Jochen Korge || PCSM GmbH
2022-Feb-25 07:41 UTC
[Samba] inconsistend ID mapping with rid backend and ctdb
Unfortunately it did not fix it. After "net cache flush" and a restart everything seemed ok. Overnight the Group jumped back to 3008 and access was denied again. We didn't monitor it though, so we do not know when it happened exactly.

It seems like it always starts on the RID-Range and then after some time "falls down" to the tdb range. getent passwd showed 1000513 yesterday as primary gid and today all users changed to 3008.

This one group is only the most prominent, it happens to other groups and a few users as well.

Best regards,
Jochen Korge
Mobile +49 711 28695277
PCSM GmbH
Crailsheimerstrasse 15, 70435, Stuttgart
Tel. +49 711 230 44 96
Fax +49 711 230 44 97
Managing Director: Thomas Martin | Registered office: Stuttgart
District Court Stuttgart, HRB no.: 733394 / VAT ID: DE815181359

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Thursday, 24 February 2022 21:40
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] inconsistend ID mapping with rid backend and ctdb

On Thu, 2022-02-24 at 20:18 +0000, Jochen Korge || PCSM GmbH wrote:
> Thanks for the quick reply.
>
> I made the change regarding the netbios name yesterday. We got all IDs
> in the RID range. Today several "moved back" to the tdb range.
> Do I have to drop the tdb database? And if so, ctdb getdbmap shows
> several possible databases.

Try running 'net cache flush' on all cluster members, this should flush the authentication database on each member.

>
> We joined a Domain with 2008 Schema and unfortunately we do have some
> Windows XP Clients we can not update or replace.

Ah, so the 2019 DC is still using the 2008 schema, I wasn't aware this was allowed.

> Enum was for debugging purpose.

That is all they are fit for.

Rowland
Jochen Korge || PCSM GmbH
2022-Feb-25 12:46 UTC
[Samba] inconsistend ID mapping with rid backend and ctdb
After further Investigation I found two ways to consistently trigger the GID-Change:

"sudo smbstatus":

    jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
    1000513
    jochen@srvnas02:~$ sudo smbstatus
    ....
    jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
    3008

"wbinfo -G 3008":

    jochen@srvnas02:~$ wbinfo -G 1000513
    S-1-5-21-XXXX-XXXX-XXXX-513
    jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
    1000513
    jochen@srvnas02:~$ wbinfo -G 3008 <-- does change the GID
    S-1-5-21-XXXX-XXXX-XXXX-513
    jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
    3008
    jochen@srvnas02:~$ wbinfo -G 1000513 <-- does NOT change it back
    S-1-5-21-XXXX-XXXX-XXXX-513
    jochen@srvnas02:~$ wbinfo -Y S-1-5-21-XXXX-XXXX-XXXX-513
    3008

With "wbinfo -G or -U" I can trigger the change for each existing group/user. Smbstatus "only" changes the "domain user" gid. "net cache flush" resets it, but unfortunately it does not stick.

What still triggers me is the "<none>" Domain in lookup-sids (happens to all users/groups)

    jochen@srvnas02:~$ wbinfo --lookup-sids S-1-5-21- XXXX-XXXX-XXXX -513
    S-1-5-21- XXXX-XXXX-XXXX -513 -> <none>\Domänen-Benutzer 2

though

    jochen@srvnas02:~$ wbinfo -s S-1-5-21- XXXX-XXXX-XXXX -513
    OURDOMAIN\Domänen-Benutzer 2

Works as expected.

Best regards,
Jochen Korge
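
Added example, not part of the original posts: a small drift check for the symptom described in this thread, which records when a SID's Unix ID stops matching the value the rid backend computes (ID = RID - BASE_RID + LOW_RANGE_ID, per idmap_rid(8)). The range 1000000-1999999 is an assumption inferred from 1000513 mapping to RID 513, the SIDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Assumed smb.conf values (not shown in the thread); adjust to your config.
RID_LOW=1000000    # idmap config <DOMAIN> : range, lower bound (assumed)
RID_HIGH=1999999   # idmap config <DOMAIN> : range, upper bound (assumed)
BASE_RID=0         # idmap_rid base_rid default

# ID the rid backend should return for a SID.
expected_id() {
    rid=${1##*-}                      # last sub-authority of the SID is the RID
    echo $(( rid - BASE_RID + RID_LOW ))
}

# classify SID OBSERVED_ID -> ok | drift | mismatch | unmapped
classify() {
    sid=$1 observed=$2
    case $observed in
        ''|*[!0-9]*) echo unmapped; return ;;   # no ID or non-numeric output
    esac
    want=$(expected_id "$sid")
    if [ "$observed" -eq "$want" ]; then
        echo ok
    elif [ "$observed" -lt "$RID_LOW" ] || [ "$observed" -gt "$RID_HIGH" ]; then
        echo drift                    # ID came from outside the rid range
    else
        echo mismatch                 # inside the range but not RID-derived
    fi
}

# Read "SID observed-id" lines on stdin, log each non-ok entry with a UTC
# timestamp on stderr, and print the number of non-ok entries on stdout.
scan() {
    bad=0
    while read -r sid observed; do
        [ -n "$sid" ] || continue
        state=$(classify "$sid" "$observed")
        [ "$state" = ok ] && continue
        printf '%s %s %s got=%s want=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$state" "$sid" "${observed:-none}" "$(expected_id "$sid")" >&2
        bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample input. On a cluster node each line would instead be
# built as: echo "$sid $(wbinfo -Y "$sid" 2>/dev/null)"
SAMPLE='S-1-5-21-1111-2222-3333-513 1000513
S-1-5-21-1111-2222-3333-513 3008
S-1-5-21-1111-2222-3333-1105'
printf '%s\n' "$SAMPLE" | scan
```

Run periodically on every ctdb node, the timestamped stderr lines show when and on which node a mapping left the rid range.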