Problem: samba shares on memberservers not accessible

Problem:

Samba shares on memberservers not accessible.
UCS Samba/AD DCs use the file idmap.ldb for the assignment of objectSid to xidNumber (Posix UID/GID).
UCS Samba member servers primarily consult their domain controller for the assignment of objectSid to xidNumber; only if the domain controller does not know the answer does winbind create an object in OpenLDAP under cn=idmap. The objects under cn=idmap are analogous to the ones in /var/lib/samba/private/idmap.ldb.
The UCS member server with Samba3 attempts to convert the SID of the user or group into a Posix ID when a request is made in order to determine the authorisation at file level.

In /var/log/samba/log.smbd you find

[2022/03/28 16:45:19.374484,  0] ../../source3/auth/auth_util.c:1889(check_account)
  check_account: Failed to convert SID S-1-5-21-2615459141-2503667724-3635462610-1061706 to a UID (dom_user[SCHOOL+cscheini])
[2022/03/28 16:45:19.374514,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/03/28 16:45:19.374756,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

Investigation:

Check access with smbclient:

root@mb-01:~# smbclient //$(hostname -f)/print$ -U cscheini
Enter SCHOOL\cscheini's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Check wbinfo:

root@mb-01:~# wbinfo -n cscheini
S-1-5-21-2615459141-2503667724-3635462610-1061706 SID_USER (1)
root@mb-01:~# wbinfo -S S-1-5-21-2615459141-2503667724-3635462610-1061706
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2615459141-2503667724-3635462610-1061706 to uid

Solution:

The problem here is that the UID number lies outside the idmap range.
In /etc/samba/smb.conf you see the definition:

; idmap/winbind
ldap idmap suffix = cn=idmap,cn=univention
idmap config * : backend        = ldap
idmap config * : range          = 55000-64000
idmap config * : ldap_url       = ldap://dc01.schein.me:7389
idmap config * : ldap_user_dn   = cn=mb-01,cn=computers,ou=sun,dc=schein,dc=me
idmap config SCHOOL : backend = nss
idmap config SCHOOL : range = 1000-54999

Please note that the part SCHOOL might differ depending on your environment. Please adjust the following commands appropriately.

The settings can simply be changed via UCR variables:

ucr set samba/idmap/range=550000-640000
ucr set samba/idmap/SCHOOL/range=1000-549999
/etc/init.d/samba restart
net cache flush
/etc/init.d/winbind restart

After adjusting the ranges, the old default range (55000-64000) is now part of the domain range. So we have to check whether there are objects from the old default range that now lie in the domain range and can no longer be found. You do this on the primary server:

univention-ldapsearch -b cn=idmap,cn=univention,$(ucr get ldap/base) '(|(uidNumber<=550000)(gidNumber<=550000))' 1.1

You will find the entry
cn=nextUnixId,cn=idmap,cn=univention,$(ucr get ldap/base)
whose counters still point into the old range and have to be adjusted here:
uidNumber: 55000
gidNumber: 55000

ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret <<%EOF
dn: cn=nextUnixId,cn=idmap,cn=univention,dc=schein,dc=me
changetype: modify
replace: gidNumber
gidNumber: 550000
-
replace: uidNumber
uidNumber: 550000
%EOF

There may also be other objects below cn=idmap,cn=univention,$(ucr get ldap/base) whose DNs start with sambaSID=S-1-X-X.
These have to be adjusted, too. For these entries the uidNumber and gidNumber values must be kept unique; a good practice is to increment the values.
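To adjust those remaining objects consistently, here is an added example (not from the original post and not Univention code) that takes the LDIF of the search above, run with "uidNumber gidNumber" requested instead of "1.1", and generates the input for ldapmodify: every ID below the new range start gets a fresh, unique value counting up from the new start, and nextUnixId is moved past the last one handed out. The sample LDIF is constructed.

```python
# Constructed sample of the LDIF the post's ldapsearch returns when run with
# "uidNumber gidNumber" instead of "1.1" (long DNs folded as ldapsearch does).
SAMPLE_LDIF = """\
dn: cn=nextUnixId,cn=idmap,cn=univention,dc=schein,dc=me
uidNumber: 55000
gidNumber: 55000

dn: sambaSID=S-1-5-21-2615459141-2503667724-3635462610-1061706,cn=idmap,cn=univ
 ention,dc=schein,dc=me
uidNumber: 55003

dn: sambaSID=S-1-5-32-544,cn=idmap,cn=univention,dc=schein,dc=me
gidNumber: 55001
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per entry, unfolding continuation lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # LDIF folds long lines; rejoin them
            else:
                lines.append(line)
        entries.append(dict(line.partition(": ")[::2] for line in lines))
    return entries

def plan_idmap_moves(ldif_text, new_range_start):
    """Give each uidNumber/gidNumber below new_range_start a fresh unique ID counted
    up from new_range_start, then move nextUnixId past them. Returns LDIF for ldapmodify."""
    next_id, records, next_unix_dn = new_range_start, [], None
    for entry in parse_ldif(ldif_text):
        if entry["dn"].startswith("cn=nextUnixId,"):
            next_unix_dn = entry["dn"]  # handled last, once all new IDs are known
            continue
        mods = []
        for attr in ("uidNumber", "gidNumber"):
            if attr in entry and int(entry[attr]) < new_range_start:
                mods.append(f"replace: {attr}\n{attr}: {next_id}")
                next_id += 1  # never reuse an ID, so mappings stay unique
        if mods:
            records.append(f"dn: {entry['dn']}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n")
    if next_unix_dn:  # the allocator must start above every ID handed out
        records.append(f"dn: {next_unix_dn}\nchangetype: modify\nreplace: uidNumber\n"
                       f"uidNumber: {next_id}\n-\nreplace: gidNumber\ngidNumber: {next_id}\n")
    return "\n".join(records)

if __name__ == "__main__":
    print(plan_idmap_moves(SAMPLE_LDIF, 550000), end="")
```

Review the printed LDIF before piping it into ldapmodify as in the nextUnixId example above; files on the member server that are owned by the old UIDs/GIDs keep those numeric owners until they are chowned.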
