More experimentation ...

I stopped Samba, ldbedit'ed the /var/lib/samba/private/idmap.ldb and changed the line

xidNumber: 3000026

to

xidNumber: 10001

killed the cache and restarted Samba. As I hoped, the wbinfo now showed

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

which was NOT the case in my message below after killing the cache. In that previous test I had to start winbindd at the command line to get the 10001 UID in there. I supposed it worked when I started winbindd at the command line because I used the -n (disable caching) switch, thus apparently, it did not use the cached 3000026 UID.

A bit disconcerting was that the GID in the recent test was still 10000 instead of reverting to 100 (which is defined in idmap.ldb). Not sure why that didn't revert with no cache.

My theory: when slackpkg installed Samba 4.4.8, it did all that directory moving as we've already discussed, but also probably DID NOT MOVE the /var/lib/samba/winbindd_cache.tdb file (a guess). With no cache, winbindd authenticated using idmap.ldb, which in the case of user 'mark' returned UID:GID 200026:100.

User 'shay' was not in idmap.ldb and with no cache I have to assume winbindd got her information from sam.ldb, which was correct.

Back when I changed all domain users from the 3000xx range to the 100xx range in sam.ldb, I probably should have also changed their corresponding settings in idmap.ldb based on objectSid, including changing the 'domain users' GID from 100 to 10000 -- do you agree?

Some unanswered questions, perhaps you know the answer to ...

How did my domain users get in idmap.ldb in the first place? If ADUC put them there when I created the account, why did ADUC not put user 'shay' in there?

Given the above, is idmap.ldb necessary? Seems redundant with the information in sam.ldb and apparently overrides sam.ldb when settings conflict.
In the meantime, I think my problem might be solved given the results of this last experiment to change user 'mark's xidNumber in idmap.ldb.

What think ye?

--Mark

-----Original Message-----
Date: Fri, 27 Jan 2017 01:18:28 -0500
To: samba at lists.samba.org
Subject: Re: [Samba] getent problems with new Samba version
From: Mark Foley via samba <samba at lists.samba.org>

Here's an interesting phenomenon. In order to get debug output from winbindd, I killed the one started by samba and ran it by hand as follows:

$ /usr/sbin/winbindd -i -n --option='server role check:inhibit=yes' --debuglevel=5

I got the --option parameters from `ps ax`, i.e. from the winbindd started by Samba. When I ran this way and then did `wbinfo -i mark` guess what?

$ wbinfo -i mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

I got the right UID:GID. I then restarted samba and also got the correct UID:GID with wbinfo. Likewise with getent. I then stopped samba, killed off the cache:

$ net cache flush
$ rm /var/lib/samba/winbindd_cache.tdb

and restarted samba, and the UID:GID were back to the bad ones:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

Once again, killing the samba-started winbindd and running by hand began giving the correct UID:GID, and continued to do so after restarting Samba (probably because that UID:GID is now in cache).

Do you have any explanation for this?

Any idea where to look to make Samba start [whatever] correctly?

Any idea where it is getting the 3000026:100 info in the first place (if I could change it there it might never be wrong)? To this latter question, there is a file, /var/lib/samba/private/idmap.ldb, that has:

objectSid: S-1-5-21-1052267278-1962196458-4119365663-1111
xidNumber: 3000026

and this SID corresponds to the objectSid in /var/lib/samba/private/sam.ldb for the 'mark' user. What if I changed all the xidNumber's in idmap.ldb to the correct ones for the domain users?

I'm thinking as I type ...
The domain user that did continue working correctly after the upgrade was:

$ wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

This user was added within the past year with ADUC. This user exists in sam.ldb, but not in idmap.ldb. Why? Is idmap.ldb not really necessary? Why are the other users in idmap.ldb? I added them with ADUC as well.

So, back in October 2015 when you advised me to renumber users from 30000xx to 100xx in sam.ldb, should I have also changed the xidNumber's in idmap.ldb?

Too many questions for one email?

--Mark

-----Original Message-----
Date: Thu, 26 Jan 2017 18:54:26 -0500
To: samba at lists.samba.org
From: Mark Foley via samba <samba at lists.samba.org>
Subject: Re: [Samba] getent problems with new Samba version

On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 26 Jan 2017 16:26:02 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote:
> >
> > > > Have you tried checking in AD with ldbsearch or ldbedit for the
> > > > actual records ?
> > >
> > > Yes, I've done `ldbedit -H /var/lib/samba/private/sam.ldb` (and
> > > ldbsearch) and among other settings for user 'mark' I have:
> > >
> > > uidNumber: 10001
> > > gidNumber: 10000
> >
> > > Does 'Domain Users' have a gidNumber ?
> >
> > Yes, here is the entire section on that from ldbsearch. You can see
> > the gidNumber is 10000:
> >
> > [deleted]
> >
> > The question remains, why is winbind not getting this info from
> > sam.ldb? Everything appears to be in the right place.
> >
> > Can I turn on some debugging for winbind? Where is it started?
> >
> > --Mark
>
> add 'log level 3 winbind:10' to smb.conf

That doesn't seem to help.
In smb.conf I've put

log level = 3 winbind:10

All I see winbind related in the log.samba file is:

AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered

When I try `wbinfo -1 mark`, nothing new appears in the log

--Mark

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
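A check that goes with the idmap.ldb versus sam.ldb discussion in the message above, added here as an example and not code from the thread: it parses ldbsearch-style output of both databases and lists every objectSid whose xidNumber in idmap.ldb disagrees with the uidNumber/gidNumber on the same objectSid in sam.ldb, so a renumbering like the one described can be verified before the winbindd cache is flushed. The sample records are constructed to mirror the values quoted in the thread, and the rule that a SID carrying a uidNumber is compared as a user and otherwise as a group is an assumption of this script, not something the thread states.

```python
# Added example, not from the thread: report objectSids whose xidNumber in
# idmap.ldb differs from the uidNumber/gidNumber on the same objectSid in sam.ldb.
# Input is LDIF text as ldbsearch prints it; both samples are constructed (the
# 'Domain Users' RID 513 -> 100 entry follows the thread's theory, not a dump).

DOM = "S-1-5-21-1052267278-1962196458-4119365663"  # domain SID quoted in the thread
IDMAP_LDIF = f"""\
# record 1
objectSid: {DOM}-1111
xidNumber: 3000026

objectSid: {DOM}-513
xidNumber: 100
"""

SAM_LDIF = f"""\
objectSid: {DOM}-1111
uidNumber: 10001
gidNumber: 10000

objectSid: {DOM}-513
gidNumber: 10000
"""

def parse_ldif(text):
    """Blank line ends a record, '#' lines are comments, 'attr: value' is a field."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur[attr] = value.strip()
    return records

def find_conflicts(idmap_ldif, sam_ldif):
    """(objectSid, idmap xidNumber, sam id) per SID the two databases disagree on;
    a SID with a uidNumber is compared as a user, otherwise its gidNumber is used."""
    sam = {r["objectSid"]: r for r in parse_ldif(sam_ldif) if "objectSid" in r}
    conflicts = []
    for r in parse_ldif(idmap_ldif):
        entry, xid = sam.get(r.get("objectSid")), r.get("xidNumber")
        if not entry or not xid:
            continue  # SID absent from sam.ldb (or no mapping): nothing to compare
        expected = entry.get("uidNumber") or entry.get("gidNumber")
        if expected and expected != xid:
            conflicts.append((r["objectSid"], xid, expected))
    return conflicts
```

On a real DC the two inputs would be the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` and of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=*)' objectSid uidNumber gidNumber`, both run as root.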
On Fri, 27 Jan 2017 02:20:34 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> More experimentation ...
>
> [...]
>
> Given the above, is idmap.ldb necessary? Seems redundant with the
> information in sam.ldb and apparently overrides sam.ldb when settings
> conflict.
>
> In the meantime, I think my problem might be solved given the results
> of this last experiment to change user 'mark's xidNumber in idmap.ldb.
>
> What think ye?
>
> --Mark

Can you post the script that slackware is using to start Samba and can you also check if you have more than one 'samba' binary.

I have downloaded the slackware 14.2 DVD and I cannot find the 'doinst.sh' script, but mind you, I cannot find samba either. I think you must have upgraded Samba via the slackware package manager.

Rowland
On Fri, 27 Jan 2017 09:36:24 +0000 Rowland Penny wrote:

> Can you post the script that slackware is using to start Samba and can
> you also check if you have more than one 'samba' binary.

Binary:

$ find / -mount -type f -name samba -exec ls -l \{\} \;
-rwxr-xr-x 1 root root 72720 2016-12-28 14:25 /usr/sbin/samba

Doubtful an older binary would work. Previously I tried restoring the older 4.2.14 winbindd to see if that would work better and it failed to run missing an .so file.

Start Script - this is actually the same start script as before the 14.2 upgrade. Either there was no rc.samba.new, or I deleted it after the Samba upgrade:

#!/bin/sh
#
# /etc/rc.d/rc.samba
#
# Start/stop/restart the Samba4 Domain Controller - JMF 20140723
#
# To make Samba start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.samba
#

samba_start() {
  if [ -x /usr/sbin/samba -a -r /etc/samba/smb.conf ]; then
    echo "Starting Samba: /usr/sbin/samba"
    /usr/sbin/samba
  fi
}

samba_stop() {
  echo "Stopping Samba"
  killall samba
}

samba_restart() {
  samba_stop
  sleep 2
  samba_start
}

case "$1" in
'start')
  samba_start
  ;;
'stop')
  samba_stop
  ;;
'restart')
  samba_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions. This may change to a 'usage' error someday.
  samba_start
esac

> I have downloaded the slackware 14.2 DVD and I cannot find the
> 'doinst.sh' script, but mind you, I cannot find samba either. I think
> you must have upgraded Samba via the slackware package manager.

Yes I did, but when I first installed Slackware 14.1 from that DVD back in 2014 it certainly had Samba 4.0.x as I used that to provision my AD/DC -- I did not do a separate download from either Samba.org or Slackbuilds -- and, unlike Ubuntu and Debian (from the same era), it worked out-of-the-box. I've been updating Samba quarterly since then. Also, I do find samba on the 14.2 DVD in slackware64/n/samba-4.4.4-x86_64-3.txz. See PACKAGES.TXT at the root of the same DVD.
In this email, I've removed all the testing and discussion bits from this thread, but I'll insert my final questions from the previous message in case you have some theories or can otherwise correct my misconceptions:

Some unanswered questions, perhaps you know the answer to ...

How did my domain users get in idmap.ldb in the first place? If ADUC put them there when I created the account, why did ADUC not put user 'shay' in there?

Given the above, is idmap.ldb necessary? Seems redundant with the information in sam.ldb and apparently overrides sam.ldb when settings conflict.

In the meantime, I think my problem might be solved given the results of this last experiment to change user 'mark's xidNumber in idmap.ldb.

THX --Mark