On 1/13/2017 4:58 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 16:43:39 -0500
> Bob Thomas via samba <samba at lists.samba.org> wrote:
>
>> On 1/13/2017 3:30 PM, Rowland Penny wrote:
>>
>>> On Fri, 13 Jan 2017 15:20:52 -0500
>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>
>>>> On 1/13/2017 1:45 PM, Rowland Penny wrote:
>>>>> On Fri, 13 Jan 2017 13:30:14 -0500
>>>>> Bob Thomas <bthomas at cybernetics.com> wrote:
>>>>>
>>>>>> Rowland,
>>>>>>>> Thank you for the quick response.
>>>>>>>>
>>>>>>>> I have just run net cache flush, no change in problem. I have
>>>>>>>> dumped the idmap.ldb using ldbsearch
>>>>>>>> -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some
>>>>>>>> sorting, that is how I found the duplicates.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/13/2017 11:09 AM, Rowland Penny via samba wrote:
>>>>>>>>> samba-tool ntacl
>>>>>>>>>> sysvolreset
>>>>>>> OK, idmap.ldb contains records like this:
>>>>>>>
>>>>>>> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>> cn: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>> objectClass: sidMap
>>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>> type: ID_TYPE_BOTH
>>>>>>> xidNumber: 3000045
>>>>>>> distinguishedName:
>>>>>>> CN=S-1-5-21-1768301897-3342589593-1064908849-502
>>>>>>>
>>>>>>> As you can see, it maps a user's/group's SID to an xidNumber. So I
>>>>>>> see no problem with just using the xidNumber for another SID
>>>>>>> when you have duplicates, but I would try this instead. Stop
>>>>>>> Samba, backup idmap.ldb and then delete both duplicates and any
>>>>>>> other records that don't match the above sample, then restart
>>>>>>> Samba, this should recreate the records, but with new
>>>>>>> xidNumbers.
>>>>>>>
>>>>>>> Run 'net cache flush' and sysvolreset again.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> I tried two ways but it didn't seem to help.
>>>>>>
>>>>>> First stopped Samba, backed up idmap.ldb and ldbedit deleted the
>>>>>> duplicates. Started Samba and it did recreate the records so I
>>>>>> did net cache flush but wbinfo --gid-info failed for the new
>>>>>> xids: failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> No change in sysvolreset also.
>>>>>>
>>>>>> Second, I stopped samba, restored backup idmap.ldb and just
>>>>>> edited:
>>>>>> 3000002 dn: CN=S-1-5-21-976934076-1976663741-3168181429-501 to 3000011
>>>>>> 3000003 dn: CN=S-1-5-21-976934076-1976663741-3168181429-514 to 3000012
>>>>>>
>>>>>> Note all other idmap records are in the correct format, complete
>>>>>> and no SIDs are duplicated.
>>>>>>
>>>>>> Result: wbinfo --gid-info was correct for 3000011 & 3000012 but
>>>>>> still fails for 3000002 & 3000003,
>>>>>> however wbinfo --sid-to-gid results are good.
>>>>>>
>>>>>> sysvolreset still shows repeated: idmap range not specified for
>>>>>> domain '*'
>>>>>>
>>>>>> Bob
>>>>>>
>>>>> Try restarting Samba, perhaps this will help.
>>>>> Have you given any AD group other than Domain Users a gidNumber ?
>>>>>
>>>>> Rowland
>>>> I have assigned gidNumbers to all the groups I created and to
>>>> Domain Admins, Domain Computers, Enterprise Admins and DNS Admins.
>>>>
>>>> Restarting Samba has no effect.
>>> Assigning gidNumbers to groups you have created should not be a
>>> problem, but the only AD group I would add a gidNumber to is Domain
>>> Users and I only add that because the winbind 'ad' backend will not
>>> work on a domain member unless the group has one. I would remove the
>>> gidNumber attributes from the others and see if that helps.
>>>
>>> Rowland
>> Rowland,
>>
>> At least the two duplicate xidNumbers are gone and things seem to be
>> working.
>>
>> I removed the gidNumber from all but my groups and domain users.
>>
>> Restarted the server - still no change with sysvolreset, a forever
>> list of:
>>
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
> Where is this message being printed ?
> I have checked the logs on one of my DCs and I do not have it anywhere,
> but I have found this Univention bug report:
>
> https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
>
> Which seems to describe your problem.
>
> Rowland
>
It is not in a log, it shows when running sysvolreset and continues for
about 3 minutes, short example below:

From how I read the bug report it was for 4.1rc, I am running version
4.5.1. I think at version 4.4.? is when it was not good for smb.conf to
have:

idmap config *:backend = tdb
idmap config *:range = 2000-9999

If I insert them back in smb.conf, restart samba then sysvolreset runs
clean.

root at CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
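The duplicate hunt described in the thread (dump idmap.ldb with ldbsearch, sort, look for repeated xidNumbers, then delete duplicates and records that do not match Rowland's sample) can be scripted instead of eyeballed. The following is an added example, not code from the thread or from Samba: it parses an ldbsearch LDIF dump, reports xidNumbers shared by more than one sidMap record, flags sidMap records missing the attributes the sample shows, and lists non-sidMap records separately so they are not deleted by mistake (the CN=CONFIG record, which holds the next free xidNumber and the allocation bounds, is one such and must be kept). SAMPLE is constructed test input in the shape of the record quoted above.

```python
from collections import defaultdict

REQUIRED = ("objectSid", "type", "xidNumber")  # attrs a healthy sidMap has


def parse_ldif(text):
    """LDIF text -> list of records (dict attr -> [values]); a leading
    space folds a line onto the previous value, blank lines end records."""
    records, rec, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:
            rec[last][-1] += line[1:]
        elif not line.strip():
            if rec:
                records.append(rec)
            rec, last = {}, None
        elif not line.startswith("#"):  # ldbsearch prints '# record N'
            key, _, val = line.partition(":")
            last = key.strip()
            rec.setdefault(last, []).append(val.strip())
    return records


def check_idmap(text):
    """Return (duplicates, malformed, other): xidNumbers used by several
    sidMaps, sidMap DNs lacking a REQUIRED attr, and non-sidMap DNs."""
    by_xid, malformed, other = defaultdict(list), [], []
    for rec in parse_ldif(text):
        dn = rec.get("dn", ["?"])[0]
        if "sidMap" not in rec.get("objectClass", []):
            other.append(dn)  # e.g. CN=CONFIG: keep it, never delete
        elif any(a not in rec for a in REQUIRED):
            malformed.append(dn)
        else:
            by_xid[rec["xidNumber"][0]].append(rec["objectSid"][0])
    dups = {x: s for x, s in by_xid.items() if len(s) > 1}
    return dups, malformed, other


# Constructed sample: a CONFIG record plus two SIDs sharing one xidNumber.
SAMPLE = """\
dn: CN=CONFIG
xidNumber: 3000046

dn: CN=S-1-5-21-976934076-1976663741-3168181429-501
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-501
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-21-976934076-1976663741-3168181429-514
objectClass: sidMap
objectSid: S-1-5-21-976934076-1976663741-3168181429-514
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

if __name__ == "__main__":
    print(check_idmap(SAMPLE))
```

Run it on a real dump with `check_idmap(open("idmap.txt").read())`; stop Samba and back up idmap.ldb before acting on anything it reports.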
On Fri, 13 Jan 2017 17:22:15 -0500
Bob Thomas <bthomas at cybernetics.com> wrote:

> On 1/13/2017 4:58 PM, Rowland Penny via samba wrote:
> > Where is this message being printed ?
> > I have checked the logs on one of my DCs and I do not have it
> > anywhere, but I have found this Univention bug report:
> >
> > https://forge.univention.org/bugzilla/show_bug.cgi?id=32376
> >
> > Which seems to describe your problem.
> >
> > Rowland
> >
> It is not in a log, it shows when running sysvolreset and continues
> for about 3 minutes, short example below:
>
> From how I read the bug report it was for 4.1rc, I am running
> version 4.5.1. I think at version 4.4.? is when it was not good
> for smb.conf to have:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> If I insert them back in smb.conf, restart samba then sysvolreset
> runs clean.

Before 4.5.0, you could add the lines to a DC smb.conf, they wouldn't
have any effect, but you could add them. From 4.5.0, they do have an
effect, but not the effect you want, code changes now mean they cause
errors and so they definitely shouldn't be added. I think from 4.6.0,
Samba will not start if they are in smb.conf.

> root at CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
>

Yes I have now seen something similar and tracked it down in the source
code. I think it is coming from
samba-master/source3/winbindd/idmap.c:401

    if (range == NULL) {
        if (check_range) {
            DEBUG(1, ("idmap range not specified for domain %s\n",
                      result->name));
            goto fail;
        }

Which is all very well on a domain member, but what about a DC ??

I could be wrong, but that is the way I see it.

Rowland
On 1/13/2017 5:35 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 17:22:15 -0500
> Bob Thomas <bthomas at cybernetics.com> wrote:
>
>> From how I read the bug report it was for 4.1rc, I am running
>> version 4.5.1. I think at version 4.4.? is when it was not good
>> for smb.conf to have:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> If I insert them back in smb.conf, restart samba then sysvolreset
>> runs clean.
> Before 4.5.0, you could add the lines to a DC smb.conf, they wouldn't
> have any effect, but you could add them. From 4.5.0, they do have an
> effect, but not the effect you want, code changes now mean they cause
> errors and so they definitely shouldn't be added. I think from 4.6.0,
> Samba will not start if they are in smb.conf.
>
>> root at CY-PRO-DC:/var/log/samba# samba-tool ntacl sysvolreset
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>> idmap range not specified for domain '*'
>>
> Yes I have now seen something similar and tracked it down in the source
> code. I think it is coming from
> samba-master/source3/winbindd/idmap.c:401
>
>     if (range == NULL) {
>         if (check_range) {
>             DEBUG(1, ("idmap range not specified for domain %s\n",
>                       result->name));
>             goto fail;
>         }
>
> Which is all very well on a domain member, but what about a DC ??
>
> I could be wrong, but that is the way I see it.
>
> Rowland
>
OK, I set log level = 0 and it is gone? Not solved but at least hidden :)

Maybe the code needs an "if server not equal to DC - and ......." statement.

Duplicate xidNumbers are fixed and everything seems to be running as
designed.

Thank you Rowland again for your help - Rowland and the rest of the
Samba Team are "The Best"

Bob