samba - May 2018 - samba 4 joining samba 3 pdc - group mismatch

On Thu, 3 May 2018 17:35:25 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > > No, you should get the same UID on the Unix domain member at all
> > > times, it will just be a different on to the PDC.  
> > 
> > I get the same uid all time but not the one I expect.
> > I'd expect that idmap return "UNIX_UID + LOW_RANGE_ID"
as the new uid.
> > But as you said idmap uses RID instead. My mistaken thought.
> > 
> > This leads me to another questions:
> > and how RID is guessed at S3??   
> 
> It isn't guessed, it is allocated and what you have to understand is
> that a users (or groups) RID is different from a Unix ID.
> On an old style PDC, you also have to have a Unix user, and
> as /etc/passwd is checked first, the ID found there is used as the Unix
> ID.

> 
>  
> > > > I got a small progress here. Now jgarcia uid is inside the
> > > > "range". Thanks.
> > > > 
> > > > 	S4# id jgarcia
> > > > 	uid=103032(jgarcia) gid=100513(none) \
> > > > 	groups=100513(none),103032(jgarcia),101094(5p6l3d1$),\
> > > > 	101119(jgomes-pc$),10001(BUILTIN\users)
> > > > 
> > > > but "base" id does not match. jgarcia uid is 1094
at S3.
> > > 
> > > I am willing to bet the RID for 'jgarcia' is
'3032'
> > 
> > How do I check this at S3 command line ?  
> 
> Run 'pdbedit -Lv' on S3
> This should list all your users, you are looking for lines like
> this:
> 
> S-1-5-21-1768301897-3342589593-1064908849-3601
> 
> The last number '3601' is the RID, the rest is the SID that
identifies
> the domain.
I run the pdbedit command.
I got a lage amount of users (and groups). 
The admin of the S3 server deleted (userdel) 75 users and these are still listed
by pdbedit.
How do I get rid os them??
> 
> > >   
> > > > the group names which jgarcia belongs make no sense either 
> > > > (5p6l3d1$ ?!?! this one should be named jgarcia).    
> > > 
> > > This I don't understand.  
> > 
> > The "id jgarcia" returns, among other groups,
101094(5p6l3d1$).
> > 1094 is the UNIX primary group for user jgarcia. 
> > This group is named, at S3, "jgarcia", like the username.  
> 
> I wonder if this is similar to AD, where you cannot have a user and
> group with the same name, perhaps Samba renames the group ?
Hmmm. Good observation.

> 
> > 
> > I'm inclined to think that this 1010194 is just a big coincidence
and
> > that number refer to another RID group not related to the jgarcia
> > unix group 1094. And why this name "5p6l3d1$" is so messed
up?? Where
> > this came from?  
> 
> This also is possible, you could try running 'net groupmap list' on
S3
This command listed nothing but two maps I created in previous tests.

ntjgarcia (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1094) -> jgarcia
ntsomegrp (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1119) -> somegrp

and I these does not show at S4 anywhere!

Although I believe that these mappings may not be adequate.
When I created these I had in mind that RID was directly copied from Unix UID.

As you observed above, this S-1-5-21-...-1094 may by the jgarcia group
renamed to 5p6l3d1$ and the mapping does not smells good.
> 
> > 
> > 
> > Other thing I do not get is why wbinfo does not returns all groups
> > jgarcia is in. I mentioned this on first email of this tread.  
> 
> Winbind doesn't show all a users groups until the user logs in.
> 
> > 
> > Why "id other_user" returns "no such user" for a
bunch of users,
> > been "other_user" obtained from "wbinfo -u"  
> 
> this is probably because 'wbinfo -u' shows windows users and these
may
> not be Unix users, they may be members of the '*' domain.
I think you may be mistaken (or I did not fully understood your affirmation).
These "no such user" users were deleted from Linux with "userdel
-r"  and are
ghosts in Samba.
I just tried to remove them (smbpasswd -x) them but got "Failed to delete
entry
for user XXXX"
How do I get rid of these ghosts?
> 
> > > > This would not be a problem *if* rsync could
"translate" uids
> > > > during the copy. Remember I am migrating data from S3 to S4.
> > > > It is much easier to correlate uid (or gid) 1094 with 101094
than
> > > > to 103032.    
> > > 
> > > I thought rsync synced by name  
> > 
> > Nope. It syncs uid/gid number based.  
> 
> what is your rsync command ?
for i in D1 D2 D3 D4 ; do 
        echo
        echo "SYNC'ing $i";
        echo
        /usr/bin/rsync -av S3:/var/samba/$i /home; 
done

> I ask this because if I rsync a file from my pc (rowland, 10000, ad
> backend) to a another pc (rowland, 11107, rid backend), ls -la shows
> the owner as 'rowland'
Maybe you mounted the remote server locally. Didn't you?
> 
> > > It might be easier in the long run to set up a new AD domain and
> > > move everything to that.  
> > 
> > This leads me to re-join every station. Not good!  
>  
> Yes, but you can correct all the historic errors and start afresh.
Good point.

