L.P.H. van Belle
2017-Sep-26 13:57 UTC
[Samba] Resolving inconsistant on DC with AD backend. GID 100 and 10000
Small update.

And changed the subject, was : [Samba] Domain member server: user access .

My last test was done with 4.6.7.
Now upgraded a DC to 4.6.8 ( and last result in 4.6.7 was 10000 )

root@rtd-dc1:~# wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513

root@rtd-dc1:~# wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513

root@rtd-dc1:~# wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

net cache flush
NTDOM\domain users:x:10000

Repeat above step.

wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

And wrong again..

net cache flush
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

Let's repeat it again. Well, you can repeat this endless..

Now what I found here is.
If you run :

1) wbinfo -G 100
Results in
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

2) wbinfo -G 10000
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

After 1 and 2 you must use net cache flush.

3) If you don't run : wbinfo -G 100 ( and start with net cache flush )
The wbinfo -G 10000 and wbinfo --group-info="Domain Users" stay the same and correct.

If you run once : wbinfo -G 100
It's incorrect again and you need net cache flush again.

So 4.6.7 and 4.6.8 show same results and reproducible.

If this is not by design, then it's a bug and we should report it.

Thoughts?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday 26 September 2017 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> Hai,
>
> >
> > I think you are misunderstanding what I wrote ;-)
> That's possible yes.. Lucky you better in explaining than me
> in English. ;-)
>
> >
> > If you open 'idmap.ldb' and search for 513 (Domain Users RID), you
> > will find:
> >
> > dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> > cn: S-1-5-21-1768301897-3342589593-1064908849-513
> > objectClass: sidMap
> > objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
> > type: ID_TYPE_GID
> > xidNumber: 100
> > distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> >
> > As you can see 'Domain Users' is mapped to the Unix group '100' and if
> > you look in /etc/group and search for '100', you will find this:
> >
> > users:x:100:
> >
> > This means that the Windows group is mapped to the Unix group 'users'
> > on a DC, up until you give Domain Users a gidNumber, then the ID will
> > change to the one you placed in the gidNumber attribute in Domain
> > Users.
>
> Aahhh.. Ok, it changes after you set gid.. That's a good one
> to remember.
>
> >
> > > Ok, I did read somewhere that
> > > Samba uses S-1-22-1 for users and S1-22-2 for groups.
> >
> > Any idea where ?
> Yes,
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
> (Unmapped users are now assigned a SID in the S-1-22-1 domain
> and unmapped groups are assigned a SID in the S-1-22-2
> domain) https://www.samba.org/samba/history/samba-3.0.23c.html
>
> This was one that led me to the 2 above links.
> https://stackoverflow.com/questions/31109871/mapping-sambas-s-1-22-12-sid-into-names
>
> >
> > >
> > > wbinfo -G 100
> > > S-1-5-21-3821322978-3959480180-962995944-513
> > >
> > > wbinfo -G 10000
> > > S-1-22-2-10000
> > >
> > > S1-22-2-10000 Is the unix group with uid 10000 ( which is also in my
> > > case "Domain Users" ) But how this maps again in samba, that I really
> > > don't know.
> > >
> > > Arg, very confusion all..
> >
> > Even more confusion:
> >
> > On my DC:
> >
> > wbinfo -G 100
> > S-1-5-21-1768301897-3342589593-1064908849-513
> >
> > wbinfo -G 10000
> > S-1-5-21-1768301897-3342589593-1064908849-513
> >
> > I have also compiled 4.7.0 and set it up as a test and I cannot see
> > any difference between the way 4.6.7 and 4.7.0 works on a DC i.e.
> > '100' becomes '10000' after I run 'net cache flush'
> >
> > Rowland
> >
>
> And... To make it even more confusion..
>
> Now.. I have the same results again.
> So,.. Domain users is mapped to GID 100, if you set GID
> yourself (my setup backend AD), and it uses the default 10000
> from start of my setup. ( about 2-3 years ago )
>
> wbinfo -G 100
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo -G 10000
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
>
> So why am I seeing 100 here and not 10000.
> I know for 100% sure this was 10000
> So I did run : net cache flush again.
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> And it's back to normal again. Wowhoo.
>
> Maybe it's wise to always run : net cache flush After a samba
> upgrade, Thoughts ?
>
> ... Ok, now I ssh just to my DC2.
> To make it even stranger, on exact same server as DC1.
>
> And the commands run. ( exactly )
>
> ssh dc2
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> So looks good... ( you think )
>
> wbinfo -G 100 Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo -G 10000 Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
>
> Now the wbinfo again ....
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
>
> And HUH... 100 ?? But it was 10000.
> Now, if this isn't a bug I don't know.
>
> And now :
> net cache flush
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> And it's back to normal, but I'm questioning ... For how long....
>
> So IMHO, very inconsistent results.
>
> So any more thoughts about this?
>
> Greetz,
>
> Louis
Rowland Penny
2017-Sep-26 14:13 UTC
[Samba] Resolving inconsistant on DC with AD backend. GID 100 and 10000
On Tue, 26 Sep 2017 15:57:03 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>
> Small update.
>
> And changed the subject, was : [Samba] Domain member server: user
> access .
>
> > wbinfo -G 100 Still ok..
> > S-1-5-21-2934682428-2610421433-476865461-513
> >
> > wbinfo -G 10000 Still ok..
> > S-1-5-21-2934682428-2610421433-476865461-513
> >
> > Now the wbinfo again ....
> >
> > wbinfo --group-info="Domain Users"
> > NTDOM\domain users:x:100
> >
> > And HUH... 100 ?? But it was 10000.
> > Now, if this isn't a bug I don't know.
> >
> > And now :
> > net cache flush
> > wbinfo --group-info="Domain Users"
> > NTDOM\domain users:x:10000
> >
> > And it's back to normal, but I'm questioning ... For how long....
> >
> > So IMHO, very inconsistent results.
> >
> > So any more thoughts about this?
> >

OK, that's me over there, waving the white flag ;-)

You are correct, running 'wbinfo -G 100' on a DC, resets Domain Users GID to '100' and a subsequent 'getent group Domain\ Users' will show:

SAMDOM\domain users:x:100:

You need to run 'net cache flush' to fix it.

Do you have a bugzilla account, or should I report it ?

Rowland
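The reproduction confirmed in the message above, written as a shell probe (an added example, not part of the original thread and not Samba tooling): it flushes the cache, records the GID winbind reports for a group, performs the `wbinfo -G` lookup, and checks whether the reported GID changed. The function names and the `simulate` stubs, which mimic the behaviour reported in the thread with sample values, are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe a DC for the GID change reported in this thread.
# On a DC, as root:   sh gidprobe.sh run "Domain Users" 100
# Offline:            sh gidprobe.sh simulate

# GID field of "DOMAIN\group:x:GID[:members]" as winbind reports it.
group_gid() {
    wbinfo --group-info="$1" | awk -F: 'NR == 1 { print $3 }'
}

# probe_gid_flip GROUP GID: returns 0 and prints "stable GID" if a
# 'wbinfo -G GID' lookup leaves GROUP's reported GID unchanged, returns 1
# and prints "flipped BEFORE->AFTER" if it changed, 2 if GROUP has no GID.
probe_gid_flip() {
    net cache flush >/dev/null
    before=$(group_gid "$1")
    [ -n "$before" ] || { echo "no GID reported for $1" >&2; return 2; }
    wbinfo -G "$2" >/dev/null      # the lookup reported to trigger the change
    after=$(group_gid "$1")
    net cache flush >/dev/null     # the fix given in the thread
    if [ "$before" = "$after" ]; then
        echo "stable $before"
    else
        echo "flipped $before->$after"
        return 1
    fi
}

# Constructed stand-ins for wbinfo and net that mimic the reported behaviour,
# so the probe can be exercised without a DC. SID and GIDs are sample values.
use_simulated_dc() {
    SIM_GID=10000
    wbinfo() {
        case "$1" in
            -G) if [ "$2" = 100 ]; then SIM_GID=100; fi
                echo "S-1-5-21-0-0-0-513" ;;
            --group-info=*) printf 'NTDOM\\domain users:x:%s\n' "$SIM_GID" ;;
        esac
    }
    net() { SIM_GID=10000; }
}

case "${1:-}" in
    run)      probe_gid_flip "$2" "$3" ;;
    simulate) use_simulated_dc; probe_gid_flip "Domain Users" 100 ;;
esac
```

A non-zero exit from `run` on a DC means file ownership checks that depend on the group's GID can differ until the cache is flushed.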
L.P.H. van Belle
2017-Sep-26 14:17 UTC
[Samba] Resolving inconsistant on DC with AD backend. GID 100 and 10000
Hai,

If you can, yes, please.

Post the number in this mail subject, then it's more easy to track.
I'm installing new mail server atm, so this is all in between other things.
And I'm getting but due.. So need to hurry up a bit.

Thanks!!!

Greetz,

Louis
Rowland Penny
2017-Sep-26 14:32 UTC
[Samba] Resolving inconsistant on DC with AD backend. GID 100 and 10000
On Tue, 26 Sep 2017 16:17:12 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> If you can, yes, please.
>
> Post the number in this mail subject, then it's more easy to track.
> I'm installing new mail server atm, so this is all in between other
> things. And I'm getting but due.. So need to hurry up a bit.
>

OK, bug reported:

https://bugzilla.samba.org/show_bug.cgi?id=13054

Rowland