I *think* I may have encountered a bug, or a feature, in the idmap/winbind area.

I have recently added rfc2307 attributes to my AD, and am in the process of switching over. This means that I still have (unintentionally) some files/directories/etc. around with old UIDs e.g. 3000007, rather than my rfc2307 specified UIDs.

What I am seeing is that the SID2XID mapping is initially correct for a given user (i.e. resolves to the rfc2307 UID I have set in AD), but at some point in the future, without any apparent trigger, the SID2XID mapping *changes* and turns into the old UID e.g. 3000007.

I am using winbind in /etc/nsswitch.conf; I think that what might be happening is whenever an old UID is encountered (be it a running process, a file or whatever), this overwrites the rfc2307 mapping I am trying to switch to.

Thinking about what behaviour I'd expect, I would say that if 'idmap_ldb:use rfc2307 = yes' is enabled in smb.conf, then any such old UID mappings should not overwrite a rfc2307-derived mapping.

Here is how I arrived at the above conclusion:

Reset idmap cache (and also copy from known working DC, for good measure):

[root@dc1 ~]# service samba4 stop; \
net cache flush; \
rm /usr/local/samba/private/idmap.ldb; \
scp root@dc2:/usr/local/samba/private/idmap.ldb /usr/local/samba/private/; \
service samba4 start

This results in a working configuration with the UID I'd expect:

[root@dc1 ~]# id auser
uid=41000(auser) gid=61000(domain users) groups=.....
[root@dc1 ~]# net cache list | grep -e 1234
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 Timeout: Thu Jun 18 11:02:33 2015 Value: 41000:U
Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234

However, some time later, without any input from me at all, this changes to:

[root@dc1 ~]# id auser
uid=3000007(auser) gid=61000(domain users) groups=.....
[root@dc1 ~]# net cache list | grep -e 1104
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 Timeout: Thu Jun 18 11:10:05 2015 Value: 3000007:B
Key: IDMAP/GID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234

I *think* this is happening because there is a process (e.g. ssh-agent) still running as uid=3000007, or a file on disk, etc. etc. that winbind reads and then overwrites in the database.

Thoughts?

Global section of smb.conf is as follows:

[global]
        log level = 0
        workgroup = MYDOMAIN
        realm = mydomain.my.tld
        netbios name = DC1
        server role = active directory domain controller
        interfaces = eth0 lo
        bind interfaces only = yes
        # using BIND for DNS
        server services = -dns
        dsdb:schema update allowed = true
        idmap_ldb:use rfc2307 = yes
        # I believe the following winbind lines have no effect on a DC, but they're here anyway..
        winbind nss info = rfc2307
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        # yes I know 8 is 'bad' but it's here at the moment (and I don't have any 8-deep groups)
        winbind expand groups = 8
        template shell = /bin/bash
        log file = /usr/local/samba/var/log.%I
        include = /usr/local/samba/etc/smb.conf-%I
        load printers = yes

J

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Replying to my own post - I can reset the mappings by "net cache flush", and this then persists for a while, but ultimately it ends up being overwritten somehow.

I'm no longer sure if this is related to files owned by the old UID - because I've since tried to chown all of these, and this is still happening - but I guess I may have missed some, perhaps.

On 11 June 2015 at 12:40, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> I *think* I may have encountered a bug, or a feature, in the idmap/winbind area.
>
> I have recently added rfc2307 attributes to my AD, and am in the
> process of switching over. This means that I still have
> (unintentionally) some files/directories/etc. around with old UIDs
> e.g. 3000007, rather than my rfc2307 specified UIDs.
>
> What I am seeing is that the SID2XID mapping is initially correct for
> a given user (i.e. resolves to the rfc2307 UID I have set in AD), but
> at some point in the future, without any apparent trigger, the SID2XID
> mapping *changes* and turns into the old UID e.g. 3000007.
>
> I am using winbind in /etc/nsswitch.conf; I think that what might be
> happening is whenever an old UID is encountered (be it a running
> process, a file or whatever), this overwrites the rfc2307 mapping I am
> trying to switch to.
>
> Thinking about what behaviour I'd expect, I would say that if
> 'idmap_ldb:use rfc2307 = yes' is enabled in smb.conf, then any such
> old UID mappings should not overwrite a rfc2307-derived mapping.
>
> Here is how I arrived at the above conclusion:
>
> Reset idmap cache (and also copy from known working DC, for good measure):
> [root@dc1 ~]# service samba4 stop; \
> net cache flush; \
> rm /usr/local/samba/private/idmap.ldb; \
> scp root@dc2:/usr/local/samba/private/idmap.ldb /usr/local/samba/private/; \
> service samba4 start
>
> This results in a working configuration with the UID I'd expect:
> [root@dc1 ~]# id auser
> uid=41000(auser) gid=61000(domain users) groups=.....
> [root@dc1 ~]# net cache list | grep -e 1234
> Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 Timeout: Thu Jun 18 11:02:33 2015 Value: 41000:U
> Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
>
> However, some time later, without any input from me at all, this changes to:
> [root@dc1 ~]# id auser
> uid=3000007(auser) gid=61000(domain users) groups=.....
> [root@dc1 ~]# net cache list | grep -e 1104
> Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 Timeout: Thu Jun 18 11:10:05 2015 Value: 3000007:B
> Key: IDMAP/GID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
> Key: IDMAP/UID2SID/41000 Timeout: Thu Jun 18 11:02:33 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
> Key: IDMAP/UID2SID/3000007 Timeout: Thu Jun 18 11:10:05 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
>
> I *think* this is happening because there is a process (e.g.
> ssh-agent) still running as uid=3000007, or a file on disk, etc. etc.
> that winbind reads and then overwrites in the database.