on Wed, 25 Jan 2017 20:15:49 -0500 Gaiseric Vandal wrote:
> Would "testparm -v" show you the path of all the files used ? Are there any idmap settings?

Gaiseric, thanks for your response. The `testparm -v` gave me:

private dir = /var/lib/samba/private

So, I guess that means the sam.ldb in that directory is the one being used, not the one in /etc/samba/private. That helps. Thanks for that tip. The newer Samba 4.4.8 must have somehow been smart enough to find the 4.2.12 sam.ldb in /etc/samba/private and copy it over to the new location because there was no /var/lib/samba/private with my 4.2.12, and the contents of both sam.ldb's are the same including changes I made.

> It looks like the newer version is using winbind to allocate uid's (based on the high ID
> numbers.) Maybe because it does not see uid's already allocated.

/var/lib/samba/private/sam.ldb, /etc/samba/private/sam.ldb and RSAT/ADUC all show the "correct" UID:GIDs for users, for example 10001:10000.

So, if Samba 4.4.8 "is using winbind to allocate uid's", how can I make it stop that and use the ids actually configured in sam.ldb? That's the question, basically: why is winbind (or whatever) arbitrarily generating UID:GIDs instead of using the configured ids? You are likely right on this too. As Rowland Penny wrote on 10/11/2015 17:15, "wbinfo goes straight to winbind, which goes to where you have told it to. getent goes via nsswitch, ...", and wbinfo still returns:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

Rowland said, "winbind ... goes to where you have told it to". Where would that be? Apparently not sam.ldb.

One possible clue here might be that the 30000xx:100 range were the defaults that Samba4 initially used by default when I provisioned my domain in 2014. I changed these to facilitate single-sign-on on other Linux domain members per Rowland Penny's suggestion:

On Sun, 11 Oct 2015 18:01:05 +0100 Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> I would not use 300099, if you have already got users with uidNumbers, I
> would change them and start the numbers from '10000' (yes, you can have
> a user and a group with the same number), but this is what I would do.
> You can, if you so wish, use '3000099' , but there is no reason to do
> so, if the user or a group has a uid/gidNumber, the DC will use these
> numbers instead of the '3000000' numbers.
> :
> I am glad you are changing the uidNumber numbers, if you hadn't, you
> would have needed this in smb.conf on a domain member:
> idmap config DOMAIN: 100-4000000
> Something you definitely didn't really want to have.

He wrote elsewhere how to make that change using ldbedit, which I did, and it all worked perfectly then. Now, the current version seems to have reverted to default UID:GID and is ignoring sam.ldb settings.

So, any ideas on why and how I can fix it?

> The domain member may be showing correct id's because of caching.

You may be right on this. To test, I changed the /etc/passwd UID for user mark, then did the `getent` on the domain member and it still shows the correct UID:GID 10001:10000.

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Mark Foley via samba
> Sent: Wednesday, January 25, 2017 10:00 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent problems with new Samba version
>
> Sorry for the serial posting, but ... anxious ...
>
> I think there must be a bug in Samba 4.4.8, this all worked with 4.2.14.
>
> To summarize (details in attached messages), since upgrading from Samba 4.2.14 to 4.4.8, getent returns the wrong UID:GID. This is causing permission errors in programs like dovecot who try to read/write to Maildir files having the correct UID:GID.
>
> With 4.4.8 I now have sam.ldb in /etc/samba/private (same with 4.2.14) and also in /var/lib/samba/private. Details in preceding message. Not sure which is the one being used.
>
> With 4.2.14 on AD/DC (CORRECT):
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> With 4.4.8 on AD/DC:
> $ getent passwd mark
> HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash
>
> With 4.4.5 on domain member labrat (CORRECT):
> $ getent passwd mark
> mark:*:10001:10000::/home/HPRS/mark:/bin/bash
>
> Meanwhile, pending feedback from this list, I've added user 'mark' to /etc/passwd:
>
> mark:x:10001:10000::/home/HPRS/mark:/bin/bash
>
> and now getent on the 4.4.8 AD/DC is back to normal:
>
> $ getent passwd mark
> mark:x:10001:10000::/home/HPRS/mark:/bin/bash
>
> Permissions are now working with email MTA, etc.
>
> While I'm at it, I did find the newly bad UID 3000026 in /etc/samba/private/idmap.ldb.
> The entry therein:
>
> # record 44
> dn: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
> cn: S-1-5-21-1052267278-1962196458-4119365663-1111
> objectClass: sidMap
> objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
> type: ID_TYPE_BOTH
> xidNumber: 3000026
> distinguishedName: CN=S-1-5-21-1052267278-1962196458-4119365663-1111
>
> Not sure that is meaningful.
>
> Any help on this would be GREATLY appreciated.
>
> --Mark
>
> -----Original Message-----
> Date: Tue, 24 Jan 2017 23:25:35 -0500
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent problems with new Samba version
> From: Mark Foley via samba <samba at lists.samba.org>
>
> More information (possibly too much).
>
> Since "things" are defined in sam.ldb, I compared before and after the Samba 4.2.14 to 4.4.8 update. Here are the sam.ldb related files from the old 4.2.14 version:
>
> -rw------- root/root 4247552 2014-10-20 23:54 etc/samba/private/sam.ldb
> -rw------- root/root 4689920 2017-01-14 11:09 etc/samba/private/sam.ldb.bak
>
> drwx------ root/root 0 2017-01-14 11:09 etc/samba/private/sam.ldb.d/
> -rw------- root/root 4247552 2017-01-14 13:24 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb
> -rw------- root/root 14610432 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak
> -rw------- root/root 20475904 2014-10-20 23:54 etc/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
> -rw------- root/root 2371584 2017-01-14 11:09 etc/samba/private/sam.ldb.d/DC=HPRS,DC=LOCAL.ldb.bak
> -rw-r----- root/root 8192 2017-01-14 11:09 etc/samba/private/sam.ldb.d/metadata.tdb.bak
> -rw-r----- root/root 421888 2017-01-14 11:50 etc/samba/private/sam.ldb.d/metadata.tdb
> -rw------- root/root 14307328 2015-08-13 21:03 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb
> -rw------- root/root 8802304 2017-01-14 11:09 etc/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=HPRS,DC=LOCAL.ldb.bak
>
> and the new 4.4.8 version:
>
> -rw------- 1 root root 4247552 Oct 20 2014 /etc/samba/private/sam.ldb
> -rw------- 1 root root 4689920 Jan 24 00:10 /etc/samba/private/sam.ldb.bak
> -rw------- 1 root root 4247552 Oct 20 2014 /var/lib/samba/private/sam.ldb
> -rw------- 1 root root 4689920 Jan 24 00:11 /var/lib/samba/private/sam.ldb.bak
>
> > ls -l /etc/samba/private/sam.ldb.d
> total 63716
> -rw------- 1 root root 14307328 Aug 13 2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root 20475904 Oct 20 2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root 4247552 Jan 14 13:24 DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 2371584 Jan 24 00:10 DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw-r----- 1 root root 421888 Jan 14 11:50 metadata.tdb
> -rw-r----- 1 root root 8192 Jan 16 00:11 metadata.tdb.bak
>
> > ls -l /var/lib/samba/private/sam.ldb.d
> total 63996
> -rw------- 1 root root 14307328 Aug 13 2015 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 8802304 Jan 24 00:11 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root 20475904 Oct 20 2014 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 14610432 Jan 24 00:11 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw------- 1 root root 4247552 Jan 24 22:57 DC\=HPRS,DC\=LOCAL.ldb
> -rw------- 1 root root 2658304 Jan 24 00:11 DC\=HPRS,DC\=LOCAL.ldb.bak
> -rw-r----- 1 root root 421888 Jan 24 20:53 metadata.tdb
> -rw-r----- 1 root root 8192 Jan 24 00:11 metadata.tdb.bak
>
> One thing noticeable to me right off is that, while both versions have ldb files in /etc/samba/private, with 4.4.8 there is an additional set in /var/lib/samba/private. Why? Did 4.4.8 change the location of these files?
>
> But, it's not like 4.4.8 is using /var/lib/samba/private instead of /etc/samba/private. You will notice that the sam.ldb* are updated in both places with 4.4.8.
>
> I stop Samba just after midnight to do a backup, which is probably why all the .bak timestamps are at 00:1[01]. But why are the actual sam.ldb files still dated for October 20, 2014 (when I first installed Samba4)? I know I've made changes since then, such as msSFU30MaxGidNumber and msSFU30MaxGidNumber, and the uidNumber and gidNumber for some users.
>
> Also, when I do `ldbedit -H /etc/samba/private/sam.ldb` (and /var/lib/samba/private/sam.ldb), user 'mark' is correctly set to:
>
> uidNumber: 10001
> gidNumber: 10000
>
> in both cases. So where is UID:GID 3000026:100 coming from when I do getent?
>
> Confused, --Mark
>
> -----Original Message-----
> Date: Tue, 24 Jan 2017 21:35:09 -0500
> To: samba at lists.samba.org
> Subject: [Samba] getent problems with new Samba version
> From: Mark Foley via samba <samba at lists.samba.org>
>
> I have been running Samba4 as AD/DC for a mixed Windows/Linux office domain for a little over 2 1/2 years now. I've needed a few tweaks from Rowland, but basically it has run flawlessly during that time.
>
> 10 days ago, I upgraded to Slackware 14.2 from 14.1. Samba was likewise upgraded from version 4.2.14 to 4.4.8. I'm having a serious problem ...
>
> before the upgrade getent gave me:
>
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> which is correct. After the upgrade I get:
>
> $ getent passwd mark
> HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash
>
> In RSAT > Active Directory Users and Computers > [user] properties > UNIX Attributes, this user's UID is shown as 10001 and Primary group is "Domain Users" which is 10000. So, correct in RSAT.
>
> smb.conf is unchanged.
>
> These UID/GID settings are similar to the defaults from when I installed samba4 back in 2015!
> Why did these change? Why are they not reflecting what is shown in RSAT?
>
> This is a production office server and this issue is causing me a lot of headaches with existing files owned by the user as UID/GID 10001:10000, but now systems are trying to rw these files as 3000026:100. I'm getting permission denied errors, esp. in IMAP folders.
>
> How can I fix this? Help! Urgent!
>
> THX --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
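
Added example (not from the thread or the Samba project): a small Python check for the question raised above, namely whether the UID that `getent passwd` returns agrees with `uidNumber` in sam.ldb or with `xidNumber` in idmap.ldb. It assumes both databases were already dumped to LDIF text; the EXAMPLE domain, the SIDs and the records below are constructed, and `parse_ldif` and `uid_source` are hypothetical helper names.

```python
# Constructed sample data (not from the thread); the UID values mirror the page.
SAM_LDIF = """\
dn: CN=Mark Example,CN=Users,DC=EXAMPLE,DC=LOCAL
sAMAccountName: mark
objectSid: S-1-5-21-111-222-333-1111
uidNumber: 10001

dn: CN=Ann Example,CN=Users,DC=EXAMPLE,DC=LOCAL
sAMAccountName: ann
objectSid: S-1-5-21-111-222-333-1112
"""
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-111-222-333-1111
objectSid: S-1-5-21-111-222-333-1111
xidNumber: 3000026

dn: CN=S-1-5-21-111-222-333-1112
objectSid: S-1-5-21-111-222-333-1112
xidNumber: 3000027
"""

def parse_ldif(text):
    """Parse blank-line-separated LDIF records into attr -> value dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines()
                 if ": " in l and not l.startswith("#"))
        records.append({k: v.strip() for k, v in pairs})
    return [r for r in records if r]

def uid_source(getent_line, sam_text=SAM_LDIF, idmap_text=IDMAP_LDIF):
    """Report which database the UID in a `getent passwd` line agrees with."""
    name, _, uid = getent_line.split(":")[:3]
    account = name.split("\\")[-1]          # strip a leading DOMAIN\ prefix
    sam = {r.get("sAMAccountName"): r for r in parse_ldif(sam_text)}
    xid = {r.get("objectSid"): r.get("xidNumber") for r in parse_ldif(idmap_text)}
    rec = sam.get(account)
    if rec is None:
        return "account not in sam.ldb dump"
    if uid == rec.get("uidNumber"):
        return "sam.ldb uidNumber"
    if uid == xid.get(rec.get("objectSid")):
        return "idmap.ldb xidNumber"
    return "neither (local passwd entry or another idmap backend)"

if __name__ == "__main__":
    print(uid_source(r"EXAMPLE\mark:*:3000026:100:Mark:/home/mark:/bin/bash"))
```

An account that has a `uidNumber` in sam.ldb but is reported with the idmap.ldb value is the situation described in the thread.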