On Fri, 13 Jan 2017 10:24:28 -0500
Bob Thomas via samba <samba at lists.samba.org> wrote:
> Hello Samba team,
>
> I have 3 production samba DCs version 4.5.1 serving the same domain
> (2 sites) and all are having the same problems, I believe based on
> two duplicate xidNumbers described below.
> xidNumbers 3000002 & 3000003 have two SIDs assigned while xidNumbers
> 3000011 & 3000012 have no SIDs assigned. Is fixing this as simple as
> moving one of the duplicates to the empty xidNumber and if so how can
> I safely accomplish the move?
> Details below.
> Thank you in advance for your assistance
> Bob Thomas
>
> Problem 1. Duplicate xidNumbers
>
> 3000002 dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 = Guest
> 3000002 dn: CN=S-1-5-18 = Local System
> 3000003 dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 = Domain Guests
> 3000003 dn: CN=S-1-5-11 = Authenticated Users
> Empty xidNumbers
> 3000011
> 3000012
> wbinfo --gid-info shows:
> root at CY-DC:~# wbinfo --gid-info 3000002
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000002
>
> root at CY-DC:~# wbinfo --gid-info 3000003
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000003
>
> root at CY-DC:~# wbinfo --gid-info 3000011
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000011
>
> root at CY-DC:~# wbinfo --gid-info 3000012
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000012
>
> all other gid-info work
> smb.conf:
>
> [global]
> netbios name = DC1
> realm = MY.DOMAIN.COM
> workgroup = MY
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> allow dns updates = nonsecure and secure
> log level = 1
> ntlm auth = yes
> lanman auth = yes
> # stops cups errors in log file
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> [netlogon]
> path = /var/lib/samba/sysvol/my.domain.com/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> nsswitch.conf:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> root at CY-DC:~# getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> Problem 2. Not sure it is related, but when I run: samba-tool ntacl
> sysvolreset I get hundreds of:
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> This behavior started after removing the following from smb.conf as
> recommended by this forum:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> If you need any additional information don't hesitate to ask - Thanks
> again
>
Problem 1: have you tried running 'net cache flush'?
Have you also tried using ldbedit to look inside idmap.ldb?
Problem 2: The lines shouldn't be in a DC smb.conf, so you did the
right thing removing them; perhaps 'net cache flush' will fix this as
well.
Rowland
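Rowland's suggestion to look inside idmap.ldb can be turned into a repeatable check rather than eyeballing ldbedit output. The script below is an added example, not code from this thread or from Samba: it parses LDIF in the shape that ldbsearch prints for idmap.ldb and reports every xidNumber claimed by more than one SID, plus every xidNumber below the allocator's next-free marker that no SID uses, which is exactly the state Bob describes. The attribute names it relies on (objectSid and xidNumber on the sidMap records; lowerBound, upperBound and xidNumber on the CN=CONFIG record) are assumed from Samba's idmap.ldb layout, and the mapping table is constructed to reproduce the allocations reported above; on a real DC you would feed it the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` instead.

```python
"""Check Samba's idmap.ldb for duplicate and unused xidNumber allocations.

Added example, not code from the mailing-list thread or from Samba. It
parses LDIF in the shape that
    ldbsearch -H /var/lib/samba/private/idmap.ldb
prints: blank-line-separated records, '# record N' comments, long values
folded onto continuation lines that start with a space. The sample data is
constructed to reproduce the allocation state reported in the thread.
"""
from collections import defaultdict

# Constructed (sid, xidNumber) pairs: 3000002 and 3000003 are each claimed
# twice, 3000011 and 3000012 are unused, CONFIG says the next free is 3000013.
DOMAIN = "S-1-5-21-976934076-1976663741-3168181429"
CONSTRUCTED_MAPPINGS = [
    ("S-1-5-32-544", 3000000),
    ("S-1-5-32-545", 3000001),
    (DOMAIN + "-501", 3000002),   # Guest
    ("S-1-5-18", 3000002),        # Local System        <- duplicate
    (DOMAIN + "-514", 3000003),   # Domain Guests
    ("S-1-5-11", 3000003),        # Authenticated Users <- duplicate
    (DOMAIN + "-512", 3000004),
    (DOMAIN + "-513", 3000005),
    (DOMAIN + "-515", 3000006),
    (DOMAIN + "-516", 3000007),
    (DOMAIN + "-518", 3000008),
    (DOMAIN + "-519", 3000009),
    (DOMAIN + "-520", 3000010),
]


def render_sample_ldif(mappings, lower=3000000, upper=4000000, next_free=3000013):
    """Emit ldbsearch-style LDIF for the constructed mappings (assumed layout)."""
    out = ["# record 1", "dn: CN=CONFIG", "cn: CONFIG",
           f"lowerBound: {lower}", f"upperBound: {upper}",
           f"xidNumber: {next_free}", ""]
    for n, (sid, xid) in enumerate(mappings, start=2):
        out += [f"# record {n}", f"dn: CN={sid}", f"cn: {sid}",
                "objectClass: sidMap", f"objectSid: {sid}",
                "type: ID_TYPE_BOTH", f"xidNumber: {xid}"]
        dn_attr = f"distinguishedName: CN={sid}"
        if len(dn_attr) > 40:   # fold long values the way LDIF output does
            out += [dn_attr[:40], " " + dn_attr[40:]]
        else:
            out.append(dn_attr)
        out.append("")
    return "\n".join(out)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts."""
    records, current, last_attr = [], defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]      # unfold a continuation line
            continue
        if not line.strip():
            if current:
                records.append(dict(current))
            current, last_attr = defaultdict(list), None
            continue
        attr, _, value = line.partition(":")
        current[attr].append(value.strip())       # '::' base64 values not needed here
        last_attr = attr
    if current:
        records.append(dict(current))
    return records


def xid_to_sids(records):
    """Map each allocated xidNumber to the SIDs that claim it (CONFIG is skipped)."""
    by_xid = defaultdict(list)
    for rec in records:
        if "objectSid" in rec and "xidNumber" in rec:
            by_xid[int(rec["xidNumber"][0])].append(rec["objectSid"][0])
    return dict(by_xid)


def duplicate_xids(by_xid):
    """xidNumbers that more than one SID maps to: the thread's Problem 1."""
    return {xid: sids for xid, sids in by_xid.items() if len(sids) > 1}


def unused_xids(records, by_xid):
    """xidNumbers below CONFIG's next-free marker that no SID maps to."""
    config = next(r for r in records if r["dn"][0] == "CN=CONFIG")
    lower, next_free = int(config["lowerBound"][0]), int(config["xidNumber"][0])
    return [x for x in range(lower, next_free) if x not in by_xid]


def audit(ldif_text):
    """Return (duplicates, unused) for one idmap.ldb dump."""
    records = parse_ldif(ldif_text)
    by_xid = xid_to_sids(records)
    return duplicate_xids(by_xid), unused_xids(records, by_xid)


if __name__ == "__main__":
    dups, gaps = audit(render_sample_ldif(CONSTRUCTED_MAPPINGS))
    for xid, sids in sorted(dups.items()):
        print(f"xidNumber {xid} is claimed by {len(sids)} SIDs: {', '.join(sids)}")
    print("unused xidNumbers below next-free marker:", gaps)
```

Running it on a real dump means replacing the constructed text with the file contents, for example `audit(open("idmap.ldif").read())` after `ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap.ldif`. The check is read-only; it tells you which records collide and which numbers are free, and any actual change to the mappings is still something to plan against the DC's backups and replication partners.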