
[Samba] User idmap lost

Back on February 28, 2018, I started a thread "User permissions of profile/home directory lost" describing a problem occurring with my wife's user account. Since that time the random problem has persisted so I turned on some debugging. I have been able to determine that somehow her account idmap is broken. Here is the entry for my wife's SID as found in the idmap.ldb file (all subsequent data has been sanitized):

root@nikita> wbinfo -n mywife
S-1-5-21-729452656-3029571206-2736118167-1143 SID_USER (1)

# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
cn: S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
distinguishedName: CN=S-1-5-21-729452656-3029571206-2736118167-1143

Please note that the xidNumber is 3000062.

Here is the entry for my wife's user account in the sam.ldb file:

# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
sn: Wife
c: US
l: Somewhere
st: A State
postalCode:
givenName: Sharon
instanceType: 4
whenCreated: 20141220195750.0Z
uSNCreated: 5115
co: United States
company: MyHome!
objectGUID: 2770b5ca-f2e7-43bc-9a47-833ce384c564
badPwdCount: 0
codePage: 0
countryCode: 840
homeDirectory: \\mydom\home\mywife
homeDrive: H:
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
accountExpires: 9223372036854775807
sAMAccountName: mywife
sAMAccountType: 805306368
userPrincipalName: mywife@xxxxxxxxxxxxxx
userAccountControl: 66048
memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=MyDomOU,DC=mydo
 m,DC=mydc,DC=com
cn: My Wife
name: My Wife
streetAddress: 999 Street
initials:
displayName: My Wife
gidNumber: 3000513
lockoutTime: 0
loginShell: /bin/bash
mail: mywife@xxxxxxxx
mobile:
msDS-SupportedEncryptionTypes: 0
telephoneNumber:
title: The Bigger Boss
uidNumber: 3001108
unixHomeDirectory: /home/mywife
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydom,DC=mydc,DC=co
 m
profilePath: \\mydom\home\Profiles\sln-11868bg
pwdLastSet: 131111097150000000
msSFU30NisDomain: mydom
msSFU30Name: mywife
unixUserPassword: ABCD!efgh12345$67890
uid: mywife
lastLogonTimestamp: 131672869851028400
whenChanged: 20180404034305.0Z
uSNChanged: 7165
lastLogon: 131674502053144830
logonCount: 134145
distinguishedName: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com

Note that the uidNumber is 3001108. Intermittently the Samba AD loses the uidNumber somehow. Instead of this:

>getent passwd mywife

MYDOM\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash

I get this:

>getent passwd mywife

MYDOM\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash

At this point all my wife's files are no longer owned by her. Note that the "incorrect" uidNumber corresponds to the xidNumber in the idmap.ldb database.

I had turned on some logging and the winbindd.log shows these messages (I snipped lots of repeating stuff):

[2018/04/05 07:29:03.938389,  3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3001108
[2018/04/05 07:29:03.945379,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 1212]: request interface version (version = 29)
[2018/04/05 07:29:03.945435,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 1212]: request location of privileged pipe
[2018/04/05 07:29:03.945532,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam MYDOM\mywife

<snipping stuff>

<see lots of this next one>

[2018/04/05 07:37:13.307216,  5] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

<snipping stuff>

[2018/04/05 07:41:11.697582,  3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3000062
[2018/04/05 07:41:11.701723,  3] ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
  getgrgid 3000513
[2018/04/05 07:41:11.705707,  3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3000062
[2018/04/05 07:41:11.709763,  3] ../source3/winbindd/winbindd_getgrgid.c:52(winbindd_getgrgid_send)
  getgrgid 3000513
[2018/04/05 07:41:11.873940,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam mywife
[2018/04/05 07:41:11.883785,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 5905]: request interface version (version = 29)
[2018/04/05 07:41:11.883841,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 5905]: request location of privileged pipe
[2018/04/05 07:41:11.883930,  3] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups MYDOM\mywife

<snipping stuff>

[2018/04/05 18:52:03.772521,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam mywife
[2018/04/05 18:52:06.562820,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [27682]: request interface version (version = 29)
[2018/04/05 18:52:06.562899,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [27682]: request location of privileged pipe
[2018/04/05 18:52:06.562997,  3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3001108
[2018/04/05 18:52:06.567294,  5] ../source3/winbindd/winbindd_getpwuid.c:111(winbindd_getpwuid_recv)
  Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED

Here is the AD smb.conf:

# Global parameters
[global]
        server string = Nurdog Active Directory Server
        workgroup = MYDOM
        realm = MYDOM.MYDC.COM
        server role = active directory domain controller
        server services = -dns
        bind interfaces only = yes
        interfaces = br0 lo
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum groups = yes
        winbind enum users = yes
        winbind nss info = rfc2307
        template homedir = /home/%U
        template shell = /bin/bash
        log file = /var/log/samba/%m.log
        max log size = 10000
        log level = 3 auth:5 winbind:5

[netlogon]
        path = /var/lib/samba/sysvol/myhome.nurdog.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Profiles]
        path = /home/Profiles/
        read only = No

[home]
        path = /home
        read only = No

Some more useful data. The problem seems correlated to when my wife logs into her user account on a Windows 10 box. That happened around 7:38AM this morning and at approximately 7:41AM her identity problems began. If I go and chown on her files everything will reset to her uid 3001108. As long as she is logged in when I do this everything will be okay until she logs out and back in and then it will occur again.

Can somebody point me in a direction to debug this issue? What on the Windows 10 client could possibly cause the AD to change my wife's account from the uidNumber 3001108 in the AD database to the idmap xidNumber 3000062? Why would there be a sid S-1-22-1-3001108 which suspiciously has the uidNumber 3001108? And should I worry about the sid S-0-0 that cannot be mapped?

I am wondering if the latest version of Samba 4.7.6 is now confused by my use of the xidNumbers as uidNumbers. I never saw this problem with 4.7.5 or lower versions. Although it is very strange that only my wife's account has this problem when she logs in. My account is fine... no issues at all.

Finally should I just bite the bullet and delete my wife's account, remove any remnants to it in the databases, and then recreate it? I would use a more reasonable uidNumber range of say 10000 to 20000 and then just chown all of our files.

I need to fix this problem as my wife's email starts to bounce when this occurs since dovecot cannot write to her files since they are owned by 3001108 and the system thinks her uid is 3000062. She is not very pleased at the moment.

Thanks for any help/advice.

--
Paul (ganci@xxxxxxxxxx)
Cell: (303)257-5208
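As an added example (not code from the original post, nor from Samba), the following Python script checks for exactly the drift the mail describes: it reads the idmap.ldb and sam.ldb records for one account, compares the rfc2307 uidNumber with the idmap xidNumber for the same SID, and classifies what getent passwd is currently returning. It also pulls the uid out of any "Could not convert sid S-1-22-1-<n>" line in a winbindd.log excerpt, since S-1-22-1-<n> is the SID form Samba uses to represent a raw Unix uid n. All LDIF, getent and log samples inside it are constructed from the sanitized values quoted above.

```python
"""Detect the uid drift described in the post: compare the uidNumber stored
in sam.ldb (rfc2307) with the xidNumber allocated in idmap.ldb for the same
SID, and classify what getent passwd is currently returning.
Added example, not code from the original post; the LDIF, getent and
winbindd.log samples below are constructed to mirror the sanitized data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples (values taken from the sanitized records in the post).
IDMAP_LDIF = """\
# record 27
dn: CN=S-1-5-21-729452656-3029571206-2736118167-1143
cn: S-1-5-21-729452656-3029571206-2736118167-1143
objectClass: sidMap
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
type: ID_TYPE_BOTH
xidNumber: 3000062
"""

SAM_LDIF = """\
# record 277
dn: CN=My Wife,CN=Users,DC=mydom,DC=mydc,DC=com
objectSid: S-1-5-21-729452656-3029571206-2736118167-1143
sAMAccountName: mywife
memberOf: CN=Roaming Profiles and Folder Redirection Users,OU=MyDomOU,DC=mydo
 m,DC=mydc,DC=com
gidNumber: 3000513
uidNumber: 3001108
unixHomeDirectory: /home/mywife
"""

GETENT_GOOD = "MYDOM\\mywife:*:3001108::3000513:My Wife:/home/mywife:/bin/bash"
GETENT_BAD = "MYDOM\\mywife:*:3000062::3000513:My Wife:/home/mywife:/bin/bash"

WINBIND_LOG = """\
[2018/04/05 18:52:06.562997,  3] ../source3/winbindd/winbindd_getpwuid.c:49(winbindd_getpwuid_send)
  getpwuid 3001108
[2018/04/05 18:52:06.567294,  5] ../source3/winbindd/winbindd_getpwuid.c:111(winbindd_getpwuid_recv)
  Could not convert sid S-1-22-1-3001108: STATUS_SOME_UNMAPPED
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    skips '#' comments and splits records on blank lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def parse_getent_passwd(line: str) -> Dict[str, object]:
    """Read one 'getent passwd' line. The lines quoted in the post carry an
    empty field between uid and gid, so take the numeric fields in order
    instead of trusting fixed positions."""
    fields = line.split(":")
    numbers = [int(f) for f in fields[2:] if f.isdigit()]
    if len(numbers) < 2:
        raise ValueError("no uid/gid in getent line: %r" % line)
    return {"name": fields[0], "uid": numbers[0], "gid": numbers[1],
            "home": fields[-2], "shell": fields[-1]}


# S-1-22-1-<n> is the SID Samba uses to represent raw Unix uid n.
UNIX_USER_SID = re.compile(r"Could not convert sid S-1-22-1-(\d+)")


def unmapped_unix_uids(log_text: str) -> List[int]:
    """Collect uids that winbindd could not map back to an AD object,
    from a winbindd.log excerpt."""
    return [int(m.group(1)) for m in UNIX_USER_SID.finditer(log_text)]


@dataclass
class IdCheck:
    account: str
    sid: str
    ad_uid: Optional[int]   # uidNumber from sam.ldb (rfc2307)
    xid: Optional[int]      # xidNumber from idmap.ldb
    effective_uid: int      # what getent passwd returned
    status: str             # "ok", "drift" or "unknown"


def check_identity(sam_ldif: str, idmap_ldif: str, getent_line: str,
                   account: str) -> IdCheck:
    """Classify the uid getent returns for `account`: the AD uidNumber (ok),
    the idmap.ldb xidNumber (drift, the failure in the post) or neither."""
    sam = next(r for r in parse_ldif(sam_ldif)
               if r.get("sAMAccountName") == [account])
    sid = sam["objectSid"][0]
    ad_uid = int(sam["uidNumber"][0]) if "uidNumber" in sam else None
    xid_by_sid = {r["objectSid"][0]: int(r["xidNumber"][0])
                  for r in parse_ldif(idmap_ldif)
                  if "objectSid" in r and "xidNumber" in r}
    xid = xid_by_sid.get(sid)
    effective = int(parse_getent_passwd(getent_line)["uid"])
    if ad_uid is not None and effective == ad_uid:
        status = "ok"
    elif xid is not None and effective == xid:
        status = "drift"
    else:
        status = "unknown"
    return IdCheck(account, sid, ad_uid, xid, effective, status)


if __name__ == "__main__":
    for line in (GETENT_GOOD, GETENT_BAD):
        print(check_identity(SAM_LDIF, IDMAP_LDIF, line, "mywife"))
    print("uids winbindd could not map back to AD:", unmapped_unix_uids(WINBIND_LOG))
```

On a live DC the same functions can be fed the output of ldbsearch against sam.ldb and idmap.ldb together with the current getent passwd line; a "drift" result is the moment to take a copy of both databases and the winbindd.log before chown masks the symptom again.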
