Kees van Vloten
2023-Sep-04 20:50 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On 04-09-2023 22:26, Rowland Penny via samba wrote:
> On Mon, 4 Sep 2023 22:09:35 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Hi Team,
>>
>> I am setting up a new AD-domain, the first DC is just operational and
>> some users and groups are created.
>>
>> This runs on Debian 11, Samba 4.18.6 and it is set up with the same
>> (but evolved) Ansible code I used for my other domains (all of them
>> on different networks and independent of each other). The older
>> domains were initially set up with Samba 4.14 and another with 4.15
>> and upgraded many times since, the new setup with 4.18.6. In all
>> places it gets installed from the same Debian packages.
>>
>> Due to the repeatable Ansible setup the /etc/samba/smb.conf is
>> exactly the same (apart from the domain name etc.) on the existing
>> domains and the new domain. And all domains were provisioned with
>> '--use-rfc2307'.
>>
>> 'samba-tool processes | wc -l' is equal between old and new: 24
>> lines. And ps aux | grep winbindd also shows an equal number of
>> winbind processes.
>>
>> '/etc/nsswitch.conf' is also equal and includes winbind for passwd
>> and group.
>>
>> Now the mystery starts: there is a difference in id (uid/gid) lookups
>> on a DC between the older domains and the new domain.
>>
>> It looks like the new domain is not querying
>> /var/lib/samba/private/idmap.ldb (but it does exist there), whereas
>> the older ones are.
>>
>> As an example I tried: getent passwd '<DOMAIN-NAME>\domain admins'
>>
>> On the old domain(s) this results (as expected) in:
>>
>> OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
>>
>> But on the new domain the lookup has no result.
>>
>> The winbind logging is equally different, on the old domain (success):
>>
>> [2023/09/04 20:55:56.243929,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>   winbindd_interface_version: [nss_winbind (2502996)]: request interface version (version = 32)
>> [2023/09/04 20:55:56.243999,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
>>   process_request_send: [nss_winbind (2502996)] Handling async request: GETPWNAM
>> [2023/09/04 20:55:56.244007,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>>   [nss_winbind (2502996)] Winbind external command GETPWNAM start.
>>   Query username 'OLDDOM\domain admins'.
>> [2023/09/04 20:55:56.244312,  3] ../../source3/winbindd/winbindd_getpwnam.c:149(winbindd_getpwnam_recv)
>>   Winbind external command GETPWNAM end.
>>   (name:passwd:uid:gid:gecos:dir:shell)
>>   OLDDOM\domain admins:*:3000004:3000004::/home/domain admins:/bin/bash
>> [2023/09/04 20:55:56.244322,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
>>   process_request_done: [nss_winbind(2502996):GETPWNAM]: NT_STATUS_OK
>> [2023/09/04 20:55:57.091601,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>   winbindd_interface_version: [nss_winbind (2502997)]: request interface version (version = 32)
>> [2023/09/04 20:55:57.091800,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
>>   process_request_send: [nss_winbind (2502997)] Handling async request: GETGROUPS
>> [2023/09/04 20:55:57.091817,  3] ../../source3/winbindd/winbindd_getgroups.c:63(winbindd_getgroups_send)
>>   [nss_winbind (2502997)] Winbind external command GETGROUPS start.
>>   Searching groups for username 'root'.
>> [2023/09/04 20:55:57.093936,  3] ../../source3/winbindd/winbindd_util.c:1736(lookup_usergroups_cached)
>>   : lookup_usergroups_cached
>> [2023/09/04 20:55:57.106212,  3] ../../source3/winbindd/winbindd_getgroups.c:267(winbindd_getgroups_recv)
>>   Winbind external command GETGROUPS end.
>>   Received 2 entries.
>> [2023/09/04 20:55:57.106337,  3] ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>>   0: GID 10000
>> [2023/09/04 20:55:57.106344,  3] ../../source3/winbindd/winbindd_getgroups.c:272(winbindd_getgroups_recv)
>>   1: GID 10019
>> [2023/09/04 20:55:57.106350,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
>>   process_request_done: [nss_winbind(2502997):GETGROUPS]: NT_STATUS_OK
>>
>> On the new domain (no result):
>>
>> [2023/09/04 20:54:18.579629,  3] ../../source3/winbindd/winbindd_misc.c:355(winbindd_interface_version)
>>   winbindd_interface_version: [nss_winbind (43590)]: request interface version (version = 32)
>> [2023/09/04 20:54:18.579686,  3] ../../source3/winbindd/winbindd.c:497(process_request_send)
>>   process_request_send: [nss_winbind (43590)] Handling async request: GETPWNAM
>> [2023/09/04 20:54:18.579701,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
>>   [nss_winbind (43590)] Winbind external command GETPWNAM start.
>>   Query username 'NEWDOM\domain admins'.
>> [2023/09/04 20:54:18.582975,  1] ../../source3/winbindd/wb_queryuser.c:128(wb_queryuser_got_uid)
>>   XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH.
>> [2023/09/04 20:54:18.582990,  1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
>>   Could not convert sid S-1-5-21-435088123-233829246-2133031062-512: NT_STATUS_NO_SUCH_USER
>> [2023/09/04 20:54:18.582995,  3] ../../source3/winbindd/winbindd.c:564(process_request_done)
>>   process_request_done: [nss_winbind(43590):GETPWNAM]: NT_STATUS_NO_SUCH_USER
>>
>> Another indication that /var/lib/samba/private/idmap.ldb is not used
>> comes from the group lookup of domain admins:
>>
>> getent group '<DOMAIN-NAME>\domain admins'
>>
>> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the xidNumber
>> in idmap.ldb)
>>
>> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber in
>> the ldap record of the group)
>>
>> What could cause this different behaviour (on these 2 very similar
>> environments)?
> You giving Domain Admins a gidNumber attribute, which by the way has
> just broken sysvol.
>
> Rowland
>
ok, it was worth testing your hypothesis:

# destroy domain:
dpkg -l | grep 4.18.6 | awk '{print $2}' | xargs apt-get -y purge
# everything including /var/lib/samba is removed

# rerun ansible playbook for samba_dc_install

getent group 'domain admins'
# no result

So no more gidNumber from the ldap group record, but nothing from
idmap.ldb either :-(

- Kees.
Rowland Penny
2023-Sep-04 21:04 UTC
[Samba] New (4.18 provisioned) domain is missing id lookups from idmap.ldb
On Mon, 4 Sep 2023 22:50:56 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 04-09-2023 22:26, Rowland Penny via samba wrote:
> > On Mon, 4 Sep 2023 22:09:35 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Team,
> >>
> >> [...]
> >>
> >> Another indication that /var/lib/samba/private/idmap.ldb is not
> >> used comes from the group lookup of domain admins:
> >>
> >> getent group '<DOMAIN-NAME>\domain admins'
> >>
> >> Old domain: OLDDOM\domain admins:x:3000004: (3000004 is the
> >> xidNumber in idmap.ldb)
> >>
> >> New domain: NEWDOM\domain admins:x:10001: (10001 is the gidNumber
> >> in the ldap record of the group)
> >>
> >> What could cause this different behaviour (on these 2 very similar
> >> environments)?
> > You giving Domain Admins a gidNumber attribute, which by the way has
> > just broken sysvol.
> >
> > Rowland
> >
> ok, it was worth testing your hypothesis:
>
> # destroy domain:
> dpkg -l | grep 4.18.6 | awk '{print $2}' | xargs apt-get -y purge
> # everything including /var/lib/samba is removed
>
> # rerun ansible playbook for samba_dc_install
>
> getent group 'domain admins'
> # no result
>
> So no more gidNumber from the ldap group record, but nothing from
> idmap.ldb either :-(
>
> - Kees.

It has worked for over 10 years, so if it has stopped working, why?

These are probably stupid questions, but are libpam-winbind and
libnss-winbind installed? Also is /etc/nsswitch.conf set up correctly?

Rowland
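A small shell diagnostic covering both threads of investigation above: Rowland's questions (are libnss-winbind/libpam-winbind installed, is /etc/nsswitch.conf correct) and the idmap.ldb record type behind the "XID type is 2, should be ID_TYPE_UID or ID_TYPE_BOTH" line in Kees's winbind log. This is an added example, not code from the thread or from Samba; it assumes the Debian package names and paths used above, and that winbind's numeric XID types follow Samba's id_type numbering (1 = ID_TYPE_UID, 2 = ID_TYPE_GID, 3 = ID_TYPE_BOTH).

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Samba). Assumes Debian paths and
# package names and Samba's id_type numbering: 1=UID, 2=GID, 3=BOTH.
# Does nsswitch.conf (read from stdin) list winbind for both passwd and group?
nss_has_winbind() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
         $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
         END { if (p && g) exit 0; exit 1 }'
}

# Translate the numeric XID type printed by wb_queryuser_got_uid in the log.
xid_type_name() {
    case "$1" in
        0) echo ID_TYPE_NOT_SPECIFIED ;;
        1) echo ID_TYPE_UID ;;
        2) echo ID_TYPE_GID ;;
        3) echo ID_TYPE_BOTH ;;
        *) echo UNKNOWN ;;
    esac
}

# Pull the 'type' attribute out of an ldbsearch dump of idmap.ldb (stdin).
idmap_type_from_ldif() {
    awk '$1 == "type:" { print $2; exit }'
}

# GETPWNAM only succeeds for ID_TYPE_UID or ID_TYPE_BOTH (the check that logs
# "XID type is 2, ..."); an ID_TYPE_GID mapping serves getent group only.
passwd_lookup_possible() {
    case "$1" in
        ID_TYPE_UID|ID_TYPE_BOTH) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on a DC (run as root): $1 = SID to inspect, e.g. the one in the log.
check_dc() {
    nss_has_winbind < /etc/nsswitch.conf \
        || echo "nsswitch.conf: winbind missing from passwd and/or group"
    for pkg in libnss-winbind libpam-winbind; do
        dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q 'install ok installed' \
            || echo "package $pkg is not installed"
    done
    t=$(ldbsearch -H /var/lib/samba/private/idmap.ldb "(objectSid=$1)" type xidNumber \
        | idmap_type_from_ldif)
    echo "idmap.ldb type for $1: ${t:-<no record>}"
    passwd_lookup_possible "$t" && echo "getent passwd can succeed" \
        || echo "only getent group can succeed for this SID"
}
```

Running `check_dc` with the SID from the winbind log on the new DC separates an NSS/package problem (Rowland's question) from a mapping whose type only allows group lookups (the XID type message).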