On 22/04/2023 07:24, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List
>
> suddenly I have a problem in my AD SAMBA server (rfc2307 in use, 20k+
> users, 15+ years samba usage)...
>
> some users have wrong id_map.
>
> good:
>
> root at themes:/var/lib/samba/private# wbinfo -n XXXXXXd0
> S-1-5-21-3156691614-3416019035-1284015310-128614 SID_USER (1)
> root at themes:/var/lib/samba/private# wbinfo -S
> S-1-5-21-3156691614-3416019035-1284015310-128614
> 32845
>
> bad:
>
> root at themes:/var/lib/samba/private# wbinfo -n YYYYYYe
> S-1-5-21-3156691614-3416019035-1284015310-127088 SID_USER (1)
> root at themes:/var/lib/samba/private# wbinfo -S
> S-1-5-21-3156691614-3416019035-1284015310-127088
> 3001681
>
> WHY does this happen?

I have no idea, it shouldn't.

>
>
> user YYYYYYe exists in idmap (user XXXXXXd0 does not exist in idmap)

It shouldn't matter if they are in idmap.ldb or not.

>
> root at themes:/var/lib/samba/private/sam.ldb.d# ldbsearch -H
> /var/lib/samba/private/idmap.ldb
> CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> # record 1
> dn: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
> cn: S-1-5-21-3156691614-3416019035-1284015310-127088
> objectClass: sidMap
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
> type: ID_TYPE_BOTH
> xidNumber: 3001681
> distinguishedName: CN=S-1-5-21-3156691614-3416019035-1284015310-127088
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> but even if I delete that record from /var/lib/samba/private/idmap.ldb it
> will be recreated with a new id -> so somewhat instead of using
>
>
> Best Regards
>
> PS - some info:
>
> root at themes:/var/lib/samba/private/sam.ldb.d# samba -V
> Version 4.15.13-Ubuntu
>
> (van belle ad version)

You really need to upgrade Samba, have a search on this list, Michael the Debian Samba maintainer is supplying Ubuntu Samba packages.

>
>
> I use rfc2307 extension:
>
> [global]
>         realm = AD.WSISIZ.EDU.PL
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate

Not that it can be relevant, but you appear to be using Bind9 for the dns server.

>         workgroup = WSISIZ.EDU.PL

Why does your workgroup have dots in it? Also why is it the opposite to every recommendation, which is to use the left hand part of the realm, which in your case would be 'AD'?

>         idmap_ldb:use rfc2307 = yes

That line means: use any uidNumber and gidNumber attributes in AD and ignore the xidNumber attributes in idmap.ldb. This is where the problem sets in, your DC doesn't seem to be doing this.

>         dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>         wins server = 213.135.44.33

Why do you have 'wins server' set, AD does not use wins, it uses dns.

>         ntlm auth = mschapv2-and-ntlmv2-only
>         min domain uid = 0
>         tls enabled  = yes
>         tls keyfile  = tls/key.pem
>         tls certfile = tls/cert.pem
>         tls cafile
>

I have the feeling that the smb.conf continues here with shares (over and above the netlogon & sysvol shares), you do know that this is not recommended.

> user which works:
>
> root at themes:/var/lib/samba/private# samba-tool user show XXXXXXd0
> dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: XXXXXXd0
> instanceType: 4
> whenCreated: 20230316125223.0Z
> uSNCreated: 158183212
> name: XXXXXXd0
> objectGUID: 9d01ecf4-f5b6-422e-90ed-febc81fca2f8
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: \\oceanic\XXXXXXd0
> homeDrive: Z:
> badPasswordTime: 0
> lastLogoff: 0
> scriptPath: login.bat
> primaryGroupID: 513
> profilePath: \\oceanic\XXXXXXd0\profile
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
> accountExpires: 9223372036854775807
> sAMAccountName: XXXXXXd0
> sAMAccountType: 805306368
> userPrincipalName: XXXXXXd0 at ad.wsisiz.edu.pl
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
> mail: XXXXXXd0 at wit.edu.pl
> uidNumber: 32845
> gecos: Temporary User
> loginShell: /bin/bash
> msSFU30NisDomain: wsisiz.edu.pl
> msSFU30Name: XXXXXXd0
> unixUserPassword: ABCD!efgh12345$67890
> userAccountControl: 512
> gidNumber: 101
> unixHomeDirectory: /home/staff/XXXXXXd0
> displayName: Daniel XXXXXXak
> description: Daniel XXXXXXak
> memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> pwdLastSet: 133234629994492940
> lastLogonTimestamp: 133261378445031020
> whenChanged: 20230416165724.0Z
> uSNChanged: 161980087
> lastLogon: 133264880809991990
> logonCount: 174
> distinguishedName: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
>
> user which does not work:
>
> root at themes:/var/lib/samba/private# samba-tool user show YYYYYYe
> dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: YYYYYYe
> instanceType: 4
> whenCreated: 20220601202617.0Z
> uSNCreated: 117943020
> name: YYYYYYe
> objectGUID: 896ceb98-04cc-45de-b1c5-5f51e5711c83
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: \\oceanic\YYYYYYe
> homeDrive: Z:
> badPasswordTime: 0
> lastLogoff: 0
> scriptPath: login.bat
> primaryGroupID: 513
> profilePath: \\oceanic\YYYYYYe\profile
> objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
> accountExpires: 9223372036854775807
> sAMAccountName: YYYYYYe
> sAMAccountType: 805306368
> userPrincipalName: YYYYYYe at ad.wsisiz.edu.pl
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
> mail: YYYYYYe at wit.edu.pl
> uidNumber: 31667
> gidNumber: 100
> gecos: Temporary User
> loginShell: /bin/bash
> msSFU30NisDomain: wsisiz.edu.pl
> msSFU30Name: YYYYYYe
> unixUserPassword: ABCD!efgh12345$67890
> userAccountControl: 512
> unixHomeDirectory: /home/2022/gr/YYYYYYe
> displayName: Erwin YYYYYY
> description: Erwin YYYYYY
> memberOf: CN=terminal,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=terminal-koncowki,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> memberOf: CN=windows-admini,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
> pwdLastSet: 133185514481333840
> lastLogonTimestamp: 133260130599284170
> whenChanged: 20230415061739.0Z
> uSNChanged: 161920835
> lastLogon: 133260378126465240
> logonCount: 195
> distinguishedName: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
>

I can see no reason why your problem is occurring, not from the information provided. I suggest you set 'log level = 10' and see if anything pops up in the logs.

Rowland
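Rowland's reading of `idmap_ldb:use rfc2307 = yes` in the reply above (winbind must hand back the AD uidNumber, never an xidNumber allocated in idmap.ldb) can be turned into a check that runs over a whole user base instead of the two accounts compared by hand in the thread. The following Python script is an added example, not code from the thread or from the Samba project: it parses `samba-tool user show`-style LDIF records, compares each user's `uidNumber` with the id winbind resolved for that user's SID (what `wbinfo -S <SID>` prints), and classifies every difference. The two sample records and the wbinfo results are constructed from the values posted in the thread; the 3000000 lower bound is the default start of the xidNumber allocation range in idmap.ldb on a Samba AD DC, so an id at or above it is the signature of the DC having allocated an id rather than honouring the rfc2307 attribute.

```python
from typing import Dict, List, Optional

# Constructed sample, modelled on the two `samba-tool user show` records posted in
# the thread, trimmed to the attributes this check needs. objectCategory is kept to
# show that a folded LDIF line (continuation starts with a space) is unfolded.
SAMPLE_USER_SHOW = """\
dn: CN=XXXXXXd0,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: XXXXXXd0
objectSid: S-1-5-21-3156691614-3416019035-1284015310-128614
objectCategory:
 CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl
uidNumber: 32845
gidNumber: 101

dn: CN=YYYYYYe,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: YYYYYYe
objectSid: S-1-5-21-3156691614-3416019035-1284015310-127088
uidNumber: 31667
gidNumber: 100
"""

# Constructed sample: the ids `wbinfo -S <SID>` returned for those two SIDs in the thread.
SAMPLE_WBINFO_S: Dict[str, int] = {
    "S-1-5-21-3156691614-3416019035-1284015310-128614": 32845,
    "S-1-5-21-3156691614-3416019035-1284015310-127088": 3001681,
}

# Default start of the xidNumber allocation range in idmap.ldb on a Samba AD DC.
IDMAP_LDB_DEFAULT_LOW = 3000000


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse blank-line separated LDIF records into {attribute: [values]} dicts."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):            # ldbsearch summary lines ("# 1 entries")
            continue
        if not raw.strip():                # blank line ends a record
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]   # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def check_idmap(ldif_text: str, resolved_xid: Dict[str, int]) -> List[Dict[str, object]]:
    """Compare AD's uidNumber with the id winbind resolved for each user's SID.

    With `idmap_ldb:use rfc2307 = yes` the two must be equal. An id at or above
    IDMAP_LDB_DEFAULT_LOW means the DC allocated an xidNumber in idmap.ldb instead
    of honouring uidNumber; any other difference is reported as a plain mismatch.
    """
    findings: List[Dict[str, object]] = []
    for rec in parse_ldif(ldif_text):
        sid = rec.get("objectSid", [None])[0]
        uid_values = rec.get("uidNumber")
        if sid is None or not uid_values:
            continue                       # no rfc2307 uidNumber to compare against
        expected = int(uid_values[0])
        actual = resolved_xid.get(sid)
        if actual is None:
            status = "unresolved"
        elif actual == expected:
            status = "ok"
        elif actual >= IDMAP_LDB_DEFAULT_LOW:
            status = "allocated-from-idmap.ldb"
        else:
            status = "mismatch"
        findings.append({
            "user": rec.get("sAMAccountName", ["?"])[0],
            "sid": sid,
            "uidNumber": expected,
            "winbind": actual,
            "status": status,
        })
    return findings


def mismatches(ldif_text: str, resolved_xid: Dict[str, int]) -> List[Dict[str, object]]:
    """Only the findings a DC admin needs to act on."""
    return [f for f in check_idmap(ldif_text, resolved_xid) if f["status"] != "ok"]


if __name__ == "__main__":
    for f in check_idmap(SAMPLE_USER_SHOW, SAMPLE_WBINFO_S):
        print(f"{f['user']:<10} uidNumber={f['uidNumber']:<8} winbind={f['winbind']!s:<8} {f['status']}")
```

To run it against a live DC, replace the sample string with the captured `samba-tool user show` output for each account and build the dict from `wbinfo -S <SID>` for each objectSid. A user reported as allocated-from-idmap.ldb is one where the DC ignored the rfc2307 attribute, which is the symptom described in the thread; because deleting the idmap.ldb record only gets it re-allocated, the report is a way to measure how many accounts are affected before and after changing the configuration, not a fix by itself.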
Bartłomiej Solarz-Niesłuchowski
2023-Apr-23 06:14 UTC
[Samba] strange troubles in idmapping
On 22.04.2023 at 10:55, Rowland Penny via samba wrote:
>> root at themes:/var/lib/samba/private/sam.ldb.d# samba -V
>> Version 4.15.13-Ubuntu
>>
>> (van belle ad version)
>
> You really need to upgrade Samba, have a search on this list, Michael
> the Debian Samba maintainer is supplying Ubuntu Samba packages.

So I upgraded Ubuntu to 22.04.2 but there is the same version of Samba - where can I find the newest version prepackaged for Ubuntu (I am googling without effect)?

Best Regards

--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
MSTEAMS: solarz at office.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it