norbert.hanke
Dabbler
- Joined
- Aug 6, 2019
- Messages
- 11
This is on a TrueNAS CORE system on the latest version TrueNAS-13.0-U3.1 . It has a 3 year history of updates.
The problem is not specific to version 13.0-U3.1 : it has been there before.
The system has been joined to a Samba AD domain ever since, and rfc2307 name mapping works.
But there seems to be an issue with TDB UID and GID allocation for users and groups that have no UID and GID set in AD.
/var/log/samba4/log.winbindd-idmap has entries like
I increased the upper limit for the TDB UID range to 8200, with the result that just error message changes:
In log.smbd I see entries for computer accounts, and for users that have no UID set in AD like
If I set a UID attribute in AD for such accounts the error goes away. Having UIDs on computer accounts is not typical, but at least it helps.
In the fileystem I can see numeric GIDs that are no more known to winbind, like
winbind knows a few builtin users but far from all that I would expect:
Is there a way to reset ID allocation to start from scratch? Or manually edit the ID database to fix it?
I tried this but it does not work:
maybe this is useful information?
This is my samba configuration:
This looks ok:
The problem is not specific to version 13.0-U3.1 : it has been there before.
The system has been joined to a Samba AD domain ever since, and rfc2307 name mapping works.
But there seems to be an issue with TDB UID and GID allocation for users and groups that have no UID and GID set in AD.
/var/log/samba4/log.winbindd-idmap has entries like
[2023/01/05 23:22:41.675762, 1] ../../source3/winbindd/idmap_tdb_common.c:66(idmap_tdb_common_allocate_id_action)
Fatal Error: GID range full!! (max: 7999)
[2023/01/05 23:22:41.675819, 1] ../../source3/winbindd/idmap_tdb_common.c:149(idmap_tdb_common_allocate_id)
Error allocating a new GIDI increased the upper limit for the TDB UID range to 8200, with the result that just error message changes:
[2023/01/05 23:24:48.359581, 1] ../../source3/winbindd/idmap_tdb_common.c:66(idmap_tdb_common_allocate_id_action)
Fatal Error: GID range full!! (max: 8200)
[2023/01/05 23:24:48.359796, 1] ../../source3/winbindd/idmap_tdb_common.c:149(idmap_tdb_common_allocate_id)
Error allocating a new GIDIn log.smbd I see entries for computer accounts, and for users that have no UID set in AD like
[2023/01/03 20:24:05.571166, 0] ../../source3/auth/auth_util.c:1928(check_account)
check_account: Failed to convert SID S-1-5-21-744319914-1299377278-1878550687-9604 to a UID (dom_user[MYDOMAIN\e7470-1$])
[2023/01/05 09:50:53.465695, 0] ../../source3/auth/auth_util.c:1928(check_account)
check_account: Failed to convert SID S-1-5-21-744319914-1299377278-1878550687-500 to a UID (dom_user[MYDOMAIN\administrator])If I set a UID attribute in AD for such accounts the error goes away. Having UIDs on computer accounts is not typical, but at least it helps.
In the fileystem I can see numeric GIDs that are no more known to winbind, like
# getfacl /mnt/data/userdata
# file: /mnt/data/userdata
# owner: root
# group: MYDOMAIN\fileadmins
group@:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\domain users:r-x---a-R-c---:-------:allow
group:3008:rwxpDdaARWcCo-:fdi----:allow
group:3007:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\folder redirection users:r--p--a-R-c---:-------:allow
everyone@:r-x---a-R-c---:-------:allowwinbind knows a few builtin users but far from all that I would expect:
# gid=3000 ; while [ $gid -le 3010 ] ; do getent group $gid ; gid=$(($gid+1)) ; done
BUILTIN\administrators:x:3000
BUILTIN\users:x:3001
BUILTIN\guests:x:3002Is there a way to reset ID allocation to start from scratch? Or manually edit the ID database to fix it?
I tried this but it does not work:
# ldbedit -H /var/db/system/samba4/winbindd_idmap.tdb
Can't find include file registry
Can't load /usr/local/etc/smb4.conf - run testparm to debug it
no matching records - cannot editmaybe this is useful information?
Code:
# tdbtool /var/db/system/samba4/winbindd_idmap.tdb dump key 13 bytes DN=@BASEINFO data 43 bytes [000] 67 19 01 26 01 00 00 00 40 42 41 53 45 49 4E 46 g..&... @BASEINF [010] 4F 00 73 65 71 75 65 6E 63 65 4E 75 6D 62 65 72 O.sequen ceNumber [020] 00 01 00 00 00 01 00 00 00 31 00 ....... .1 key 9 bytes USER HWM data 4 bytes [000] 81 4A 5D 05 .J]. key 10 bytes GROUP HWM data 4 bytes [000] 81 4A 5D 05 .J]. key 14 bytes IDMAP_VERSION data 4 bytes [000] 02 00 00 00 ...
This is my samba configuration:
Code:
# testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
ads dns update = No
aio max threads = 2
allow trusted domains = No
bind interfaces only = Yes
client ldap sasl wrapping = seal
disable spoolss = Yes
dns proxy = No
domain master = No
enable web service discovery = Yes
kerberos method = secrets and keytab
kernel change notify = No
load printers = No
local master = No
logging = syslog@2 file
map to guest = Bad User
max log size = 51200
nsupdate command = /usr/local/bin/samba-nsupdate -g
preferred master = No
realm = AD.MYDOMAIN.TLD
registry shares = Yes
security = ADS
server multi channel support = No
server role = member server
server string = FreeNAS Server
template shell = /bin/sh
unix extensions = No
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
winbind nss info = rfc2307
workgroup = MYDOMAIN
idmap config *: range = 3000-8200
idmap config mydomain: unix_primary_group = Yes
idmap config mydomain: unix_nss_info = Yes
idmap config mydomain: schema_mode = rfc2307
idmap config mydomain: range = 10000-999999
idmap config mydomain: backend = ad
rpc_server:mdssvc = disabled
rpc_daemon:mdssd = disabled
idmap config * : backend = tdb
directory name cache size = 0
dos filemode = YesThis looks ok:
# midclt call activedirectory.domain_info | jq
{
"LDAP server": "10.88.1.9",
"LDAP server name": "dc2.ad.mydomain.tld",
"Realm": "AD.MYDOMAIN.TLD",
"Bind Path": "dc=AD,dc=MYDOMAIN,dc=TLD",
"LDAP port": 389,
"Server time": 1672961806,
"KDC server": "10.88.1.9",
"Server time offset": 0,
"Last machine account password change": 1592159970
}
