClass: organizationalUnit

dn: ou=Computers,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: Computers
objectClass: organizationalUnit

dn: ou=IdMap,dc=schule,dc=gymnasiumportawestfalica,dc=de
ou: IdMap
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
uidNumber: 2004
gidNumber: 2048

#########################################################################
#
# Samba Domain Info
#
dn: sambaDomainName=SCHULE,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaDomain
sambaDomainName: SCHULE
sambaSID: S-1-5-21-505984510-834225973-328464969
sambaAlgorithmicRidBase: 1000
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0

#########################################################################
#
# Well-known groups
#
dn: sambaSID=S-1-5-32-544,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
gidNumber: 2000
sambaSIDList: S-1-5-21-505984510-834225973-328464969-512
displayName: Administratoren

dn: sambaSID=S-1-5-32-545,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Benutzer
gidNumber: 2001
sambaSIDList: S-1-5-21-505984510-834225973-328464969-513

dn: sambaSID=S-1-5-32-546,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
gidNumber: 2002
sambaSID: S-1-5-32-546
sambaGroupType: 4
displayName:: R8Okc3Rl
sambaSIDList: S-1-5-21-505984510-834225973-328464969-514

dn: sambaSID=S-1-5-32-547,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2003
sambaSID: S-1-5-32-547
sambaGroupType: 4
displayName: Hauptbenutzer

dn: sambaSID=S-1-5-32-548,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2004
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Kontenoperatoren

dn: sambaSID=S-1-5-32-549,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2005
sambaSID: S-1-5-32-549
sambaGroupType: 4
displayName: Serveroperatoren

dn: sambaSID=S-1-5-32-550,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2006
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Druckoperatoren

dn: sambaSID=S-1-5-32-551,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2007
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Sicherungsoperatoren

dn: sambaSID=S-1-5-32-552,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaGroupMapping
objectClass: sambaSidEntry
gidNumber: 2008
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replikationsoperatoren

# domain users
dn: cn=dadmins,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dadmins
gidNumber: 2009
sambaSID: S-1-5-21-505984510-834225973-328464969-512
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQWRtaW5pc3RyYXRvcmVu

dn: cn=dusers,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dusers
gidNumber: 2010
sambaSID: S-1-5-21-505984510-834225973-328464969-513
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQmVudXR6ZXI=

dn: cn=dguests,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dguests
gidNumber: 2011
sambaSID: S-1-5-21-505984510-834225973-328464969-514
sambaGroupType: 2
displayName:: RG9tw6RuZW4tR8Okc3Rl

dn: cn=dcomp,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dcomp
gidNumber: 2012
sambaSID: S-1-5-21-505984510-834225973-328464969-515
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQ29tcHV0ZXI=

dn: cn=dcontrol,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dcontrol
gidNumber: 2013
sambaSID: S-1-5-21-505984510-834225973-328464969-516
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQ29udHJvbGxlcg==

#########################################################################
#
# Well-known users
#
#
dn: uid=administrator,ou=WellKnown,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: administrator
cn: Administrator
displayName: Adminstrator
uidNumber: 2000
gidNumber: 2009
homeDirectory: /home/Administrator
loginShell: /bin/bash
sambaSID: S-1-5-21-505984510-834225973-328464969-500
sambaAcctFlags: [U          ]
sambaLMPassword: not for you
sambaNTPassword: not for you
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1220704664
userPassword: not for you

dn: uid=gast,ou=WellKnown,ou=Users,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: gast
cn: Gast
displayName: Gast
uidNumber: 2001
gidNumber: 2011
homeDirectory: /home/Gast
loginShell: /bin/bash
sambaSID: S-1-5-21-505984510-834225973-328464969-501
sambaAcctFlags: [DU         ]

dn: uid=server$,ou=Computers,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: server$
cn: server$
displayName: server
uidNumber: 2002
gidNumber: 2013
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-505984510-834225973-328464969-5004
sambaPrimaryGroupSID: S-1-5-21-505984510-834225973-328464969-516
sambaAcctFlags: [S          ]
sambaLMPassword: not for you
sambaNTPassword: not for you

Any suggestions?

Besides this major problem I have some minor questions that might be related to it:

1) What is the correct start sequence for the daemons? First winbind and then smbd/nmbd, or the other way round?
2) Do I need to create a "sambaDomainEntry" for BUILTIN in the directory?
3) After I start winbind there is a long delay (15 minutes) before "wbinfo" works at all. Why?

Matthias Nagel
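The post turns on one question: can every SID smbd hands to sid_to_gid, including the S-1-5-32-* BUILTIN aliases, be resolved to a gid from the sambaGroupMapping entries, and are those entries consistent with the idmap range? The script below is an added example, not code from the original post or from Samba. It parses an LDIF dump offline and checks exactly that: every BUILTIN alias and domain group has a gidNumber inside the configured range, no gid is mapped twice, sambaGroupType is 4 (alias) for BUILTIN SIDs and 2 for domain groups, every nested sambaSIDList member has its own mapping, and the three aliases smbd creates on a PDC (544, 545, 546) exist. The LDIF embedded in it is a constructed excerpt modelled on the post's directory (domain SID and suffix copied from the post); dguests (RID 514) and BUILTIN\Users (545) are deliberately left out so the checker has something to report. The base64 decoder tolerates the unpadded values that appear in the pasted dump.

```python
import base64
import re
from collections import Counter

# Constructed excerpt modelled on the post's directory (domain entry, two
# BUILTIN aliases, one domain group). RID 514 and alias 545 are omitted on purpose.
SAMPLE_LDIF = """\
dn: sambaDomainName=SCHULE,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaDomain
sambaDomainName: SCHULE
sambaSID: S-1-5-21-505984510-834225973-328464969

dn: sambaSID=S-1-5-32-544,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
gidNumber: 2000
sambaSIDList: S-1-5-21-505984510-834225973-328464969-512
displayName: Administratoren

dn: sambaSID=S-1-5-32-546,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-546
sambaGroupType: 4
gidNumber: 2002
sambaSIDList: S-1-5-21-505984510-834225973-328464969-514
displayName:: R8Okc3Rl

dn: cn=dadmins,ou=WellKnown,ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: dadmins
gidNumber: 2009
sambaSID: S-1-5-21-505984510-834225973-328464969-512
sambaGroupType: 2
displayName:: RG9tw6RuZW4tQWRtaW5pc3RyYXRvcmVu
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
BUILTIN_PREFIX = "S-1-5-32-"
# Aliases smbd creates on a PDC; 544 is the one failing in the post's log
EXPECTED_BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
                    "S-1-5-32-546": "Guests"}
SID_NAME_DOM_GRP, SID_NAME_ALIAS = "2", "4"   # sambaGroupType values


def _b64(value):
    """Decode a base64 LDIF value, tolerating the missing padding seen in pasted dumps."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():   # unfold continuation lines
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        current.setdefault(attr, []).append(_b64(value) if sep == "::" else value.strip())
    if current:
        entries.append(current)
    return entries


def group_mappings(entries):
    """Map sambaSID -> entry for every sambaGroupMapping object."""
    return {e["sambaSID"][0]: e for e in entries
            if "sambaGroupMapping" in e.get("objectClass", [])}


def sid_to_gid(entries, sid):
    """Resolve a SID through the mapping table, as smbd needs to for S-1-5-32-* aliases."""
    entry = group_mappings(entries).get(sid)
    return int(entry["gidNumber"][0]) if entry else None


def check_group_mappings(entries, gid_range):
    """Return a list of findings about BUILTIN and domain group mappings."""
    lo, hi = gid_range
    domain_sid = next(e for e in entries
                      if "sambaDomain" in e.get("objectClass", []))["sambaSID"][0]
    groups = group_mappings(entries)
    findings = []
    for gid, n in Counter(g["gidNumber"][0] for g in groups.values()).items():
        if n > 1:
            findings.append("gidNumber %s is mapped to %d different SIDs" % (gid, n))
    for sid, g in groups.items():
        gid, gtype = int(g["gidNumber"][0]), g["sambaGroupType"][0]
        if not lo <= gid <= hi:
            findings.append("%s: gidNumber %d outside idmap range %d-%d" % (sid, gid, lo, hi))
        if sid.startswith(BUILTIN_PREFIX):
            if gtype != SID_NAME_ALIAS:
                findings.append("%s: BUILTIN alias has sambaGroupType %s, expected 4" % (sid, gtype))
        elif sid.startswith(domain_sid + "-"):
            if gtype != SID_NAME_DOM_GRP:
                findings.append("%s: domain group has sambaGroupType %s, expected 2" % (sid, gtype))
        else:
            findings.append("%s: neither a BUILTIN SID nor in domain %s" % (sid, domain_sid))
        for member in g.get("sambaSIDList", []):   # nested membership must resolve too
            if member not in groups:
                findings.append("%s: nested member %s has no group mapping" % (sid, member))
    for sid, name in EXPECTED_BUILTIN.items():
        if sid not in groups:
            findings.append("no mapping for BUILTIN\\%s (%s); smbd will try to create it" % (name, sid))
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for finding in check_group_mappings(entries, (2000, 65000)):
        print("WARN", finding)
```

Feed it a real dump with `ldapsearch -x -LLL -b ou=Groups,dc=schule,dc=gymnasiumportawestfalica,dc=de` piped into `parse_ldif`, and pass the range from `idmap alloc config:range`. Anything it reports for a BUILTIN SID is a lookup smbd cannot satisfy from passdb, which is the situation behind the NT_STATUS_GROUP_EXISTS loop in the log above; the check does not replace winbindd's own idmap, it only tells you whether the directory holds what winbindd would have to find.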