Ethy

On Thu, 3 May 2018 14:59:18 -0300
"Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> I run the pdbedit command.
> I got a lage amount of users (and groups). 
> The admin of the S3 server deleted (userdel) 75 users and these are
> still listed by pdbedit. How do I get rid os them??
> 
> I think you may be mistaken (or I did not fully understood your
> affirmation). These "no such user" users were deleted from Linux
with
> "userdel -r"  and are ghosts in Samba.
> I just tried to remove them (smbpasswd -x) them but got "Failed to
> delete entry for user XXXX"
> How do I get rid of these ghosts?
The OS stores users in /etc/passwd and userdel removes these, but there
are also Samba users and you need to run 'smbpasswd -x username' to
remove these.
> > what is your rsync command ?
> 
> for i in D1 D2 D3 D4 ; do 
>         echo
>         echo "SYNC'ing $i";
>         echo
>         /usr/bin/rsync -av S3:/var/samba/$i /home; 
> done
> 
> 
> > I ask this because if I rsync a file from my pc (rowland, 10000, ad
> > backend) to a another pc (rowland, 11107, rid backend), ls -la shows
> > the owner as 'rowland'
> 
> Maybe you mounted the remote server locally. Didn't you?
My rsync command was much the same as yours (just added 'z') and I
didn't mount anything, which leads to the next question, are you
mounting anything ?

Rowland

On Thu, 3 May 2018 19:18:45 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 3 May 2018 14:59:18 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> 
> > I run the pdbedit command.
> > I got a lage amount of users (and groups). 
> > The admin of the S3 server deleted (userdel) 75 users and these are
> > still listed by pdbedit. How do I get rid os them??
> > 
> > I think you may be mistaken (or I did not fully understood your
> > affirmation). These "no such user" users were deleted from
Linux with
> > "userdel -r"  and are ghosts in Samba.
> > I just tried to remove them (smbpasswd -x) them but got "Failed
to
> > delete entry for user XXXX"
> > How do I get rid of these ghosts?  
> 
> The OS stores users in /etc/passwd and userdel removes these, but there
> are also Samba users and you need to run 'smbpasswd -x username' to
> remove these.
You may missed my comment above. I did try 'smbpasswd -x
<USERNAME>'.
I get "Failed to delete entry for user <USERNAME>".
> 
> > > what is your rsync command ?  
> > 
> > for i in D1 D2 D3 D4 ; do 
> >         echo
> >         echo "SYNC'ing $i";
> >         echo
> >         /usr/bin/rsync -av S3:/var/samba/$i /home; 
> > done
> > 
> >   
> > > I ask this because if I rsync a file from my pc (rowland, 10000,
ad
> > > backend) to a another pc (rowland, 11107, rid backend), ls -la
shows
> > > the owner as 'rowland'  
> > 
> > Maybe you mounted the remote server locally. Didn't you?  
> 
> My rsync command was much the same as yours (just added 'z') and I
> didn't mount anything, which leads to the next question, are you
> mounting anything ?
Not at all.

But I have to apologize thousand times to you.
I did not check the files rsync copied *after* the modifications you said.

While we where talking, rsync copied the files at least twice and corrected the
whole thing. The files and directories permissions and ownership are ok.
I can now list them with correct names.

Sorry for the noise.

So! What is not working?

jgarcia user is a member of UNIX group G1 at S3. 

S3# grep "G1.*jgarcia" /etc/group
G1:x:1119:jgarcia

I have this share at S4:

[snapshots]
   comment = snapshots
   path = /var/snapshots
   browseable = no
   read only = yes
   valid users = @G1

jgarcia is given NT_STATUS_ACCESS_DENIED.
If I change "valid users" to "@G1 jgarcia" *or* create a
(local to S4) G1 group
the logs in.

How to debug this error?

Ethy