Samba clients receiving wrong UID

Hi all,

I have been using UCS for a while now without any issues. Recently, I’ve had to create a few new users and noticed that none of them can access their /home folder via Samba. I checked connections via smbstatus and discovered the ‘username’ column for these new users did not display their username, but a UID value (e.g. 3000005) that doesn’t seem to correspond to anything.

I have checked auth.log and the username shows to authenticate properly. log.smbd looks like it’s grabbing the SID properly as well:

[2018/11/22 12:32:17.076021,  3, pid=26716] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [CMTL]\[Test4] at [Thu, 22 Nov 2018 12:32:17.076007 EST] with [NTLMv2] status [NT_STATUS_OK] workstation [ICARUS] remote host [ipv6:fec0::1abf:6042:b667:e884:41946] became [CMTL]\[Test4] [S-1-5-21-735641464-3328311708-1377503138-1612]. local host [ipv6:fec0::20c:29ff:feaf:eb56:445] 
[2018/11/22 12:32:17.076210,  3, pid=26716] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-11-22T12:32:17.076130-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv6:fec0::20c:29ff:feaf:eb56:445", "remoteAddress": "ipv6:fec0::1abf:6042:b667:e884:41946", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "CMTL", "clientAccount": "Test4", "workstation": "ICARUS", "becameAccount": "Test4", "becameDomain": "CMTL", "becameSid": "S-1-5-21-735641464-3328311708-1377503138-1612", "mappedAccount": "Test4", "mappedDomain": "CMTL", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}

but then this happens:

[2018/11/22 12:32:17.270884,  3, pid=26716] ../source3/smbd/service.c:841(make_connection_snum)
  fec0__1abf_6042_b667_e884 (ipv6:fec0::1abf:6042:b667:e884:41946) connect to service IPC$ initially as user CMTL+Test4 (uid=3000008, gid=5074) (pid 26716)

uid should be 2100.

Any thoughts on why this could be happening? I’m currently running UCS 4.3-2 errata331. The ‘old’ users, which still work properly, were made back under UCS 4.3-0 and previous, and we had a backup-to-master change since as well. Thank you for any help,

       -Nick

Hey,

sounds like either changes to the OpenLDAP aren’t replicated to the Samba LDAP, or the Winbind daemon is acting up. Please post the output of the following commands (I assume the user name you tested with is test4; if not, replace with the appropriate user name in the commands below):

univention-s4connector-list-rejected
univention-ldapsearch -LLLo ldif-wrap=no uid=test4 | grep -Eiv 'pass|pw|krb'
univention-s4search cn=test4 | ldapsearch-wrapper | grep -Eiv 'pass|pw|krb'
wbinfo --name-to-sid=test4

Then restart the winbind daemon and re-try the last command:

systemctl restart winbind.service
wbinfo --name-to-sid=test4

Kind regards
mosu

Hi mosu, thank you for the quick reply. Unfortunately I didn’t see the response notification until today, so I can’t post accurate output for those commands anymore.

As it turns out though, it actually ended up being an erroneous LDAP entry. Somewhere along the line, a second ‘Samba Domain’ type object was created, and the new users were getting the new, wrong domain as part of their SID. I deleted the LDAP object and now all newly created users can authenticate properly.
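
The root cause described in the last post (new accounts carrying a different domain part in their SID) can be spotted from log.smbd alone. The following is an added example, not part of the original thread: it pairs the two log line shapes quoted in the first post by pid and flags accounts whose SID domain part differs from the majority. The function names are hypothetical, and the sample log lines, SIDs, pids and uids are constructed.

```python
import re
from collections import Counter

# Patterns for the two log.smbd (log level 3) line shapes quoted in the thread.
PID_RE = re.compile(r"pid=(\d+)\]")
AUTH_RE = re.compile(r"became \[[^\]]*\]\\\[([^\]]*)\] \[(S-1-[\d-]+)\]")
CONN_RE = re.compile(r"as user \S+ \(uid=(\d+), gid=\d+\) \(pid (\d+)\)")

def domain_sid(sid):
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]

def sessions(lines):
    """Pair each authentication event with the uid smbd mapped it to, by pid."""
    pending, out, pid = {}, [], None
    for line in lines:
        header = PID_RE.search(line)
        if header:                      # header line names the pid of the next line
            pid = header.group(1)
            continue
        auth, conn = AUTH_RE.search(line), CONN_RE.search(line)
        if auth and pid:
            pending[pid] = {"user": auth.group(1), "sid": auth.group(2)}
        elif conn and conn.group(2) in pending:
            out.append(dict(pending[conn.group(2)], uid=int(conn.group(1))))
    return out

def wrong_domain(sess, expected=None):
    """Sessions whose SID domain part differs from `expected`
    (default: the most common domain part in the sample)."""
    if expected is None:
        expected = Counter(domain_sid(s["sid"]) for s in sess).most_common(1)[0][0]
    return [s for s in sess if domain_sid(s["sid"]) != expected]

# Constructed sample: SIDs, pids, names and uids below are made up.
GOOD, BAD = "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
def _entry(pid, user, sid, uid):
    return [f"[2018/11/22 12:00:00.000000,  3, pid={pid}] ../auth/auth_log.c:760(x)",
            f"  Auth: [SMB2,NTLMSSP] user [DOM]\\[{user}] became [DOM]\\[{user}] [{sid}]. local host [x]",
            f"[2018/11/22 12:00:00.100000,  3, pid={pid}] ../source3/smbd/service.c:841(x)",
            f"  host (ipv4:192.0.2.1:50000) connect to service IPC$ initially as user DOM+{user} (uid={uid}, gid=5074) (pid {pid})"]
SAMPLE = (_entry(101, "olduser1", GOOD + "-1105", 2050)
          + _entry(102, "olduser2", GOOD + "-1106", 2051)
          + _entry(103, "newuser", BAD + "-1612", 3000008))

if __name__ == "__main__":
    for s in wrong_domain(sessions(SAMPLE)):
        print(f"{s['user']}: SID {s['sid']} not in expected domain, uid={s['uid']}")
```

Pass the known-good domain SID as `expected` when the sample may contain more affected accounts than healthy ones.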