
Re: [Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND




On 12/07/17 17:11, Rowland Penny via samba wrote:
> On Wed, 12 Jul 2017 13:41:38 +1000
> Tom Robinson via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Actually, those mappings still confuse me as some of them don't
>> resolve on the DM and some do resolve but have different IDs. I'm
>> guessing I just don't understand the process - or has something gone
>> wrong (sod's law?).
>>
>> I wrote a little python script to iterate over all the well known
>> sids and call wbinfo for each. On the DC they all map to an ID (as I
>> now understand from the idmap.ldb) but on the DM the mappings are
>> completely different and many of them don't map to anything. A couple
>> of examples are:
>>
>> DC:
>> Creator Owner,S-1-3-0,user,placeholder : placeholder in inheritable ACE
>> On the DC it resolves as group as well as a user. Is that something
>> to do with the 'type: ID_TYPE_BOTH' entry in idmap.ldb?
>>
>> # wbinfo -S S-1-3-0
>> 3000045
>> # wbinfo -Y S-1-3-0
>> 3000045
>>
>> Administrators,S-1-5-32-544,group,builtin
>> # wbinfo -S S-1-5-32-544
>> 3000072
>> # wbinfo -Y S-1-5-32-544
>> 3000072
>>
>>
>> DM:
>> Creator Owner,S-1-3-0 : Doesn't resolve as user on the DM. It does
>> resolve as a group but with a different ID to that on the DC:
>>
>> # wbinfo -S S-1-3-0
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-3-0 to uid
>> # wbinfo -Y S-1-3-0
>> 3000006
>>
>> Administrators,S-1-5-32-544,group,builtin
>> # wbinfo -S S-1-5-32-544
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-32-544 to uid
>> # wbinfo -Y S-1-5-32-544
>> 3000000
>>
>> Interestingly if I flush the DM cache (net cache flush) these
>> mappings come back consistently (i.e. 'Creator Owner' is again
>> assigned with 3000006 and likewise Administrators=3000000).
>>
>> I can see the mapping entry in the cache listing and in the
>> various .tdb files using tdbdump but what determines the mapped
>> number assignment and why is it different on the DM vs DC? Does it
>> matter at all that they are different?

I'm still curious why these xidNumbers get mapped differently on the DM. Where does that happen and
do I have any control over it?

>> from samba-tool ntacl sysvolcheck? I've now entertained the idea of
>> changing the UIDs on the Samba3 NT Domain (involves a bit of work
>> changing POSIX ownerships but is possible to do without much
>> disruption - most of our permissions are grouped and GIDs start at
>> 1000+). I could then redo the classic upgrade having the UIDs start
>> at 1500+.
> If you are going to do this, can I suggest '10000' as a starting
> number, this is where ADUC (using the Unix Attributes tab) starts, I
> would also renumber the groups as well.

Good advice. Thanks. I'm assuming that the ADUC groups defaults start at 10000 also.

>
>> One reason for doing the classicupgrade was that it will bring over
>> all the accounts and passwords in one hit. If there's a simple way to
>> bring accounts and passwords into a new domain then I could do that.
>> See above comments regarding joining again as for us it's not really
>> an issue.
>>
> I personally would dump the users and groups to a csv list, remove
> anything that shouldn't be there. Create a new AD, create the required
> groups from the csv, re-create the users from the csv using a
> temporary password and set the password to be changed at next login.
> You could then go around the computers, joining them to the domain.
>   
>

This looks attractive in so many ways. I'm concerned on a couple of levels, though.

* The OpenLDAP backend for Samba3 is also responsible for authentication across our infrastructure:
** NFS mounts for /home/<user> NFS exported from the Samba3 host (multiple hosts mount this)
** mail server authentication
** Shares on Samba3

If I do go to a new domain there's going to be a bit of juggling account authentication across
multiple services running on multiple hosts. So it's not just about joining the new domain and
resetting the password.

Then there's the TBs of data shared on the Samba3 domain. A new domain will have new UIDs/GIDs that
aren't going to match the older UIDs/GIDs (and the same for the IMAP mail folders on the mail server
for that matter!). Can the samba3 (3.6.23) domain be joined easily to the new samba4 domain as a DM?

I'm beginning to think that going through the UID/GID changes first (i.e. on the Samba3 domain) may
still be worthwhile.

Ultimately I will migrate all the shared data to the new Samba4 DM and all authentication would go
via the Samba4 DC.

Maybe I should start a new thread!

Kind regards,
Tom
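An added example, not the poster's own script (which is not on this page): a small Python audit that asks winbind for the uid (`wbinfo -S`) and gid (`wbinfo -Y`) of each well-known SID on a host and reports where the DC and DM disagree, treating a `WBC_ERR_DOMAIN_NOT_FOUND` reply as "no mapping". The SID list is a constructed subset, the `run_wbinfo`/`collect`/`diff_maps` names are assumptions, and `DC_OUTPUT`/`DM_OUTPUT` are constructed from the outputs quoted above so the demo runs offline; point `collect()` at `run_wbinfo` on each host to audit a real deployment.

```python
import subprocess
from typing import Callable, Dict, Optional

# Constructed subset of the well-known SIDs to audit (the poster's full list is not on the page).
WELL_KNOWN_SIDS = {"S-1-3-0": "Creator Owner", "S-1-5-32-544": "Administrators"}
# A runner maps (wbinfo flag, SID) -> wbinfo's combined stdout+stderr for that call.
Runner = Callable[[str, str], str]

def run_wbinfo(flag: str, sid: str) -> str:
    """Default runner: call the real wbinfo; WBC_ERR_* diagnostics go to stderr, so merge both."""
    proc = subprocess.run(["wbinfo", flag, sid], capture_output=True, text=True)
    return proc.stdout + proc.stderr

def parse_xid(output: str) -> Optional[int]:
    """A successful lookup prints a bare number; anything else (for example
    'failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND') means winbind has no mapping."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    return int(first) if first.isdigit() else None

def collect(runner: Runner = run_wbinfo) -> Dict[str, Dict[str, Optional[int]]]:
    """uid (-S) and gid (-Y) of every well-known SID as this host's winbind sees them."""
    return {sid: {"uid": parse_xid(runner("-S", sid)), "gid": parse_xid(runner("-Y", sid))}
            for sid in WELL_KNOWN_SIDS}

def diff_maps(dc: Dict, dm: Dict) -> Dict[str, str]:
    """Per SID: identical on both hosts, mapped to different xids, or unmapped on the DM."""
    report = {}
    for sid, name in WELL_KNOWN_SIDS.items():
        a, b = dc[sid], dm[sid]
        if a == b:
            report[sid] = f"{name}: consistent"
        elif b["uid"] is None and b["gid"] is None:
            report[sid] = f"{name}: unmapped on DM"
        else:
            report[sid] = (f"{name}: differs (DC uid={a['uid']} gid={a['gid']}, "
                           f"DM uid={b['uid']} gid={b['gid']})")
    return report

# Constructed stand-ins for the two hosts, built from the wbinfo outputs quoted in the thread.
DC_OUTPUT = {("-S", "S-1-3-0"): "3000045\n", ("-Y", "S-1-3-0"): "3000045\n",
             ("-S", "S-1-5-32-544"): "3000072\n", ("-Y", "S-1-5-32-544"): "3000072\n"}
DM_OUTPUT = {("-S", "S-1-3-0"): "failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND\n",
             ("-Y", "S-1-3-0"): "3000006\n",
             ("-S", "S-1-5-32-544"): "failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND\n",
             ("-Y", "S-1-5-32-544"): "3000000\n"}
if __name__ == "__main__":
    dc, dm = collect(lambda f, s: DC_OUTPUT[(f, s)]), collect(lambda f, s: DM_OUTPUT[(f, s)])
    for line in diff_maps(dc, dm).values():
        print(line)
```

A SID that resolves to the same xid as both uid and gid on the DC (the ID_TYPE_BOTH behaviour asked about above) shows up here as a DC entry with equal uid and gid, while the DM's missing uid surfaces as `uid=None`.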
