Back on February 28, 2018, I started a thread "User permissions of profile/home directory lost" describing a problem occurring with my wife's user account. Since that time the random problem has persisted so I turned on some debugging. I have been able to determine that somehow her account idmap is broken. Here is the entry for my wife's SID as found in the idmap.ldb file (all subsequent data has been sanitized):

root at nikita> wbinfo -n mywife
S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)

# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
cn: S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143

Please note that the xidNumber is 3000062.

Here is the entry for my wife's user account in the sam.ldb file:

# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
sn: Wife
c: US
l: Somewhere
st: A State
postalCode:
givenName: Sharon
instanceType: 4
whenCreated: 20141220195750.0Z
uSNCreated: 5115
co: United States
company: MyHome!
objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
badPwdCount: 0
codePage: 0
countryCode: 840
homeDirectory: \\mydom\home\mywife
homeDrive: H:
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
accountExpires: 9223372036854775807
sAMAccountName: mywife
sAMAccountType: 805306368
userPrincipalName: mywife at mydom.mydc.com
userAccountControl: 66048
memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=MyDomOU,DC=mydom,DC=mydc,DC=com
cn: My Wife
name: My Wife
streetAddress: 999 Street
initials:
displayName: My Wife
gidNumber: 3000513
lockoutTime: 0
loginShell: /bin/bash
mail: mywife at mydc.com
mobile:
msDS-SupportedEncryptionTypes: 0
telephoneNumber:
title: The Bigger Boss
uidNumber: 3001108
unixHomeDirectory: /home/mywife
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydom,DC=mydc,DC=com
profilePath: \\mydom\home\Profiles\sln-11868bg
pwdLastSet: 131111097150000000
msSFU30NisDomain: mydom
msSFU30Name: mywife
unixUserPassword: ABCD!efgh12345$67890
uid: mywife
lastLogonTimestamp: 131672869851028400
whenChanged: 20180404034305.0Z
uSNChanged: 7165
lastLogon: 131674502053144830
logonCount: 134145
distinguishedName: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com

Note that the uidNumber is 3001108. Intermittently the Samba AD loses the uidNumber somehow. Instead of this:

>getent passwd mywife
MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash

I get this:

>getent passwd mywife
MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash

At this point all my wife's files are no longer owned by her. Note that the "incorrect" uidNumber corresponds to the xidNumber in the idmap.ldb database.

I had turned on some logging and the winbindd.log shows these messages (I snipped lots of repeating stuff):

[2018/04/05 07:29:03.938389, 3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3001108
[2018/04/05 07:29:03.945379, 3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 1212]: request interface version (version = 29)
[2018/04/05 07:29:03.945435, 3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 1212]: request location of privileged pipe
[2018/04/05 07:29:03.945532, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam MYDOM\mywife

<snipping stuff>

<see lots of this next one>

[2018/04/05 07:37:13.307216, 5] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

<snipping stuff>

[2018/04/05 07:41:11.697582, 3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3000062
[2018/04/05 07:41:11.701723, 3] ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
  getgrgid 3000513
[2018/04/05 07:41:11.705707, 3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3000062
[2018/04/05 07:41:11.709763, 3] ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
  getgrgid 3000513
[2018/04/05 07:41:11.873940, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam mywife
[2018/04/05 07:41:11.883785, 3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 5905]: request interface version (version = 29)
[2018/04/05 07:41:11.883841, 3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 5905]: request location of privileged pipe
[2018/04/05 07:41:11.883930, 3] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups MYDOM\mywife

<snipping stuff>

[2018/04/05 18:52:03.772521, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam mywife
[2018/04/05 18:52:06.562820, 3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [27682]: request interface version (version = 29)
[2018/04/05 18:52:06.562899, 3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [27682]: request location of privileged pipe
[2018/04/05 18:52:06.562997, 3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3001108
[2018/04/05 18:52:06.567294, 5] ../source3/winbindd/winbindd_getpwuid.c:111(winbindd_getpwuid_recv)
  Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED

Here is the AD smb.conf:

# Global parameters
[global]
        server string = Nurdog Active Directory Server
        workgroup = MYDOM
        realm = MYDOM.MYDC.COM
        server role = active directory domain controller
        server services = -dns
        bind interfaces only = yes
        interfaces = br0 lo
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum groups = yes
        winbind enum users = yes
        winbind nss info = rfc2307
        template homedir = /home/%U
        template shell = /bin/bash
        log file = /var/log/samba/%m.log
        max log size = 10000
        log level = 3 auth:5 winbind:5

[netlogon]
        path = /var/lib/samba/sysvol/myhome.nurdog.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Profiles]
        path = /home/Profiles/
        read only = No

[home]
        path = /home
        read only = No

Some more useful data. The problem seems correlated to when my wife logs into her user account on a Windows 10 box. That happened around 7:38AM this morning and at approximately 7:41AM her identity problems began. If I go and chown on her files everything will reset to her uid 3001108. As long as she is logged in when I do this everything will be okay until she logs out and back in and then it will occur again.

Can somebody point me in a direction to debug this issue? What on the windows 10 client could possibly cause the AD to change my wife's account from the uidNumber 3001108 in the AD database to the idmap xidNumber 3000062? Why would there be a sid S-1-22-1-3001108 which suspiciously has the uidNumber 3001108? And should I worry about the sid S-0-0 that cannot be mapped?

I am wondering if the latest version of Samba 4.7.6 is now confused by my use of the xidNumbers as uidNumbers. I never saw this problem with 4.7.5 or lower versions. Although it is very strange that only my wife's account has this problem when she logs in. My account is fine... no issues at all.

Finally should I just bite the bullet and delete my wife's account, remove any remnants to it in the databases, and then recreate it? I would use a more reasonable uidNumber range of say 10000 to 20000 and then just chown all of our files.

I need to fix this problem as my wife's email starts to bounce when this occurs since dovecot cannot write to her files since they are owned by 3001108 and the system thinks her uid is 3000062. She is not very pleased at the moment.

Thanks for any help/advice.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
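The post above compares three sources by eye: the uidNumber in sam.ldb, the xidNumber in idmap.ldb, and whatever getent currently returns. The following Python script is an added example (not code from Paul's posts or from the Samba project) that automates that comparison. It parses LDIF dumps such as the ones shown (including folded continuation lines like the memberOf value), parses a getent passwd line, and reports when the live uid has silently become the idmap.ldb xidNumber. It also classifies SIDs the way a winbindd.log reader needs to: the S-1-22-1-<uid> form asked about in the post is Samba's "Unix User" pseudo-domain, a raw Unix id with no AD object behind it. The sample records are constructed from the sanitized values in the post; the getent lines are constructed with the standard seven passwd fields.

```python
# Added example (not code from the thread): parse the LDIF dumps from
# sam.ldb and idmap.ldb and a 'getent passwd' line, and report whether the
# uid winbind hands out is the AD uidNumber or the idmap.ldb xidNumber.
import re
from typing import Dict, List, Optional

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """LDIF -> list of records (attr -> values). Skips '#' comments, keeps
    multi-valued attrs, and unfolds continuation lines (one leading space)."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # glue folded continuation
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
        last_attr = attr.strip()
    if current:
        records.append(current)
    return records

def first(rec: Dict[str, List[str]], attr: str) -> Optional[str]:
    """First value of attr, or None when the record lacks it."""
    return rec[attr][0] if rec.get(attr) else None

def describe_sid(sid: str) -> str:
    """Classify a SID as seen in winbindd.log: S-1-22-1-<uid> and
    S-1-22-2-<gid> are Samba's 'Unix User'/'Unix Group' pseudo-domains (a raw
    Unix id with no AD object); S-1-5-21-...-<rid> is a domain SID."""
    if re.fullmatch(r"S-1-22-1-\d+", sid):
        return "unix-uid:" + sid.rsplit("-", 1)[1]
    if re.fullmatch(r"S-1-22-2-\d+", sid):
        return "unix-gid:" + sid.rsplit("-", 1)[1]
    if re.fullmatch(r"S-1-5-21(-\d+){3}-\d+", sid):
        return "domain-rid:" + sid.rsplit("-", 1)[1]
    return "other"

def parse_getent(line: str) -> Dict[str, str]:
    """One 'getent passwd' line -> dict of its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd line: %r" % line)
    return dict(zip(("name", "pw", "uid", "gid", "gecos", "home", "shell"), fields))

def check_user(sam_ldif: str, idmap_ldif: str, getent_line: str,
               samaccountname: str) -> Dict[str, object]:
    """Compare AD uidNumber, idmap.ldb xidNumber and the live getent uid.
    An empty 'findings' list means the account is consistent."""
    sam = next(r for r in parse_ldif(sam_ldif)
               if first(r, "sAMAccountName") == samaccountname)
    sid = first(sam, "objectSid")
    idmap = {first(r, "objectSid"): r for r in parse_ldif(idmap_ldif)}
    ad_uid = first(sam, "uidNumber")
    xid = first(idmap[sid], "xidNumber") if sid in idmap else None
    live_uid = parse_getent(getent_line)["uid"]
    findings = []
    if ad_uid is None:
        findings.append("no uidNumber stored in AD for " + samaccountname)
    elif live_uid != ad_uid:
        msg = "getent returns uid %s but AD uidNumber is %s" % (live_uid, ad_uid)
        if live_uid == xid:
            msg += " (equals the idmap.ldb xidNumber: the RFC2307 value is not used)"
        findings.append(msg)
    return {"sid": sid, "ad_uid": ad_uid, "xid": xid,
            "live_uid": live_uid, "findings": findings}

# Constructed samples from the sanitized values in the post; memberOf is
# folded exactly as LDIF folds long values.
SAMPLE_SAM_LDIF = """\
# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
sAMAccountName: mywife
memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=MyDomOU,DC=mydo
 m,DC=mydc,DC=com
gidNumber: 3000513
uidNumber: 3001108
objectClass: posixAccount
"""
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
"""
GOOD_GETENT = "MYDOM\\mywife:*:3001108:3000513:My Wife:/home/mywife:/bin/bash"
BAD_GETENT = "MYDOM\\mywife:*:3000062:3000513:My Wife:/home/mywife:/bin/bash"

if __name__ == "__main__":
    for line in (GOOD_GETENT, BAD_GETENT):
        print(check_user(SAMPLE_SAM_LDIF, SAMPLE_IDMAP_LDIF, line, "mywife")["findings"] or "consistent")
    print(describe_sid("S-1-22-1-3001108"))
```

On a real DC the two LDIF inputs would come from ldbsearch against sam.ldb and idmap.ldb and the third from getent passwd, run from a cron job so the drift is caught at the moment it happens rather than when mail starts bouncing.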
On 04/05/2018 08:29 PM, Paul R. Ganci via samba wrote:
> Back on February 28, 2018, I started a thread "User permissions of
> profile/home directory lost" describing a problem occurring with my
> wife's user account. Since that time the random problem has persisted
> so I turned on some debugging. I have been able to determine that
> somehow her account idmap is broken.
> <snip>

Some more information. RSAT on the windows 10 client shows all the proper UNIX attributes. The uidNumber is the correct 3001108. So I removed the idmap.ldb entry for my wife's sid and restarted the AD. The new idmap entry was created and I noticed that getent returned the xidNumber from the new entry. It appears that the AD is ignoring the UNIX attributes altogether for my wife's account. I honestly do not know what is special about her account as my account is setup in exactly the same manner.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
> Some more information. RSAT on the windows 10 client shows all the
> proper UNIX attributes. The uidNumber is the correct 3001108. So I
> removed the idmap.ldb entry for my wife's sid and restarted the AD.
> The new idmap entry was created and I noticed that getent returned the
> xidNumber from the new entry. It appears that the AD is ignoring the
> UNIX attributes altogether for my wife's account. I honestly do not
> know what is special about her account as my account is setup in
> exactly the same manner.

This is absolutely messed up. I re-created my wife's account. I added the UNIX attributes changing the uidNumber=10001 and I changed my uidNumber=10000 and gave the group domain users gidNumber=10513. I then restarted the server and issued a net cache flush probably 10 times:

MYDOM\me:*:10000:10513::/home/me:/bin/bash
MYDOM\mywife:*:10001:10513::/home/mywife:/bin/bash

I then do:

> cd /home
> ls -altn
drwx------+ 82 10000   10513   20480 Apr  5 23:36 me
drwx------+ 43 3000112 3000513  4096 Apr  4 18:28 mywife
>getent passwd
MYHOME\prg-11868bg:*:10000:3000513:Paul R. Ganci:/home/prg-11868bg:/bin/bash
MYHOME\sln-11868bg:*:3000112:3000513::/home/sln-11868bg:/bin/bash

It seems after some small length of time the domain users group gidNumber reverts to its xidNumber as does my wife's uidNumber. I have no idea why this would occur and don't know where to begin to debug the problem. Any pointers would be appreciated.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
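One thing worth checking against the behaviour in this post is the smb.conf parameter that controls whether a Samba AD DC uses RFC2307 attributes at all. The [global] section posted earlier in the thread contains no idmap_ldb:use rfc2307 line. On a DC that parameter is what tells the idmap layer to read uidNumber and gidNumber from AD; without it, the DC allocates xidNumbers in idmap.ldb and those are what getent reports, regardless of what RSAT shows for the account (samba-tool domain provision --use-rfc2307 writes the line for you at provisioning time). As an added illustration rather than configuration from the thread, here is a trimmed [global] section that reuses the posted values with that parameter in place; the comment marks the one added line.

```ini
[global]
        server role = active directory domain controller
        workgroup = MYDOM
        realm = MYDOM.MYDC.COM
        # Added: without this the DC's idmap layer never uses the uidNumber /
        # gidNumber stored in AD and falls back to xidNumbers from idmap.ldb.
        idmap_ldb:use rfc2307 = yes
        winbind use default domain = yes
        template homedir = /home/%U
        template shell = /bin/bash
        log file = /var/log/samba/%m.log
        log level = 3 auth:5 winbind:5
```

After a restart, testparm -s prints the effective configuration, so grepping its output for "use rfc2307" confirms the parameter was picked up before re-running getent passwd and the chown work described above.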