More experimentation ...

I stopped Samba, ldbedit'ed the /var/lib/samba/private/idmap.ldb and changed the line

xidNumber: 3000026

to

xidNumber: 10001

killed the cache and restarted Samba. As I hoped, the wbinfo now showed

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

which was NOT the case in my message below after killing the cache. In that previous test I had to start winbindd at the command line to get the 10001 UID in there. I supposed it worked when I started winbindd at the command line because I used the -n (disable caching) switch, thus apparently, it did not use the cached 3000026 UID.

A bit disconcerting was that the GID in the recent test was still 10000 instead of reverting to 100 (which is defined in idmap.ldb). Not sure why that didn't revert with no cache.

My theory: when slackpkg installed Samba 4.4.8, it did all that directory moving as we've already discussed, but also probably DID NOT MOVE the /var/lib/samba/winbindd_cache.tdb file (a guess). With no cache, winbindd authenticated using idmap.ldb, which in the case of user 'mark' returned UID:GID 200026:100.

User 'shay' was not in idmap.ldb and with no cache I have to assume winbindd got her information from sam.ldb, which was correct.

Back when I changed all domain users from the 3000xx range to the 100xx range in sam.ldb, I probably should have also changed their corresponding settings in idmap.ldb based on objectSid, including changing the 'domain users' GID from 100 to 10000 -- do you agree?

Some unanswered questions, perhaps you know the answer to ...

How did my domain users get in idmap.ldb in the first place? If ADUC put them there when I created the account, why did ADUC not put user 'shay' in there?

Given the above, is idmap.ldb necessary? Seems redundant with the information in sam.ldb and apparently overrides sam.ldb when settings conflict.

In the meantime, I think my problem might be solved given the results of this last experiment to change user 'mark's xidNumber in idmap.ldb.

What think ye?

--Mark
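As an added example (not Mark's code or anything from Samba), a small Python check of the idea in this message: compare each idmap.ldb xidNumber with the uidNumber/gidNumber that sam.ldb holds for the same objectSid, so stale mappings can be found before the winbindd cache is flushed. It runs on constructed ldbsearch-style LDIF; mark's SID is the one quoted in the thread, while the -513 SID for 'Domain Users' and the parse_ldif/find_mismatches names are assumptions.

```python
# Added example: cross-check idmap.ldb xidNumber vs sam.ldb uidNumber/gidNumber per objectSid.
# Samples are constructed LDIF (mark's SID from the thread; -513 is Domain Users' well-known RID).

def parse_ldif(text):
    """LDIF -> list of records (dict attr -> list of values).
    Base64 (::) values are kept undecoded; ldbsearch prints SIDs as strings."""
    records, rec = [], {}
    for line in text.splitlines():
        if not line.strip():           # blank line ends a record
            if rec:
                records.append(rec)
            rec = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            rec.setdefault(attr, []).append(value.lstrip(": "))
    if rec:
        records.append(rec)
    return records

def find_mismatches(idmap_ldif, sam_ldif):
    """Return (sid, xidNumber, sam_id) where idmap.ldb disagrees with sam.ldb
    (uidNumber for users, gidNumber for groups) -- what winbindd answers once the cache is gone."""
    sam_ids = {}
    for rec in parse_ldif(sam_ldif):
        posix = rec.get("uidNumber") or rec.get("gidNumber")
        if "objectSid" in rec and posix:
            sam_ids[rec["objectSid"][0]] = int(posix[0])
    out = []
    for rec in parse_ldif(idmap_ldif):
        sid, xid = rec.get("objectSid", [None])[0], rec.get("xidNumber")
        if sid in sam_ids and xid and int(xid[0]) != sam_ids[sid]:
            out.append((sid, int(xid[0]), sam_ids[sid]))
    return out

DOM = "S-1-5-21-1052267278-1962196458-4119365663"
IDMAP_LDIF = f"""# constructed idmap.ldb sample
objectSid: {DOM}-1111
xidNumber: 3000026

objectSid: {DOM}-513
xidNumber: 100
"""
SAM_LDIF = f"""# constructed sam.ldb sample
objectSid: {DOM}-1111
uidNumber: 10001
gidNumber: 10000

objectSid: {DOM}-513
gidNumber: 10000
"""
```

On a real DC the two inputs would be the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` and `ldbsearch -H /var/lib/samba/private/sam.ldb`, run against copies rather than the live databases.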
-----Original Message-----
Date: Fri, 27 Jan 2017 01:18:28 -0500
To: samba at lists.samba.org
Subject: Re: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

Here's an interesting phenomenon. In order to get debug output from winbindd, I killed the one started by samba and ran it by hand as follows:

$ /usr/sbin/winbindd -i -n --option='server role check:inhibit=yes' --debuglevel=5

I got the --option parameters from `ps ax`, i.e. from the winbindd started by Samba. When I ran this way and then did `wbinfo -i mark` guess what?

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

I got the right UID:GID. I then restarted samba and also got the correct UID:GID with wbinfo. Likewise with getent. I then stopped samba, killed off the cache:

$ net cache flush
$ rm /var/lib/samba/winbindd_cache.tdb

and restarted samba, and the UID:GID were back to the bad ones:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

Once again, killing the samba-started winbindd and running by hand began giving the correct UID:GID, and continued to do so after restarting Samba (probably because that UID:GID is now in cache).

Do you have any explanation for this?

Any idea where to look to make Samba start [whatever] correctly?

Any idea where it is getting the 3000026:100 info in the first place (if I could change it there it might never be wrong)?

To this latter question, there is a file, /var/lib/samba/private/idmap.ldb, that has:

objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
xidNumber: 3000026

and this SID corresponds to the objectSid in /var/lib/samba/private/sam.ldb for the 'mark' user. What if I changed all the xidNumber's in idmap.ldb to the correct ones for the domain users?

I'm thinking as I type ...

The domain user that did continue working correctly after the upgrade was:

$ wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

This user was added within the past year with ADUC. This user exists in sam.ldb, but not in idmap.ldb. Why? Is idmap.ldb not really necessary? Why are the other users in idmap.ldb? I added them with ADUC as well.

So, back in October 2015 when you advised me to renumber users from 30000xx to 100xx in sam.ldb, should I have also changed the xidNumber's in idmap.ldb?

Too many questions for one email?

--Mark
-----Original Message-----
Date: Thu, 26 Jan 2017 18:54:26 -0500
To: samba at lists.samba.org
From: Mark Foley via samba <samba at lists.samba.org>
Subject: Re: [Samba] getent problems with new Samba version

On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 26 Jan 2017 16:26:02 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote:
> > > > > Have you tried checking in AD with ldbsearch or ldbedit for the
> > > > > actual records ?
> > > >
> > > > Yes, I've done `ldbedit -H /var/lib/samba/private/sam.ldb` (and
> > > > ldbsearch) and among other settings for user 'mark' I have:
> > > >
> > > > uidNumber: 10001
> > > > gidNumber: 10000
> > >
> > > Does 'Domain Users' have a gidNumber ?
> >
> > Yes, here is the entire section on that from ldbsearch. You can see
> > the gidNumber is 10000:
> >
> > [deleted]
> >
> > The question remains, why is winbind not getting this info from
> > sam.ldb? Everything appears to be in the right place.
> >
> > Can I turn on some debugging for winbind? Where is it started?
> >
> > --Mark
> >
>
> add 'log level 3 winbind:10' to smb.conf
>

That doesn't seem to help. In smb.conf I've put

log level = 3 winbind:10

All I see winbind related in the log.samba file is:

AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered

When I try `wbinfo -i mark`, nothing new appears in the log.

--Mark
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba