Edson Tadeu Almeida da Silveira
2016-Oct-06 11:42 UTC
[Samba] winbindd losing track of RFC2307 UIDs
This is what there is in winbindd_idmap.tdb of both members that I have,
where file server 2 is working well and file server 1 loses the winbind RFC
track.
#
# FILE SERVER 1 - PROBLEM
#
# tdbdump winbindd_idmap.tdb
{
key(9) = "USER HWM\00"
data(4) = "\D0\07\00\00"
}
{
key(10) = "GROUP HWM\00"
data(4) = "\D0\07\00\00"
}
{
key(14) = "IDMAP_VERSION\00"
data(4) = "\02\00\00\00"
}
#
# FILE SERVER 2 - OK
#
# tdbdump winbindd_idmap.tdb
{
key(9) = "GID 2002\00"
data(9) = "S-1-5-11\00"
}
{
key(9) = "S-1-5-11\00"
data(9) = "GID 2002\00"
}
{
key(9) = "USER HWM\00"
data(4) = "\D0\07\00\00"
}
{
key(9) = "GID 2000\00"
data(8) = "S-1-1-0\00"
}
{
key(8) = "S-1-1-0\00"
data(9) = "GID 2000\00"
}
{
key(8) = "S-1-5-2\00"
data(9) = "GID 2001\00"
}
{
key(10) = "GROUP HWM\00"
data(4) = "\D3\07\00\00"
}
{
key(9) = "GID 2001\00"
data(8) = "S-1-5-2\00"
}
{
key(14) = "IDMAP_VERSION\00"
data(4) = "\02\00\00\00"
}
2016-10-05 18:44 GMT-03:00 Achim Gottinger via samba <samba at lists.samba.org>:
>
>
> Am 05.10.2016 um 22:31 schrieb Achim Gottinger via samba:
>
>>
>>
>> Am 05.10.2016 um 22:12 schrieb Rob via samba:
>>
>>> On Tue, 4 Oct 2016, Rowland Penny wrote:
>>>
>>>> This is very strange, have you tried running 'net cache flush' on the
>>>> domain member ?
>>>>
>>>> Have you compared the users AD objects ?
>>>>
>>>
>>> Running 'net cache flush' on the member does fix things, albeit only for
>>> a while:
>>>
>>> # wbinfo -i auser
>>> auser:*:2020:10000:User Name:/home/auser:/bin/bash
>>> # net cache flush
>>> # wbinfo -i auser
>>> auser:*:10028:10000:User Name:/home/auser:/bin/bash
>>> [...wait a few hours...]
>>> # wbinfo -i auser
>>> auser:*:2020:10000:User Name:/home/auser:/bin/bash
>>>
>>> Using ldbsearch on sam.ldb on the DC, I compared the attributes of
>>> problematic users and normal users... I couldn't find anything obvious
>>> distinguishing them.
>>>
>>> Also, on the member:
>>>
>>> # net idmap dump
>>> dumping id mapping from /usr/local/samba/var/locks/winbindd_idmap.tdb
>>> [...]
>>> UID 2020 S-1-5-21-2701825980-1665447529-2160704981-1177
>>>
>>> (where S-*-1177 is the SID for auser)
>>>
>>> But I'd think winbindd would prefer the mapping in AD, given smb.conf
>>> having our domain listed explicitly and 2xxx only as a default/fallback. Or
>>> maybe I misunderstand how the idmaps work... does the order in smb.conf
>>> matter at all?
>>>
>>> _Rob
>>>
>>>
>> Hi Rob,
>>
>> You can try to use tdbtool to delete the offending key with uid 2020.
>> https://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html
>> I'd stop samba, make a backup of winbindd_idmap.tdb and give it a try.
>> In my case deleting the mappings from idmap.tdb fixed the issue of
>> changing uid's.
>>
>> achim~
>>
>
> Did the uid change from 2018 to 2020 or is this a different user or
> member server? If it changed, editing winbindd_idmap.tdb might not fix your
> problem.
>
>
--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
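Added example (not from the thread, and not Samba's own code): a small Python parser for tdbdump listings like the two above. It decodes tdbdump's `\XX` escapes, reads the `USER HWM`, `GROUP HWM` and `IDMAP_VERSION` records as little-endian uint32 values (so `\D0\07\00\00` is 2000 and `\D3\07\00\00` is 2003), pairs every `UID n`/`GID n` record with its reverse `S-1-...` record, and flags what is worth checking before reaching for tdbtool: orphan records, ids outside the configured `*` range, ids at or above the high-water mark and, most relevant here, domain SIDs (`S-1-5-21-...`) that were allocated from the fallback tdb at all, which is exactly what Rob's `UID 2020` entry was. The sample dump is constructed: the FILE SERVER 2 records trimmed, plus the UID 2020 pair from Rob's `net idmap dump` (with USER HWM raised to 2021 so the counter is consistent) and an orphan GID 2004 added to exercise the checks.

```python
import re
import struct

# Constructed sample (not a real capture): a trimmed "FILE SERVER 2" dump,
# the UID 2020 <-> domain SID pair Rob posted (USER HWM bumped to 2021 to
# match), and one orphan record, GID 2004, that has no reverse entry.
SAMPLE_DUMP = r'''
{
key(9) = "GID 2002\00"
data(9) = "S-1-5-11\00"
}
{
key(9) = "S-1-5-11\00"
data(9) = "GID 2002\00"
}
{
key(9) = "USER HWM\00"
data(4) = "\E5\07\00\00"
}
{
key(10) = "GROUP HWM\00"
data(4) = "\D3\07\00\00"
}
{
key(14) = "IDMAP_VERSION\00"
data(4) = "\02\00\00\00"
}
{
key(9) = "UID 2020\00"
data(47) = "S-1-5-21-2701825980-1665447529-2160704981-1177\00"
}
{
key(47) = "S-1-5-21-2701825980-1665447529-2160704981-1177\00"
data(9) = "UID 2020\00"
}
{
key(9) = "GID 2004\00"
data(13) = "S-1-5-32-545\00"
}
'''

_REC = re.compile(r'\{\s*key\(\d+\)\s*=\s*"(.*?)"\s*data\(\d+\)\s*=\s*"(.*?)"\s*\}', re.S)
_ESC = re.compile(r'\\([0-9A-Fa-f]{2})')


def unescape(s):
    """tdbdump prints non-printable bytes as \\XX; turn that back into raw bytes."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), s).encode('latin-1')


def parse_tdbdump(text):
    """{key_bytes: data_bytes} for every record in a tdbdump listing."""
    return {unescape(k): unescape(d) for k, d in _REC.findall(text)}


def c_str(b):
    return b.split(b'\0', 1)[0].decode('ascii')


def u32(b):
    return struct.unpack('<I', b[:4])[0]   # counters are little-endian uint32


def analyse(dump_text, lo, hi):
    """Cross-check an idmap_tdb dump against the configured '*' range lo-hi."""
    meta, fwd, rev = {}, {}, {}
    for k, d in parse_tdbdump(dump_text).items():
        key = c_str(k)
        if key in ('USER HWM', 'GROUP HWM', 'IDMAP_VERSION'):
            meta[key] = u32(d)
        elif key.startswith(('UID ', 'GID ')):
            kind, num = key.split()
            fwd[(kind, int(num))] = c_str(d)          # "UID 2020" -> SID
        elif key.startswith('S-1-'):
            kind, num = c_str(d).split()
            rev[key] = (kind, int(num))               # SID -> "UID 2020"
    problems, domain_sids = [], []
    for (kind, num), sid in fwd.items():
        if rev.get(sid) != (kind, num):
            problems.append(f'{kind} {num} -> {sid}: no matching reverse record')
        if not lo <= num <= hi:
            problems.append(f'{kind} {num}: outside configured range {lo}-{hi}')
        hwm = meta.get('USER HWM' if kind == 'UID' else 'GROUP HWM')
        if hwm is not None and num >= hwm:
            problems.append(f'{kind} {num}: at or above high-water mark {hwm}')
        if sid.startswith('S-1-5-21-'):               # a domain account, not a well-known SID
            domain_sids.append((kind, num, sid))
    for sid, pair in rev.items():
        if pair not in fwd:
            problems.append(f'{sid} -> {pair[0]} {pair[1]}: no matching forward record')
    return {'meta': meta, 'mappings': fwd, 'problems': problems, 'domain_sids': domain_sids}
```

Run it as `analyse(open('dump.txt').read(), 2000, 9999)` on the output of `tdbdump winbindd_idmap.tdb`. Anything in `domain_sids` is a SID whose lookup fell through the domain's own backend and was allocated a local id from the `*` tdb; those forward and reverse keys are the ones to delete with tdbtool (after stopping winbind and backing up the file, as Achim suggested), and they are why two members can disagree on a user's uid.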
Rowland Penny
2016-Oct-06 12:03 UTC
[Samba] winbindd losing track of RFC2307 UIDs
On Thu, 6 Oct 2016 08:42:41 -0300
Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
> This is what there is in winbindd_idmap.tdb of both members that I
> have, where file server 2 is working well and file server 1 loses
> the winbind rfc track.
>
> #
> # FILE SERVER 1 - PROBLEM
> #
> # tdbdump winbindd_idmap.tdb
> {
> key(9) = "USER HWM\00"
> data(4) = "\D0\07\00\00"
> }
> {
> key(10) = "GROUP HWM\00"
> data(4) = "\D0\07\00\00"
> }
> {
> key(14) = "IDMAP_VERSION\00"
> data(4) = "\02\00\00\00"
> }
>
> #
> # FILE SERVER 2 - OK
> #
> # tdbdump winbindd_idmap.tdb
> {
> key(9) = "GID 2002\00"
> data(9) = "S-1-5-11\00"
> }
> {
> key(9) = "S-1-5-11\00"
> data(9) = "GID 2002\00"
> }
> {
> key(9) = "USER HWM\00"
> data(4) = "\D0\07\00\00"
> }
> {
> key(9) = "GID 2000\00"
> data(8) = "S-1-1-0\00"
> }
> {
> key(8) = "S-1-1-0\00"
> data(9) = "GID 2000\00"
> }
> {
> key(8) = "S-1-5-2\00"
> data(9) = "GID 2001\00"
> }
> {
> key(10) = "GROUP HWM\00"
> data(4) = "\D3\07\00\00"
> }
> {
> key(9) = "GID 2001\00"
> data(8) = "S-1-5-2\00"
> }
> {
> key(14) = "IDMAP_VERSION\00"
> data(4) = "\02\00\00\00"
> }

There doesn't seem to be anything wrong there, can you post the smb.conf from the domain member.

Rowland
Edson Tadeu Almeida da Silveira
2016-Oct-06 12:09 UTC
[Samba] winbindd losing track of RFC2307 UIDs
Same smb.conf on both members, the only change is the netbios name.
[global]
netbios name = FS1
realm = DOMAIN.LOCAL
workgroup = DOMAIN
security = ads
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-99999
#+
username map = /var/lib/samba/user.map
#+
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind refresh tickets = Yes
winbind normalize names = Yes
#+
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
#+
domain master = no
local master = no
preferred master = no
#+
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
#+
log level = 2 vfs:7 auth:2 passdb:2
#+
vfs objects = full_audit
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
full_audit:prefix = %u|%I|%m|%S
full_audit:success = pread pwrite rename rmdir mkdir unlink chown
full_audit:failure = none
#+
veto files = /*.lnk/*.bkf/*.pif/*.avi/*.vob/*.qic/*.pak/*.srt/*.vmx/autorun.inf/RECYCLER/*.cmd/*.{*}/
#+
[public]
path = /dados/public
read only = No
2016-10-06 9:03 GMT-03:00 Rowland Penny <rpenny at samba.org>:
> On Thu, 6 Oct 2016 08:42:41 -0300
> Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
>
> > This is what there is in winbindd_idmap.tdb of both members that I
> > have, where file server 2 is working well and file server 1 loses
> > the winbind rfc track.
> >
> > #
> > # FILE SERVER 1 - PROBLEM
> > #
> > # tdbdump winbindd_idmap.tdb
> > {
> > key(9) = "USER HWM\00"
> > data(4) = "\D0\07\00\00"
> > }
> > {
> > key(10) = "GROUP HWM\00"
> > data(4) = "\D0\07\00\00"
> > }
> > {
> > key(14) = "IDMAP_VERSION\00"
> > data(4) = "\02\00\00\00"
> > }
> >
> >
> >
> > #
> > # FILE SERVER 2 - OK
> > #
> > # tdbdump winbindd_idmap.tdb
> > {
> > key(9) = "GID 2002\00"
> > data(9) = "S-1-5-11\00"
> > }
> > {
> > key(9) = "S-1-5-11\00"
> > data(9) = "GID 2002\00"
> > }
> > {
> > key(9) = "USER HWM\00"
> > data(4) = "\D0\07\00\00"
> > }
> > {
> > key(9) = "GID 2000\00"
> > data(8) = "S-1-1-0\00"
> > }
> > {
> > key(8) = "S-1-1-0\00"
> > data(9) = "GID 2000\00"
> > }
> > {
> > key(8) = "S-1-5-2\00"
> > data(9) = "GID 2001\00"
> > }
> > {
> > key(10) = "GROUP HWM\00"
> > data(4) = "\D3\07\00\00"
> > }
> > {
> > key(9) = "GID 2001\00"
> > data(8) = "S-1-5-2\00"
> > }
> > {
> > key(14) = "IDMAP_VERSION\00"
> > data(4) = "\02\00\00\00"
> > }
> >
>
> There doesn't seem to be anything wrong there, can you post the
> smb.conf from the domain member.
>
> Rowland
>
Edson Tadeu Almeida da Silveira
2016-Oct-06 12:36 UTC
[Samba] winbindd losing track of RFC2307 UIDs
Besides this change to vfs objects, I deleted winbindd_idmap.tdb and
restarted winbind.
Change smb.conf:
vfs objects = acl_xattr full_audit
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
full_audit:prefix = %u|%I|%m|%S
full_audit:success = pread pwrite rename rmdir mkdir unlink chown
full_audit:failure = none
Here are my configurations:
# /etc/resolv.conf
nameserver 10.40.11.7 (AD1)
nameserver 10.40.11.9 (AD2)
search domain.local
# /etc/hosts
127.0.0.1 localhost
10.40.11.12 fs1.domain.local fs1
# /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# cat /etc/hostname
fs1
2016-10-06 9:24 GMT-03:00 Rowland Penny <rpenny at samba.org>:
> On Thu, 6 Oct 2016 09:09:57 -0300
> Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
>
> > Same smb.conf in both members, only change netbios name.
> >
> >
> > [global]
> > netbios name = FS1
> > realm = DOMAIN.LOCAL
> > workgroup = DOMAIN
> > security = ads
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> > idmap config DOMAIN : backend = rid
> > idmap config DOMAIN : range = 10000-99999
> > #+
> > username map = /var/lib/samba/user.map
> > #+
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > winbind expand groups = 4
> > winbind refresh tickets = Yes
> > winbind normalize names = Yes
> > #+
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > #+
> > domain master = no
> > local master = no
> > preferred master = no
> > #+
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > #+
> > log level = 2 vfs:7 auth:2 passdb:2
> > #+
> > vfs objects = full_audit
> > full_audit:facility = LOCAL7
> > full_audit:priority = NOTICE
> > full_audit:prefix = %u|%I|%m|%S
> > full_audit:success = pread pwrite rename rmdir mkdir unlink chown
> > full_audit:failure = none
> > #+
> > veto files
> > /*.lnk/*.bkf/*.pif/*.avi/*.vob/*.qic/*.pak/*.srt/*.vmx/autorun.inf/RECYCLER/*.cmd/*.{*}/
> > #+
> >
> > [public]
> > path = /dados/public
> > read only = No
> >
>
> OK, there is only one problem there, you have 'vfs objects = acl_xattr',
> followed by 'vfs objects = full_audit'. The second turns
> off the first, you should have 'vfs objects = acl_xattr full_audit'
>
> fix this and then if it doesn't fix your problem,
> post /etc/resolv.conf, /etc/hosts, /etc/krb5.conf, /etc/hostname
>
> Rowland
>
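Added example (not part of the thread, and not Samba's own code): a Python check for the two things this exchange turns on. First, smb.conf parameters are last-wins, so the [global] section Edson posted, with `vfs objects = acl_xattr` followed later by `vfs objects = full_audit`, loads only full_audit; the parser below keeps every occurrence of a key so the duplicate is reported instead of silently dropped. Second, it pulls the `idmap config ... : range` lines and classifies `wbinfo -i` output by which range each uid/gid landed in, which is the quickest way to tell "the domain backend answered" (10000-99999 here) from "winbindd fell through and allocated from the `*` tdb" (2000-9999), the flip Rob observed. The rid arithmetic (`ID = RID - base_rid + low range id`) is the rule from the idmap_rid manual page; the SID used to demonstrate it is made up, ending in -1106 to reproduce Edson's uid 11106. The smb.conf text and wbinfo lines are constructed from the messages above.

```python
import re

# Constructed sample: Edson's [global] trimmed to the relevant lines, with the
# duplicated 'vfs objects' parameter kept exactly as he posted it.
SMB_CONF = """
[global]
netbios name = FS1
realm = DOMAIN.LOCAL
workgroup = DOMAIN
security = ads
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-99999
vfs objects = acl_xattr
map acl inherit = Yes
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S

[public]
path = /dados/public
read only = No
"""

# Constructed 'wbinfo -i' output: Rob's two answers for auser (before and after
# 'net cache flush') and Edson's user after the fix.
WBINFO_LINES = [
    "auser:*:2020:10000:User Name:/home/auser:/bin/bash",
    "auser:*:10028:10000:User Name:/home/auser:/bin/bash",
    "edsontadeu:*:11106:10513::/home/DOMAIN/edsontadeu:/bin/false",
]


def parse_smb_conf(text):
    """{section: [(key, value), ...]}, keeping every occurrence of a key.
    Keys are normalised the way Samba treats them: case-insensitive, spaces squeezed."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, [])
            continue
        if cur is None or '=' not in line:
            continue
        key, val = line.split('=', 1)
        sections[cur].append((' '.join(key.split()).lower(), val.strip()))
    return sections


def duplicate_keys(params):
    """Parameters set more than once in a section. Samba keeps the LAST value,
    so every earlier value is discarded without any warning in the logs."""
    seen = {}
    for key, val in params:
        seen.setdefault(key, []).append(val)
    return {k: v for k, v in seen.items() if len(v) > 1}


def effective(params):
    """The values Samba actually uses (last occurrence wins)."""
    return dict(params)


def idmap_ranges(params):
    """{'*': (lo, hi), 'DOMAIN': (lo, hi)} from the 'idmap config X : range' lines."""
    ranges = {}
    for key, val in params:
        m = re.fullmatch(r'idmap config (\S+) : range', key)
        if m:
            lo, hi = (int(x) for x in val.split('-'))
            ranges[m.group(1).upper()] = (lo, hi)
    return ranges


def classify_wbinfo(lines, ranges, domain):
    """For each uid/gid in 'wbinfo -i' output, name the idmap range it fell into.
    A domain account in the '*' range means the domain backend did not answer
    and winbindd allocated a fresh id from the fallback tdb: this thread's symptom."""
    out = []
    for line in lines:
        name, _, uid, gid, *_ = line.split(':')
        for what, val in (('uid', int(uid)), ('gid', int(gid))):
            if ranges[domain][0] <= val <= ranges[domain][1]:
                where = domain
            elif ranges['*'][0] <= val <= ranges['*'][1]:
                where = 'fallback *'
            else:
                where = 'unmapped'
            out.append((name, what, val, where))
    return out


def rid_expected_id(sid, ranges, domain, base_rid=0):
    """What idmap_rid hands out: ID = RID - base_rid + low range id."""
    return int(sid.rsplit('-', 1)[1]) - base_rid + ranges[domain][0]
```

On a real member, `testparm -s` prints the effective configuration and would have shown `vfs objects = full_audit` alone, which is the one-command check. Losing acl_xattr is a security regression on its own, independent of the uid problem: the NT ACLs that vfs_acl_xattr stores in extended attributes stop being applied, so share permissions quietly fall back to the POSIX permissions underneath. And an id allocated from the `*` tdb is local to that member, so two file servers serving the same data can disagree about who owns a file.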
Edson Tadeu Almeida da Silveira
2016-Oct-07 10:18 UTC
[Samba] winbindd losing track of RFC2307 UIDs
Rowland, now the two members are working great. 24 hours have passed and they didn't lose uid/gid.

root at fs1:/var/lib/samba# wbinfo -i edsontadeu
edsontadeu:*:11106:10513::/home/DOMAIN/edsontadeu:/bin/false
root at fs2:/var/lib/samba# wbinfo -i edsontadeu
edsontadeu:*:11106:10513::/home/DOMAIN/edsontadeu:/bin/false

Thanks!

2016-10-06 9:24 GMT-03:00 Rowland Penny <rpenny at samba.org>:
> On Thu, 6 Oct 2016 09:09:57 -0300
> Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
>
> > Same smb.conf in both members, only change netbios name.
> >
> > [global]
> > netbios name = FS1
> > realm = DOMAIN.LOCAL
> > workgroup = DOMAIN
> > security = ads
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> > idmap config DOMAIN : backend = rid
> > idmap config DOMAIN : range = 10000-99999
> > #+
> > username map = /var/lib/samba/user.map
> > #+
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > winbind expand groups = 4
> > winbind refresh tickets = Yes
> > winbind normalize names = Yes
> > #+
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > #+
> > domain master = no
> > local master = no
> > preferred master = no
> > #+
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > #+
> > log level = 2 vfs:7 auth:2 passdb:2
> > #+
> > vfs objects = full_audit
> > full_audit:facility = LOCAL7
> > full_audit:priority = NOTICE
> > full_audit:prefix = %u|%I|%m|%S
> > full_audit:success = pread pwrite rename rmdir mkdir unlink chown
> > full_audit:failure = none
> > #+
> > veto files
> > /*.lnk/*.bkf/*.pif/*.avi/*.vob/*.qic/*.pak/*.srt/*.vmx/autorun.inf/RECYCLER/*.cmd/*.{*}/
> > #+
> >
> > [public]
> > path = /dados/public
> > read only = No
> >
>
> OK, there is only one problem there, you have 'vfs objects = acl_xattr',
> followed by 'vfs objects = full_audit'. The second turns off the first,
> you should have 'vfs objects = acl_xattr full_audit'
>
> fix this and then if it doesn't fix your problem,
> post /etc/resolv.conf, /etc/hosts, /etc/krb5.conf, /etc/hostname
>
> Rowland