On 1/13/2017 3:30 PM, Rowland Penny wrote:
> On Fri, 13 Jan 2017 15:20:52 -0500
> Bob Thomas <bthomas at cybernetics.com> wrote:
>
>> On 1/13/2017 1:45 PM, Rowland Penny wrote:
>>> On Fri, 13 Jan 2017 13:30:14 -0500
>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>
>>>> Rowland,
>>>>>> Thank you for the quick response.
>>>>>>
>>>>>> I have just run net cache flush no change in problem. I have
>>>>>> dumped the idmap.ldp using ldbsearch
>>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
>>>>>> sorting, that is how I found the duplicates.
>>>>>>
>>>>>>
>>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
>>>>>>> samba-tool ntacl
>>>>>>>> sysvolreset
>>>>> OK, idmap.ldb contains records like this:
>>>>>
>>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>> objectClass: sidMap
>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>> type: ID_TYPE_BOTH
>>>>> xidNumber: 3000045
>>>>> distinguishedName:
>>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>
>>>>> As you can see, it maps a user/groups SID to an xidNumber. So I
>>>>> see no problem with just using the xidNumber for another SID when
>>>>> you have duplicates, but I would try this instead. Stop Samba,
>>>>> backup idmap.ldb and then delete both duplicates and any other
>>>>> records that don't match the above sample, then restart Samba,
>>>>> this should recreate the records, but with new xidNumbers.
>>>>>
>>>>> Run 'net cache flush' and sysvolreset again.
>>>>>
>>>>> Rowland
>>>>>
>>>> I tried two ways but it didn't seem to help,
>>>>
>>>> First stopped Samba, backed up idmap.ldp and ldpedit deleted the
>>>> duplicates. Started Samba and it did recreate the records so I
>>>> did net cache flush but wbinfo --gid-info failed for the new xids:
>>>> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> No change in sysvolreset also.
>>>>
>>>> Second, I stopped samba, restored backup idmap.ldp and just edited:
>>>> 3000002 dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 to
>>>> 3000011 3000003 dn:
>>>> CN=S-1-5-21-976934076-1976663741-3168181429-514 to 3000012
>>>>
>>>> Note all other idmap records are in the correct format, complete
>>>> and no SIDs are duplicated
>>>>
>>>> result wbinfo --gid-info was correct for 3000011 & 3000012 but
>>>> still fails for 3000002 & 3000003
>>>> however wbinfo --sid-to-gid results are good
>>>>
>>>> sysvolreset still shows repeated: idmap range not specified for
>>>> domain '*'
>>>>
>>>> Bob
>>>>
>>> Try restarting Samba, perhaps this will help
>>> Have you given any AD group other than Domain Users a gidNumber ?
>>>
>>> Rowland
>> I have assigned gidNumbers to all the groups I created and to Domain
>> Admins, Domain Computers, Enterprise Admins and DNS Admins.
>>
>> Restarting Samba has no effect.
> Assigning gidNumbers to groups you have created should not be a
> problem, but the only AD group I would add a gidNumber to, is Domain
> Users and I only add that because the winbind 'ad' backend will not work
> on a domain member unless the group has one. I would remove the
> gidNumber attributes from the others and see if that helps.
>
> Rowland

Rowland,

At least the two duplicate xidNumbers are gone and things seem to be working.

I removed the gidNumber from all but my groups and domain users.

restarted the server - still no change with sysvolreset, a forever list of:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'

Bob
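
An added example, not part of the original thread: a check over an `ldbsearch` dump of idmap.ldb, like the idmap.txt described above, that reports any xidNumber mapped to more than one SID and any sidMap record missing a field of the sample record. The function names and the sample dump are constructed for illustration.

```python
from collections import defaultdict

REQUIRED = ("objectSid", "type", "xidNumber")  # fields of the sidMap record quoted in the thread

# Constructed dump in the layout ldbsearch prints; SIDs and numbers are made up.
SAMPLE = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-501
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-501
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-32-546
objectClass: sidMap
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-1111-2222-3333-514
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-
 3333-514
type: ID_TYPE_BOTH
xidNumber: 3000003

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
"""

def parse_records(text):
    """Yield one dict per LDIF record, joining folded lines and skipping '#' comments."""
    text = text.replace("\n ", "")  # undo LDIF folding (newline + one space)
    for block in text.split("\n\n"):
        rec = dict(l.split(": ", 1) for l in block.splitlines()
                   if ": " in l and not l.startswith("#"))
        if rec:
            yield rec

def audit(text):
    """Return ({xidNumber: [SIDs]} for shared xidNumbers, [DNs of incomplete sidMap records])."""
    by_xid, malformed = defaultdict(set), []
    for rec in parse_records(text):
        if rec.get("objectClass") != "sidMap":
            continue  # only the sidMap records are checked
        if all(f in rec for f in REQUIRED):
            by_xid[int(rec["xidNumber"])].add(rec["objectSid"])
        else:
            malformed.append(rec.get("dn", "<no dn>"))
    return {x: sorted(s) for x, s in by_xid.items() if len(s) > 1}, malformed

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it against a dump taken with Samba stopped, before and after any edit, shows whether the duplicates are actually gone.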
On Fri, 13 Jan 2017 16:43:39 -0500
Bob Thomas via samba <samba at lists.samba.org> wrote:

> Rowland,
>
> At least the two duplicate xidNumbers are gone and things seem to be
> working.
>
> I removed the gidNumber from all but my groups and domain users.
>
> restarted the server - still no change with sysvolreset, a forever
> list of:
>
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'

Where is this message being printed ?
I have checked the logs on one of my DCs and I do not have it anywhere, but I have found this Univention bug report:

https://forge.univention.org/bugzilla/show_bug.cgi?id=32376

Which seems to describe your problem.

Rowland
On Fri, 13 Jan 2017 21:58:27 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 13 Jan 2017 16:43:39 -0500
> Bob Thomas via samba <samba at lists.samba.org> wrote:
>
> > Rowland,
> >
> > At least the two duplicate xidNumbers are gone and things seem to be
> > working.
> >
> > I removed the gidNumber from all but my groups and domain users.
> >
> > restarted the server - still no change with sysvolreset, a forever
> > list of:
> >
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
>
> Where is this message being printed ?
> I have checked the logs on one of my DCs and I do not have it
> anywhere, but I have found this Univention bug report:
>
> https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
>
> Which seems to describe your problem.
>
> Rowland
>

I just ran 'samba-tool ntacl sysvolreset' and now see where it comes from, the command now seems to have gone verbose and in several places it prints:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'

in several places

I found that I had 'log level = 3' in smb.conf , changing this to 'log level = 0' stopped all the error messages

Rowland
On 1/13/2017 4:58 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 16:43:39 -0500
> Bob Thomas via samba <samba at lists.samba.org> wrote:
>
>> Rowland,
>>
>> At least the two duplicate xidNumbers are gone and things seem to be
>> working.
>>
>> I removed the gidNumber from all but my groups and domain users.
>>
>> restarted the server - still no change with sysvolreset, a forever
>> list of:
>>
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
> Where is this message being printed ?
> I have checked the logs on one of my DCs and I do not have it anywhere,
> but I have found this Univention bug report:
>
> https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
>
> Which seems to describe your problem.
>
> Rowland
>

It is not in a log, it shows when running sysvolreset and continues for about 3 minutes, short example below:

From how I read the bug report it was for 4.1rc, I am running version 4.5.1. I think at version 4.4.? is when it was not good for smb.conf to have:

idmap config *:backend = tdb
idmap config *:range = 2000-9999

If I insert them back in smb.conf, restart samba then sysvolreset runs clean

root at CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'