Bartłomiej Solarz-Niesłuchowski
2023-Apr-22 06:24 UTC
[Samba] strange troubles in idmapping
Dear List,

suddenly I have a problem in my AD SAMBA server (rfc2307 in use, 20k+ users, 15+ years samba usage)...

some users have a wrong id_map.

good:

root@themes:/var/lib/samba/private# wbinfo -n XXXXXXd0
S-1-5-21-3156691614-3416019035-1284015310-128614 SID_USER (1)
root@themes:/var/lib/samba/private# wbinfo -S S-1-5-21-3156691614-3416019035-1284015310-128614
32845

bad:

root@themes:/var/lib/samba/private# wbinfo -n YYYYYYe
S-1-5-21-3156691614-3416019035-1284015310-127088 SID_USER (1)
root@themes:/var/lib/samba/private# wbinfo -S S-1-5-21-3156691614-3416019035-1284015310-127088
3001681

WHY does this happen?

user YYYYYYe exists in idmap (user XXXXXXd0 does not exist in idmap)

root@themes:/var/lib/samba/private/sam.ldb.d# ldbsearch -H /var/lib/samba/private/idmap.ldb CN=S-1-5-21-3156691614-3416019035-1284015310-127088
# record 1
dn: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
cn: S-1-5-21-3156691614-3416019035-1284015310-127088
objectClass: sidMap
objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
type: ID_TYPE_BOTH
xidNumber: 3001681
distinguishedName: CN=S-1-5-21-3156691614-3416019035-1284015310-127088

# returned 1 records
# 1 entries
# 0 referrals

but even if I delete that record from /var/lib/samba/private/idmap.ldb it will be recreated with a new id -> so somehow instead of using

Best Regards

PS - some infos:

root@themes:/var/lib/samba/private/sam.ldb.d# samba -V
Version 4.15.13-Ubuntu

(van belle ad version)

I use the rfc2307 extension:

[global]
        realm = AD.WSISIZ.EDU.PL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = WSISIZ.EDU.PL
        idmap_ldb:use rfc2307 = yes
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
        wins server = 213.135.44.33
        ntlm auth = mschapv2-and-ntlmv2-only
        min domain uid = 0
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile

user which works:

root@themes:/var/lib/samba/private# samba-tool user show XXXXXXd0
dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: XXXXXXd0
instanceType: 4
whenCreated: 20230316125223.0Z
uSNCreated: 158183212
name: XXXXXXd0
objectGUID: 9d01ecf4-f5b6-422e-90ed-febc81fca2f8
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\oceanic\XXXXXXd0
homeDrive: Z:
badPasswordTime: 0
lastLogoff: 0
scriptPath: login.bat
primaryGroupID: 513
profilePath: \\oceanic\XXXXXXd0\profile
objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
accountExpires: 9223372036854775807
sAMAccountName: XXXXXXd0
sAMAccountType: 805306368
userPrincipalName: XXXXXXd0@ad.wsisiz.edu.pl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
mail: XXXXXXd0@wit.edu.pl
uidNumber: 32845
gecos: Temporary User
loginShell: /bin/bash
msSFU30NisDomain: wsisiz.edu.pl
msSFU30Name: XXXXXXd0
unixUserPassword: ABCD!efgh12345$67890
userAccountControl: 512
gidNumber: 101
unixHomeDirectory: /home/staff/XXXXXXd0
displayName: Daniel XXXXXXak
description: Daniel XXXXXXak
memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
pwdLastSet: 133234629994492940
lastLogonTimestamp: 133261378445031020
whenChanged: 20230416165724.0Z
uSNChanged: 161980087
lastLogon: 133264880809991990
logonCount: 174
distinguishedName: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl

user which does not work:

root@themes:/var/lib/samba/private# samba-tool user show YYYYYYe
dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: YYYYYYe
instanceType: 4
whenCreated: 20220601202617.0Z
uSNCreated: 117943020
name: YYYYYYe
objectGUID: 896ceb98-04cc-45de-b1c5-5f51e5711c83
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\oceanic\YYYYYYe
homeDrive: Z:
badPasswordTime: 0
lastLogoff: 0
scriptPath: login.bat
primaryGroupID: 513
profilePath: \\oceanic\YYYYYYe\profile
objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
accountExpires: 9223372036854775807
sAMAccountName: YYYYYYe
sAMAccountType: 805306368
userPrincipalName: YYYYYYe@ad.wsisiz.edu.pl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
mail: YYYYYYe@wit.edu.pl
uidNumber: 31667
gidNumber: 100
gecos: Temporary User
loginShell: /bin/bash
msSFU30NisDomain: wsisiz.edu.pl
msSFU30Name: YYYYYYe
unixUserPassword: ABCD!efgh12345$67890
userAccountControl: 512
unixHomeDirectory: /home/2022/gr/YYYYYYe
displayName: Erwin YYYYYY
description: Erwin YYYYYY
memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
memberOf: CN=windows-admini,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
pwdLastSet: 133185514481333840
lastLogonTimestamp: 133260130599284170
whenChanged: 20230415061739.0Z
uSNChanged: 161920835
lastLogon: 133260378126465240
logonCount: 195
distinguishedName: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski@wit.edu.pl
tel. 223486547, fax 223486501
MSTEAMS: solarz@office.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
On 22/04/2023 07:24, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List,
>
> suddenly I have a problem in my AD SAMBA server (rfc2307 in use, 20k+
> users, 15+ years samba usage)...
>
> some users have a wrong id_map.
>
> good:
>
> root@themes:/var/lib/samba/private# wbinfo -n XXXXXXd0
> S-1-5-21-3156691614-3416019035-1284015310-128614 SID_USER (1)
> root@themes:/var/lib/samba/private# wbinfo -S
> S-1-5-21-3156691614-3416019035-1284015310-128614
> 32845
>
> bad:
>
> root@themes:/var/lib/samba/private# wbinfo -n YYYYYYe
> S-1-5-21-3156691614-3416019035-1284015310-127088 SID_USER (1)
> root@themes:/var/lib/samba/private# wbinfo -S
> S-1-5-21-3156691614-3416019035-1284015310-127088
> 3001681
>
> WHY does this happen?

I have no idea, it shouldn't.

> user YYYYYYe exists in idmap (user XXXXXXd0 does not exist in idmap)

It shouldn't matter if they are in idmap.ldb or not.

> root@themes:/var/lib/samba/private/sam.ldb.d# ldbsearch -H
> /var/lib/samba/private/idmap.ldb
> CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> # record 1
> dn: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> cn: S-1-5-21-3156691614-3416019035-1284015310-127088
> objectClass: sidMap
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
> type: ID_TYPE_BOTH
> xidNumber: 3001681
> distinguishedName: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> but even if I delete that record from /var/lib/samba/private/idmap.ldb it
> will be recreated with a new id -> so somehow instead of using
>
>
> Best Regards
>
> PS - some infos:
>
> root@themes:/var/lib/samba/private/sam.ldb.d# samba -V
> Version 4.15.13-Ubuntu
>
> (van belle ad version)

You really need to upgrade Samba. Have a search on this list; Michael, the Debian Samba maintainer, is supplying Ubuntu Samba packages.

> I use the rfc2307 extension:
>
> [global]
>         realm = AD.WSISIZ.EDU.PL
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate

Not that it can be relevant, but you appear to be using Bind9 for the dns server.

>         workgroup = WSISIZ.EDU.PL

Why does your workgroup have dots in it? Also, why is it the opposite of every recommendation, which is to use the left-hand part of the realm, which in your case would be 'AD'?

>         idmap_ldb:use rfc2307 = yes

That line means: use any uidNumber and gidNumber attributes in AD and ignore the xidNumber attributes in idmap.ldb. This is where the problem sets in; your DC doesn't seem to be doing this.

>         dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>         wins server = 213.135.44.33

Why do you have 'wins server' set? AD does not use wins, it uses dns.

>         ntlm auth = mschapv2-and-ntlmv2-only
>         min domain uid = 0
>         tls enabled = yes
>         tls keyfile = tls/key.pem
>         tls certfile = tls/cert.pem
>         tls cafile
>

I have the feeling that the smb.conf continues here with shares (over and above the netlogon & sysvol shares); you do know that this is not recommended.

> user which works:
>
> root@themes:/var/lib/samba/private# samba-tool user show XXXXXXd0
> dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: XXXXXXd0
> instanceType: 4
> whenCreated: 20230316125223.0Z
> uSNCreated: 158183212
> name: XXXXXXd0
> objectGUID: 9d01ecf4-f5b6-422e-90ed-febc81fca2f8
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: \\oceanic\XXXXXXd0
> homeDrive: Z:
> badPasswordTime: 0
> lastLogoff: 0
> scriptPath: login.bat
> primaryGroupID: 513
> profilePath: \\oceanic\XXXXXXd0\profile
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
> accountExpires: 9223372036854775807
> sAMAccountName: XXXXXXd0
> sAMAccountType: 805306368
> userPrincipalName: XXXXXXd0@ad.wsisiz.edu.pl
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
> mail: XXXXXXd0@wit.edu.pl
> uidNumber: 32845
> gecos: Temporary User
> loginShell: /bin/bash
> msSFU30NisDomain: wsisiz.edu.pl
> msSFU30Name: XXXXXXd0
> unixUserPassword: ABCD!efgh12345$67890
> userAccountControl: 512
> gidNumber: 101
> unixHomeDirectory: /home/staff/XXXXXXd0
> displayName: Daniel XXXXXXak
> description: Daniel XXXXXXak
> memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> pwdLastSet: 133234629994492940
> lastLogonTimestamp: 133261378445031020
> whenChanged: 20230416165724.0Z
> uSNChanged: 161980087
> lastLogon: 133264880809991990
> logonCount: 174
> distinguishedName: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
>
> user which does not work:
>
> root@themes:/var/lib/samba/private# samba-tool user show YYYYYYe
> dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: YYYYYYe
> instanceType: 4
> whenCreated: 20220601202617.0Z
> uSNCreated: 117943020
> name: YYYYYYe
> objectGUID: 896ceb98-04cc-45de-b1c5-5f51e5711c83
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: \\oceanic\YYYYYYe
> homeDrive: Z:
> badPasswordTime: 0
> lastLogoff: 0
> scriptPath: login.bat
> primaryGroupID: 513
> profilePath: \\oceanic\YYYYYYe\profile
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
> accountExpires: 9223372036854775807
> sAMAccountName: YYYYYYe
> sAMAccountType: 805306368
> userPrincipalName: YYYYYYe@ad.wsisiz.edu.pl
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
> mail: YYYYYYe@wit.edu.pl
> uidNumber: 31667
> gidNumber: 100
> gecos: Temporary User
> loginShell: /bin/bash
> msSFU30NisDomain: wsisiz.edu.pl
> msSFU30Name: YYYYYYe
> unixUserPassword: ABCD!efgh12345$67890
> userAccountControl: 512
> unixHomeDirectory: /home/2022/gr/YYYYYYe
> displayName: Erwin YYYYYY
> description: Erwin YYYYYY
> memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=windows-admini,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> pwdLastSet: 133185514481333840
> lastLogonTimestamp: 133260130599284170
> whenChanged: 20230415061739.0Z
> uSNChanged: 161920835
> lastLogon: 133260378126465240
> logonCount: 195
> distinguishedName: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
>

I can see no reason why your problem is occurring, not from the information provided. I suggest you set 'log level = 10' and see if anything pops up in the logs.

Rowland
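Rowland's reading of 'idmap_ldb:use rfc2307 = yes' (winbind should hand back the uidNumber stored in AD, not an xidNumber allocated in idmap.ldb) gives an easy audit: for every user that carries a uidNumber, compare it with what 'wbinfo -S <SID>' returns and list the accounts where the two disagree. The script below is an added example written for this thread; it is not code from the thread or from the Samba project. It assumes 'samba-tool user list', 'samba-tool user show' and 'wbinfo -S' produce the output shapes shown above, and the embedded sample data is constructed from the two users in the thread so the comparison can be exercised offline.

```python
"""Audit rfc2307 idmap consistency on a Samba AD DC.

Flags users whose winbind-resolved uid differs from the uidNumber stored
in AD, i.e. exactly the symptom reported for user YYYYYYe above.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: abbreviated `samba-tool user show` output for the two
# users in the thread (only the attributes the audit needs are kept).
SAMPLE_LDIF = """\
dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: XXXXXXd0
objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
uidNumber: 32845
gidNumber: 101

dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: YYYYYYe
objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
uidNumber: 31667
gidNumber: 100
"""

# Constructed sample of what `wbinfo -S <SID>` printed for each SID in the thread.
SAMPLE_WBINFO: Dict[str, str] = {
    "S-1-5-21-3156691614-3416019035-1284015310-128614": "32845",
    "S-1-5-21-3156691614-3416019035-1284015310-127088": "3001681",
}


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF-style output into one dict per blank-line separated entry.

    Multi-valued attributes (memberOf, objectClass) keep only their first
    value, which is fine for the single-valued attributes this audit checks.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # ldbsearch/samba-tool comment lines
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip(), value.strip())
    if current:
        entries.append(current)
    return entries


def find_mismatches(
    ldif_text: str, resolve_sid: Callable[[str], Optional[str]]
) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (sAMAccountName, SID, AD uidNumber, winbind uid) for every user
    whose winbind-resolved uid is missing or differs from the AD uidNumber."""
    bad = []
    for entry in parse_ldif(ldif_text):
        sid = entry.get("objectSid")
        ad_uid = entry.get("uidNumber")
        if sid is None or ad_uid is None:
            # No rfc2307 uid stored: winbind is expected to allocate one from
            # idmap.ldb, so there is nothing to compare against.
            continue
        wb_uid = resolve_sid(sid)
        if wb_uid is None or wb_uid.strip() != ad_uid:
            bad.append((entry.get("sAMAccountName", "?"), sid, ad_uid, wb_uid))
    return bad


def wbinfo_sid_to_uid(sid: str) -> Optional[str]:
    """Live resolver: `wbinfo -S SID` prints the uid winbind maps the SID to."""
    try:
        out = subprocess.run(["wbinfo", "-S", sid], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


def dump_users() -> str:
    """Live source: concatenate `samba-tool user show` for every listed user."""
    names = subprocess.run(["samba-tool", "user", "list"], capture_output=True,
                           text=True, check=True).stdout.split()
    shows = [subprocess.run(["samba-tool", "user", "show", n], capture_output=True,
                            text=True, check=True).stdout for n in names]
    return "\n\n".join(shows)


if __name__ == "__main__":
    # Run on the DC itself as root; prints one line per inconsistent account.
    for name, sid, ad_uid, wb_uid in find_mismatches(dump_users(), wbinfo_sid_to_uid):
        print(f"MISMATCH {name}: AD uidNumber={ad_uid} winbind uid={wb_uid} ({sid})")
```

On the thread's data the audit reports only YYYYYYe (AD uidNumber 31667, winbind uid 3001681); XXXXXXd0 resolves to its AD uidNumber 32845 and is silent. Running it across all 20k users turns the one-off observation into a list of affected accounts, which is what you would want in hand before raising the log level or correlating against idmap.ldb.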