Hi

The server suddenly changed the uid + gid. This happened two times, yesterday and the week after. The default group at example
The samba is an AD member where we have many users (>20 000) and we use autorid in that way

[global]
    security = ads
    workgroup = CUSTOMER
    realm = CUSTOMER.COM
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum group = yes
    idmap config * : backend = autorid
    idmap config * : range = 1000000-8999999999

OS debian 10
DC Microsoft

At the moment I have two questions:
Why this happened and is there a way to stop the disaster?
Is there a quick way to repair the disaster? It infects the profile directory used with acl.

thank you
Виктор
2019-Nov-03 04:16 UTC
[Samba] [smbd] get_static_share_mode_data failed: NT_STATUS_NO_MEMORY
Hi all. help please:

# systemctl status smbd.service
...
Nov 03 06:53:09 server1.local.my smbd[4585]: [2019/11/03 06:53:09.857837,  1] ../../source3/locking/share_mode_lock.c:597(get_share_mode_lock)
Nov 03 06:53:09 server1.local.my smbd[4585]:   get_share_mode_lock: get_static_share_mode_data failed: NT_STATUS_NO_MEMORY
...

current version (but w older too)
# smbd -V
Version 4.11.2

client - macos, (time machine session).
where can i add this memory?

testparm -sv | grep size
    ldap page size = 1000
    max disk size = 0
    max log size = 10000
    max stat cache size = 0
    min receivefile size = 0
    aio read size = 1
    aio write size = 1
    allocation roundup size = 0
    block size = 4096
    directory name cache size = 100
    write cache size = 2097152
On 02/11/2019 23:18, Hilberg via samba wrote:
> Hi
>
> The server suddenly changed the uid + gid. This happened two times,
> yesterday and the week after. The default group at example
> The samba is an AD member where we have many users (>20 000) and we use
> autorid in that way
> [global]
>   security = ads
>   workgroup = CUSTOMER
>   realm = CUSTOMER.COM
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum group = yes
>   idmap config * : backend = autorid
>   idmap config * : range = 1000000-8999999999
>
> OS debian 10
> DC Microsoft
>
> At the moment I have two questions:
> Why this happened and is there a way to stop the disaster?
> Is there a quick way to repair the disaster? It infects the profile
> directory used with acl.
>
> thank you
>

Please do not post things like this to the samba-technical list.

As I said, you cannot use 'winbind use default domain = yes' with 'autorid', it makes all users and groups members of the same domain, this is probably what has happened here.

Remove the line, this should stop it happening again

If you have only one domain, then you shouldn't be using autorid, you should be using rid instead, unfortunately it is probably too late now.

As to how you fix your permissions, I fear this will have to be done manually, you will have to identify which folder or file belongs to which user/group.

Samba does not create Unix IDs on Unix domain members, it either uses rfc2307 attributes stored in AD (if using the winbind 'ad' backend) or it calculates the ID from the AD object's SID

Rowland
Rowland penny
2019-Nov-03 08:51 UTC
[Samba] [smbd] get_static_share_mode_data failed: NT_STATUS_NO_MEMORY
On 03/11/2019 04:16, Виктор via samba wrote:
> Hi all. help please:
> # systemctl status smbd.service
> ...
> Nov 03 06:53:09 server1.local.my smbd[4585]: [2019/11/03
> 06:53:09.857837,  1]
> ../../source3/locking/share_mode_lock.c:597(get_share_mode_lock)
> Nov 03 06:53:09 server1.local.my smbd[4585]: get_share_mode_lock:
> get_static_share_mode_data failed: NT_STATUS_NO_MEMORY
> ...
>
> current version (but w older too)
> # smbd -V
> Version 4.11.2
>
> client - macos, (time machine session).
> where can i add this memory?
>
> testparm -sv | grep size
>     ldap page size = 1000
>     max disk size = 0
>     max log size = 10000
>     max stat cache size = 0
>     min receivefile size = 0
>     aio read size = 1
>     aio write size = 1
>     allocation roundup size = 0
>     block size = 4096
>     directory name cache size = 100
>     write cache size = 2097152
>

Hi, can you please open your own thread? You appear to have replied to an existing thread.

Can you also post your entire smb.conf as on disk

Rowland
On 03.11.2019 at 09:42, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 02/11/2019 23:18, Hilberg via samba wrote:
>> Hi
>>
>> The server suddenly changed the uid + gid. This happened two times, yesterday and the week after. The default group at example
>> The samba is an AD member where we have many users (>20 000) and we use autorid in that way
>> [global]
>>   security = ads
>>   workgroup = CUSTOMER
>>   realm = CUSTOMER.COM
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum group = yes
>>   idmap config * : backend = autorid
>>   idmap config * : range = 1000000-8999999999
>>
>> OS debian 10
>> DC Microsoft
>>
>> At the moment I have two questions:
>> Why this happened and is there a way to stop the disaster?
>> Is there a quick way to repair the disaster? It infects the profile directory used with acl.
>>
>> thank you
>>
> Please do not post things like this to the samba-technical list.
>
> As I said, you cannot use 'winbind use default domain = yes' with 'autorid', it makes all users and groups members of the same domain, this is probably what has happened here.
>
> Remove the line, this should stop it happening again
>
> If you have only one domain, then you shouldn't be using autorid, you should be using rid instead, unfortunately it is probably too late now.

I have 4 trusted domains
Builtin
Hostname of Samba Server
Costumer
costumerxy

Custumer is the only primary

>
> As to how you fix your permissions, I fear this will have to be done manually, you will have to identify which folder or file belongs to which user/group.
>
> Samba does not create Unix IDs on Unix domain members, it either uses rfc2307 attributes stored in AD (if using the winbind 'ad' backend) or it calculates the ID from the AD objects SID
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Sun, 2019-11-03 at 08:39 +0000, Rowland penny via samba wrote:
> On 02/11/2019 23:18, Hilberg via samba wrote:
> > Hi
> >
> > The server suddenly changed the uid + gid. This happened two times,
> > yesterday and the week after. The default group at example
> > The samba is an AD member where we have many users (>20 000) and we
> > use
> > autorid in that way
> > [global]
> >   security = ads
> >   workgroup = CUSTOMER
> >   realm = CUSTOMER.COM
> >   winbind use default domain = yes
> >   winbind enum users = yes
> >   winbind enum group = yes
> >   idmap config * : backend = autorid
> >   idmap config * : range = 1000000-8999999999
> >
> > OS debian 10
> > DC Microsoft
> >
> > At the moment I have two questions:
> > Why this happened and is there a way to stop the disaster?
> > Is there a quick way to repair the disaster? It infects the profile
> > directory used with acl.
> >
> > thank you
> >
>
> Please do not post things like this to the samba-technical list.
>
> As I said, you cannot use 'winbind use default domain = yes' with
> 'autorid', it makes all users and groups members of the same domain,
> this is probably what has happened here.

G'Day Rowland,

Are you really sure that is the case?

The "winbind use default domain" code, which I authored, certainly isn't intended to do that. It changes the formatting at the nss interface to strip the domain\ prefix, allowing local logins with pam etc to avoid typing the domain.

Specifically, in source3/winbindd/winbindd_util.c:assume_domain() in

It changes the domain member to act more like an old-style DC. The impact of this is deliberately on fill_domain_username_talloc() and parse_domain_user(). (There are a few other references, essentially to mirror this in smbd).

> Remove the line, this should stop it happening again
>
> If you have only one domain, then you shouldn't be using autorid,
> you
> should be using rid instead, unfortunately it is probably too late
> now.

We do need to work out why the RID base here isn't stable.

The most likely reason is that the TDB it is stored in is being deleted for some reason, or less likely that it is somehow corrupt. The file is autorid.tdb in "state dir".

Why shouldn't autorid be available on one domain?

> As to how you fix your permissions, I fear this will have to be done
> manually, you will have to identify which folder or file belongs to
> which user/group.

If we take the theory that the RID base is becoming randomised, then as long as the old RID base can be determined by inspection of the filesystem, then it might be possible to fix a RID base for idmap_rid.

Looking at the code it would be "idmap config CUSTOMER : base_rid $BASE_RID" or so. The default range size is 100,000 so these should be contiguous RIDs.

> Samba does not create Unix IDs on Unix domain members, it either
> uses
> rfc2307 attributes stored in AD (if using the winbind 'ad' backend)
> or
> it calculates the ID from the AD objects SID
>
> Rowland

Hilberg,

This all sounds pretty stressful. I'm not sure if you saw Rowland's reply as he moved the CC to the samba@ list but you might be subscribed there.

I wish you all the best fixing this back up. Do consider reaching out for commercial support if this gets overwhelming, but I think I've plotted a practical way forward.

Once it is settled down, and if this is just a profile server where each directory is per-user then I would look into resetting the file ownerships from the unix side and then ACLs from the windows side just to be sure. There may be gremlins if new files were created while the wrong idmappings are in effect.

Finally, do try to work out how the autorid.tdb was damaged. We certainly don't want this happening ever again!

All the best,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
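
Added example, not part of the original thread and not Samba code: one way to determine the old autorid range slot "by inspection of the filesystem", as the reply above suggests, from stale numeric owners on disk and the RIDs of the accounts known to own them. It assumes the mapping formula from the idmap_autorid(8) man page, the range low value from the posted smb.conf, the default rangesize, and samples taken from a single domain; the function names and sample data are constructed for illustration.

```python
from collections import Counter, defaultdict

RANGE_LOW = 1_000_000  # low end of "idmap config * : range" in the posted smb.conf
RANGE_SIZE = 100_000   # autorid default rangesize (assumed unchanged on this server)


def slot_from_sample(unix_id, rid, low=RANGE_LOW, size=RANGE_SIZE):
    """Range slot implied by one (on-disk ID, RID) pair, or None if impossible.

    Inverts the idmap_autorid(8) formula: ID = low + slot * size + (RID % size).
    """
    offset = unix_id - low
    if offset < 0 or offset % size != rid % size:
        return None
    return offset // size


def recover_slots(samples, low=RANGE_LOW, size=RANGE_SIZE):
    """Majority-vote the old slot per domain range index (RID // size).

    Returns ({range_index: slot}, [samples that disagree or cannot match]).
    """
    votes = defaultdict(Counter)
    for unix_id, rid in samples:
        slot = slot_from_sample(unix_id, rid, low, size)
        if slot is not None:
            votes[rid // size][slot] += 1
    slots = {idx: c.most_common(1)[0][0] for idx, c in votes.items()}
    outliers = []
    for unix_id, rid in samples:
        slot = slot_from_sample(unix_id, rid, low, size)
        if slot is None or slot != slots[rid // size]:
            outliers.append((unix_id, rid))
    return slots, outliers


def translate(stale_id, old_slot, new_slot, size=RANGE_SIZE):
    """Unix ID the same SID maps to once its slot moved from old to new."""
    return stale_id + (new_slot - old_slot) * size


# Constructed sample: numeric owners found on disk, paired with the RID of the
# account each profile directory is known to belong to.
SAMPLES = [(1201105, 1105), (1201234, 1234), (1202001, 2001),
           (1500513, 100513),  # RID >= rangesize: own range index and slot
           (1301500, 1500),    # disagrees with the majority
           (1000, 1300)]       # local account below the idmap range

if __name__ == "__main__":
    print(recover_slots(SAMPLES), translate(1201105, 2, 7))
```

Samples reported as outliers are the ones to check by hand, for example files created while the wrong mapping was in effect.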
Andrew Bartlett
2019-Nov-03 21:00 UTC
[Samba] [smbd] get_static_share_mode_data failed: NT_STATUS_NO_MEMORY
On Sun, 2019-11-03 at 07:16 +0300, Виктор via samba wrote:
> Hi all. help please:
> # systemctl status smbd.service
> ...
> Nov 03 06:53:09 server1.local.my smbd[4585]: [2019/11/03
> 06:53:09.857837, 1]
> ../../source3/locking/share_mode_lock.c:597(get_share_mode_lock)
> Nov 03 06:53:09 server1.local.my smbd[4585]: get_share_mode_lock:
> get_static_share_mode_data failed: NT_STATUS_NO_MEMORY
> ...
>
> current version (but w older too)
> # smbd -V
> Version 4.11.2
>
> client - macos, (time machine session).
> where can i add this memory?

I don't think it is actually memory, but some more logs would help.

If talloc actually fails then it would say "talloc failed" in fresh_share_mode_lock(). Can you check that for me?

Assuming it doesn't say that, then the conditions for returning NT_STATUS_NO_MEMORY from fresh_share_mode_lock() and so get_static_share_mode_data() are:

    if ((servicepath == NULL) || (smb_fname == NULL) ||
        (old_write_time == NULL)) {
            return NULL;
    }

None of these are memory related, confusingly.

The full smb.conf Rowland asked for might help. Otherwise, if you are confident and if you have self-compiled this then if you can patch in a smb_panic() rather than the return NULL, and catch it under gdb when it panics, a 'bt full' will tell us which of these are the problem.

Thanks!

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
On Sunday, 3 November 2019 01:41:18 PST Rowland penny via samba wrote:
> As I said, you cannot use 'winbind use default domain = yes' with
> 'autorid', it makes all users and groups members of the same domain,
> this is probably what has happened here.
>
> Remove the line, this should stop it happening again
>
> If you have only one domain, then you shouldn't be using autorid, you
> should be using rid instead, unfortunately it is probably too late now.
>

Is it OK to use autorid for * when you have rid configured for the domain of your primary user on a given machine?

E.g., if there is a forest of, say, users.example.com, dom1.example.com, dom2.example.com, and the primary user of the machine is in users.example.com, is it OK to have config like this:

    idmap config * : backend = autorid
    idmap config * : range = <range>
    idmap config * : rangesize = <subrange>
    idmap config USERS : backend = rid
    idmap config USERS : range = <range>

If yes, what about the same config for the case when USERS (users.example.com) is the only domain?

My understanding is in a single domain situation this config shouldn't cause any issues with 'winbind use default domain = true', and in the multiple domains situation this would cause trouble authenticating users from domains other than USERS but should work OK for the primary domain, is that correct?