samba - Apr 2020 - autorid broken in samba 4.9?

Show the servers there smb.conf that might help. 

And your using autorid.. 
https://wiki.samba.org/index.php/Idmap_config_autorid 

Drawbacks: User and group IDs are not equal across Samba domain members.

TC84\administrator:*:1100500:1100513::/home/administrator at TC84
TC83\administrator:*:1200500:1200513::/home/administrator at TC83

1200500-1100500 = 100000

idmap config * : rangesize = 100000
 The default value is 100000 ! 

So this looks normal.. But i never used autorid so, im sure if im wrong
Someone will correct me ;-) 



Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Nathaniel W. Turner via samba
> Verzonden: woensdag 8 april 2020 20:57
> Aan: sambalist
> Onderwerp: Re: [Samba] autorid broken in samba 4.9?
> 
> Sorry, this probably belongs on samba, not -technical, at 
> least for now.
> 
> On Wed, Apr 8, 2020 at 1:55 PM Nathaniel W. Turner 
> <nate at houseofnate.net>
> wrote:
> 
> > I have a configuration that is working correctly with samba 
> 4.8 (in CentOS
> > 7.6). When I apply the same basic configuration to a system 
> running samba
> > 4.9 (CentOS 7.7), I see a very strange behavior: The ID 
> mapping for trusted
> > domains does not work right.
> >
> > Both systems are joined to the domain tc84.local (TC84), which has a
> > forest trust with TC83, and they have identical smb.conf 
> files. Here's the
> > idmap related bit:
> >
> > # testparm 2>/dev/null </dev/null | grep idmap
> >         idmap config * : range = 1000000-19999999
> >         idmap config * : backend = autorid
> >
> > Here's the samba 4.8 system:
> >
> > [root at kvm7246-vm005 ~]# wbinfo -i TC84\\administrator
> > 
> TC84\administrator:*:1100500:1100513::/home/administrator at TC84
> :/bin/bash
> > [root at kvm7246-vm005 ~]# wbinfo -i TC83\\administrator
> > 
> TC83\administrator:*:1200500:1200513::/home/administrator at TC83
> :/bin/bash
> >
> > And here's the same config on a samba 4.9 system:
> >
> > [root at kvm7246-vm008 ~]# wbinfo -i TC84\\administrator
> > 
> TC84\administrator:*:2000500:2000513::/home/administrator at TC84
> :/bin/bash
> > [root at kvm7246-vm008 ~]# wbinfo -i TC83\\administrator
> > TC83\administrator:*:10000:10000::/home/administrator at
TC83:/bin/bash
> >
> > The UID 10000 is not within the idmap configured range!
> >
> > I looked a the idmap_autorid(8) manpage, and very very 
> quickly scanned the
> > source diffs between these versions, but nothing jumps out 
> at me. Is this a
> > known issue, or is there some new idmap configuration 
> setting that's now
> > needed?
> >
> > n
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On 09/04/2020 08:34, L.P.H. van Belle via samba wrote:
> Show the servers there smb.conf that might help.
>
> And your using autorid..
> https://wiki.samba.org/index.php/Idmap_config_autorid
>
> Drawbacks: User and group IDs are not equal across Samba domain members.
>
> TC84\administrator:*:1100500:1100513::/home/administrator at TC84
> TC83\administrator:*:1200500:1200513::/home/administrator at TC83
>
> 1200500-1100500 = 100000
>
> idmap config * : rangesize = 100000
>   The default value is 100000 !
>
> So this looks normal.. But i never used autorid so, im sure if im wrong
> Someone will correct me ;-)
Yes that is correct, they should be different across domains, but they 
shouldn't change if Samba is upgraded and this is what has happened for 
the OP.

I wasn't going to reply on this subject because I do not know enough 
about autorid and there doesn't seem to be? any changes to the code that 
could cause this. I did hope that one of? the other Samba team members 
would chime in.

Perhaps seeing the OP's smb.conf might help and a bit more info, is sssd 
running for instance ?

