Jonathan Hunter
2015-Jun-05 10:41 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
From my .bash_history on the schema master DC, effectively:

# sed -e 's/${DOMAINDN}/dc=MYDOMAIN,dc=MY,dc=TLD/g' \
      -e 's/${NETBIOSNAME}/MYDOMAIN/g' \
      -e 's/${NISDOMAIN}/MYDOMAIN/g' \
      /usr/local/samba/share/setup/ypServ30.ldif > ypServ30-JMH.ldif
# service samba4 stop
# ldbmodify -H /usr/local/samba/private/sam.ldb ypServ30-JMH.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
# service samba4 start

On 5 June 2015 at 11:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 05/06/15 10:44, Jonathan Hunter wrote:
>>
>> Hi,
>>
>> I have now added rfc2307 to my domain - I extended the schema, have
>> added UIDs to some (not all yet) of my users and groups, and have my
>> smb.conf with this currently:
>>
>> idmap_ldb:use rfc2307 = yes
>> winbind nss info = rfc2307
>>
>> winbind use default domain = Yes
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind refresh tickets = Yes
>> winbind expand groups = 8
>>
>> #idmap config *:range = 900000-999999
>>
>> This works just fine on one of my DCs, but the other is proving more
>> problematic.
>>
>> See below for more detail on the process, but the issue is that
>> right now, I now have hundreds (thousands) of messages appearing in
>> syslog along the lines of:
>>
>> Unable to convert SID (S-1-1-0) at index 5 in user token to a GID.
>> Conversion was returned as type 0, full token:
>>
>> 'net cache list' confirms:
>>
>> Key: IDMAP/SID2XID/S-1-1-0   Timeout: 10:41:35   Value: -1:N
>>
>> I've uncommented the idmap line above, to no effect.
>>
>> The same config works just fine on the other DC.
>>
>> What can I check next?
>>
>> Thanks,
>>
>> Jonathan
>>
>> I can't explain the initial issues I had on this DC, either. After
>> adding rfc2307, this DC simply wouldn't resolve the new UIDs I had
>> added, despite running "net cache flush". Even when shutting samba
>> down, then running "net cache flush", then starting samba back, I
>> had a very weird time where running "id <user>" was just fine at
>> first, returning the rfc2307-defined UID, but then running the same
>> command a few seconds later, it had reverted back to 3000007!
>>
>> I finally used the following to restart - clearing out the idmap.ldb
>> file - and this seemed to work better, but I still have the issue
>> above:
>>
>> service samba4 stop; net cache flush; rm /usr/local/samba/private/idmap.ldb; service samba4 start
>>
>
> Hi, what do you mean 'I extended the schema' ?
> How did you extend the schema and with what ?
>
>
> Rowland

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Jonathan Hunter
2015-Jun-05 10:53 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
I've also realised that I only put a few log messages in my original message because I didn't want to send huge volumes of potentially irrelevant traffic down the mailing list.. but I have just realised there may be something in there that could lead us in the right direction, that I can't see. So, some selected excerpts to give you a flavour:

Jun 5 11:48:48 myserver smbd[26655]: [2015/06/05 11:48:48.252345, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jun 5 11:48:48 myserver smbd[26655]:   Unable to convert SID (S-1-1-0) at index 5 in user token to a GID. Conversion was returned as type 0, full token:
Jun 5 11:48:48 myserver smbd[26655]: [2015/06/05 11:48:48.252661, 0] ../libcli/security/security_token.c:63(security_token_debug)
Jun 5 11:48:48 myserver smbd[26655]:   Security token SIDs (10):
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 0]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1138
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 1]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-513
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 2]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2613
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 3]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2615
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 4]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1168
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 5]: S-1-1-0
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 6]: S-1-5-2
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 7]: S-1-5-11
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 8]: S-1-5-32-545
Jun 5 11:48:48 myserver smbd[26655]:     SID[ 9]: S-1-5-32-554
Jun 5 11:48:48 myserver smbd[26655]:   Privileges (0x 800000):
Jun 5 11:48:48 myserver smbd[26655]:     Privilege[ 0]: SeChangeNotifyPrivilege
Jun 5 11:48:48 myserver smbd[26655]:   Rights (0x 400):
Jun 5 11:48:48 myserver smbd[26655]:     Right[ 0]: SeRemoteInteractiveLogonRight
Jun 5 11:48:48 myserver smbd[26655]: [2015/06/05 11:48:48.279396, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jun 5 11:48:48 myserver smbd[26655]:   Unable to convert SID (S-1-1-0) at index 5 in user token to a GID. Conversion was returned as type 0, full token:
Jun 5 11:48:48 myserver rsyslogd-2177: imuxsock begins to drop messages from pid 26655 due to rate-limiting

and:

[root at myserver samba]# net cache list | grep 1:N
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-501   Timeout: 11:30:14   Value: -1:N  (expired)
Key: IDMAP/SID2XID/S-1-5-2   Timeout: 11:52:14   Value: -1:N
Key: IDMAP/SID2XID/S-1-5-11   Timeout: 11:52:23   Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1174   Timeout: 11:52:39   Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1601   Timeout: 11:50:44   Value: -1:N  (expired)
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-515   Timeout: 11:50:44   Value: -1:N  (expired)
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512   Timeout: 11:52:39   Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-514   Timeout: 11:30:14   Value: -1:N  (expired)
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-572   Timeout: 11:52:39   Value: -1:N
Key: IDMAP/SID2XID/S-1-1-0   Timeout: 11:52:14   Value: -1:N
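A small triage helper for the output pasted above, added here as an example and not code from the thread or from Samba: it parses `net cache list` text, keeps only the SID2XID entries whose value is -1:N (SIDs that could not be mapped to a uid/gid), and labels the well-known ones so that built-in identities like Everyone can be told apart from domain users and groups that may simply lack a uidNumber/gidNumber. The cache lines and the domain SID 111-222-333 in SAMPLE_CACHE are constructed.

```python
import re

# Well-known SIDs and domain RIDs (documented Windows values, not from the thread).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
DOMAIN_RIDS = {501: "Guest", 512: "Domain Admins", 513: "Domain Users",
               514: "Domain Guests", 515: "Domain Computers",
               572: "Denied RODC Password Replication Group"}

# One `net cache list` entry per line: Key ... Timeout ... Value ... [(expired)]
ENTRY_RE = re.compile(
    r"Key:\s*IDMAP/SID2XID/(?P<sid>S-[\d-]+)\s+Timeout:\s*\S+"
    r"\s+Value:\s*(?P<value>\S+)\s*(?P<expired>\(expired\))?")


def describe_sid(sid):
    """Name a well-known SID or a well-known domain RID; None for ordinary objects."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.match(r"S-1-5-21-\d+-\d+-\d+-(\d+)$", sid)
    if m and int(m.group(1)) in DOMAIN_RIDS:
        return DOMAIN_RIDS[int(m.group(1))]
    return None


def unresolved_mappings(cache_listing):
    """Return (sid, name_or_None, expired) for every SID2XID entry with value -1:N,
    i.e. a SID that idmap failed to map to a uid/gid; mapped entries are skipped."""
    found = []
    for line in cache_listing.splitlines():
        m = ENTRY_RE.search(line)
        if not m or not m.group("value").startswith("-1:"):
            continue
        sid = m.group("sid")
        found.append((sid, describe_sid(sid), m.group("expired") is not None))
    return found


# Constructed sample in the format shown above; 111-222-333 stands in for the domain SID.
SAMPLE_CACHE = """\
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-501 \t Timeout: 11:30:14 \t Value: -1:N  (expired)
Key: IDMAP/SID2XID/S-1-5-11 \t Timeout: 11:52:23 \t Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-1174 \t Timeout: 11:52:39 \t Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-1138 \t Timeout: 11:52:39 \t Value: 10001:U
Key: IDMAP/SID2XID/S-1-1-0 \t Timeout: 11:52:14 \t Value: -1:N
"""
```

Feed it the real `net cache list` output and any entry that comes back with a None name is a domain object whose uidNumber/gidNumber is worth checking; named entries are built-in identities that have no such attribute.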
Rowland Penny
2015-Jun-05 11:14 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
On 05/06/15 11:41, Jonathan Hunter wrote:
> From my .bash_history on the schema master DC, effectively:
>
> # sed -e 's/${DOMAINDN}/dc=MYDOMAIN,dc=MY,dc=TLD/g' \
>       -e 's/${NETBIOSNAME}/MYDOMAIN/g' \
>       -e 's/${NISDOMAIN}/MYDOMAIN/g' \
>       /usr/local/samba/share/setup/ypServ30.ldif > ypServ30-JMH.ldif
> # service samba4 stop
> # ldbmodify -H /usr/local/samba/private/sam.ldb ypServ30-JMH.ldif --option="dsdb:schema update allowed"=true
> Modified 55 records successfully
> # service samba4 start
>
> On 5 June 2015 at 11:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 05/06/15 10:44, Jonathan Hunter wrote:
>>> Hi,
>>> I have now added rfc2307 to my domain - I extended the schema, have
>>> added UIDs to some (not all yet) of my users and groups, and have my
>>> smb.conf with this currently:
>>>
>>> idmap_ldb:use rfc2307 = yes
>>> winbind nss info = rfc2307
>>>
>>> winbind use default domain = Yes
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind refresh tickets = Yes
>>> winbind expand groups = 8
>>>
>>> #idmap config *:range = 900000-999999
>>>
>>> This works just fine on one of my DCs, but the other is proving more
>>> problematic.
>>>
>>> See below for more detail on the process, but the issue is that
>>> right now, I now have hundreds (thousands) of messages appearing in
>>> syslog along the lines of:
>>>
>>> Unable to convert SID (S-1-1-0) at index 5 in user token to a GID.
>>> Conversion was returned as type 0, full token:
>>>
>>> 'net cache list' confirms:
>>>
>>> Key: IDMAP/SID2XID/S-1-1-0   Timeout: 10:41:35   Value: -1:N
>>>
>>> I've uncommented the idmap line above, to no effect.
>>>
>>> The same config works just fine on the other DC.
>>>
>>> What can I check next?
>>>
>>> Thanks,
>>>
>>> Jonathan
>>>
>>> I can't explain the initial issues I had on this DC, either. After
>>> adding rfc2307, this DC simply wouldn't resolve the new UIDs I had
>>> added, despite running "net cache flush". Even when shutting samba
>>> down, then running "net cache flush", then starting samba back, I
>>> had a very weird time where running "id <user>" was just fine at
>>> first, returning the rfc2307-defined UID, but then running the same
>>> command a few seconds later, it had reverted back to 3000007!
>>>
>>> I finally used the following to restart - clearing out the idmap.ldb
>>> file - and this seemed to work better, but I still have the issue
>>> above:
>>>
>>> service samba4 stop; net cache flush; rm /usr/local/samba/private/idmap.ldb; service samba4 start
>>>
>> Hi, what do you mean 'I extended the schema' ?
>> How did you extend the schema and with what ?
>>
>>
>> Rowland
>

So I take it that when you provisioned the domain, you didn't use '--use-rfc2307'.

OK, you now have the same result, so it should work as if you had used '--use-rfc2307'.

You have two problems here, well one possible and one definite. First, you have turned off the dns server built into the samba AD DC; this is a problem unless you are also running bind9.

The main problem is thinking that you set up an AD DC the same way as a Member Server. You cannot; all the winbind lines you added are doing nothing.

You are also mixing up how an AD DC and a Member Server work: the DC uses idmap.ldb to store the mappings and a Member Server uses .tdb files.

If you give your users and groups a uidNumber or a gidNumber, these should be used on the DC instead of the xidNumber stored in idmap.ldb.

Rowland
Jonathan Hunter
2015-Jun-05 11:57 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
Hi Rowland,

On 5 June 2015 at 12:14, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> So I take it that when you provisioned the domain, you didn't use
> '--use-rfc2307'

Correct

> OK, you now have the same result, so it should work as if you had used
> '--use-rfc2307'

Yup - and indeed it works on the second DC.

> You have two problems here, well one possible and one definite, first you
> have turned off the dns server built into the samba AD DC, this is a problem
> unless you are also running bind9.

Sorry yes, I am also running BIND9; this works fine for the purposes of this email thread (plenty of other issues I could talk about, but not here & now! :) )

> The main problem is thinking that you set up an AD DC the same way as a
> Member Server, you cannot, all the winbind lines you added are doing
> nothing.

Thank you - I think this was the key to my confusion. I had forgotten this, which was of course the whole reason I am embarking on this sorry story in the first place :)

> You are also mixing up how an AD DC and a Member Server work, the DC uses
> idmap.ldb to store the mappings and a Member Server uses .tdb files

Thank you - again useful info, and I didn't know this beforehand. (I will try and add these to the wiki somewhere obvious, if I can!)

> If you give your users and groups a uidNumber or a gidNumber These should be
> used on the DC instead of the xidNumber stored in idmap.ldb.

And this is, I think, the key. On the DC that is working, I am still using sssd as per previous discussions, and *that* is why it works fine. (I have set 'ldap_id_mapping = False' on that machine, now I have added rfc2307.)

On the DC that is not working, for some reason sssd won't play ball if I set the above configuration line - I have no idea why; there are a few hits on google for that error message - and because this wasn't working and I couldn't resolve that immediately, I thought it would be a good idea to use winbind instead.. which of course doesn't work on a DC.

I'll try and reproduce the sssd/nsswitch.conf config from 'good DC' to 'bad DC' and see how I get on, and will remove the winbind/idmap lines, as you say they aren't doing anything. Will update shortly.. :)

Thanks

J