Rowland

Good morning Rowland,
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: donderdag 9 april 2020 9:46
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] autorid broken in samba 4.9?
> 
> On 09/04/2020 08:34, L.P.H. van Belle via samba wrote:
> > Show the servers there smb.conf that might help.
> >
> > And your using autorid..
> > https://wiki.samba.org/index.php/Idmap_config_autorid
> >
> > Drawbacks: User and group IDs are not equal across Samba 
> domain members.
> >
> > TC84\administrator:*:1100500:1100513::/home/administrator at TC84
> > TC83\administrator:*:1200500:1200513::/home/administrator at TC83
> >
> > 1200500-1100500 = 100000
> >
> > idmap config * : rangesize = 100000
> >   The default value is 100000 !
> >
> > So this looks normal.. But i never used autorid so, im sure 
> if im wrong
> > Someone will correct me ;-)
> 
> Yes that is correct, they should be different across domains, 
> but they 
> shouldn't change if Samba is upgraded and this is what has 
> happened for 
> the OP.
> 
> I wasn't going to reply on this subject because I do not know enough 
> about autorid and there doesn't seem to be? any changes to 
> the code that  could cause this. I did hope that one of? the other Samba 
> team members  would chime in.
Hahaha.. Yeah.well, one did :-). 
And I was thinking the same but i felt sorry nobody replied him,
so i gave it an attempt to help. I dont know much of the autorid part also,
but lets give it a try.
> 
> Perhaps seeing the OP's smb.conf might help and a bit more 
> info, is sssd running for instance ?
Yeah, we really need the full smb.conf to tell more. 


Greetz, 

Louis

Hi all,

Thanks for the replies.

On Thu, Apr 9, 2020 at 3:54 AM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> Good morning Rowland,
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Rowland penny via samba
> > Verzonden: donderdag 9 april 2020 9:46
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] autorid broken in samba 4.9?
> >
> > On 09/04/2020 08:34, L.P.H. van Belle via samba wrote:
> > > Show the servers there smb.conf that might help.
> > >
> > > And your using autorid..
> > > https://wiki.samba.org/index.php/Idmap_config_autorid
> > >
> > > Drawbacks: User and group IDs are not equal across Samba
> > domain members.
> > >
> > > TC84\administrator:*:1100500:1100513::/home/administrator at TC84
> > > TC83\administrator:*:1200500:1200513::/home/administrator at TC83
> > >
> > > 1200500-1100500 = 100000
> > >
> > > idmap config * : rangesize = 100000
> > >   The default value is 100000 !
> > >
> > > So this looks normal.. But i never used autorid so, im sure
> > if im wrong
> > > Someone will correct me ;-)
> >
> > Yes that is correct, they should be different across domains,
> > but they
> > shouldn't change if Samba is upgraded and this is what has
> > happened for
> > the OP.
>
Right, the mappings in the samba 4.8 case quoted look right to me too. What
I don'd understand is this:

TC84\administrator:*:2000500:2000513::/home/administrator at TC84:/bin/bash
TC83\administrator:*:10000:10000::/home/administrator at TC83:/bin/bash

I thought that because I have "idmap config * : range =
1000000-19999999",
that the lowest UID that idmap would allocate would be 1000000 (but here we
have 10,000 which is much less than 1,000,000).
> I wasn't going to reply on this subject because I do not know enough
> > about autorid and there doesn't seem to be  any changes to
> > the code that  could cause this. I did hope that one of  the other
Samba
> > team members  would chime in.
>
> Hahaha.. Yeah.well, one did :-).
> And I was thinking the same but i felt sorry nobody replied him,
> so i gave it an attempt to help. I dont know much of the autorid part also,
> but lets give it a try.
>
> >
> > Perhaps seeing the OP's smb.conf might help and a bit more
> > info, is sssd running for instance ?
>
> Yeah, we really need the full smb.conf to tell more.
>
Sure, here's the whole thing (it's identical on both machines):

# Global parameters
[global]
        client signing = required
        debug pid = Yes
        debug prefix timestamp = Yes
        disable netbios = Yes
        dns proxy = No
        guest account = nfsnobody
        hostname lookups = Yes
        kerberos method = system keytab
        load printers = No
        local master = No
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        max open files = 32768
        preferred master = No
        realm = TC84.LOCAL
        security = ADS
        server min protocol = SMB2
        server string = xxxxxxx
        template homedir = /home/%U@%D
        template shell = /bin/bash
        unix extensions = No
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = TC84
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid
        aio read size = 0
        aio write size = 0
        allocation roundup size = 0
        dfree cache time = 60
        level2 oplocks = No
        locking = No
        oplocks = No