GID range full!!

Samba - General mailing list

Twice this week I had a Domain Member Server "crash"

A week ago I saw errors like this in log.winbindd-idmap:

[2017/11/27 11:25:02.768090,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/11/27 11:25:02.768213,  1]
../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)

I increased this from 2999 to 9999:

        idmap config arbeitsgruppe:schema_mode = rfc2307
        idmap config arbeitsgruppe:range = 10000-9999999
        idmap config arbeitsgruppe:backend = ad
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb

and restarted smbd/nmbd/winbindd

Today it crashed again, but without those lines:

[2017/11/27 11:25:02.768228,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/11/27 11:26:43.632040,  1]
../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler)
  Reloading services after SIGHUP
[2017/12/04 11:50:31.642817,  0]
../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2017/12/04 11:51:50.973272,  0]
../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

Samba-4.6.11 btw

Hmm.

What does samba need >3000 IDs for, when we have around 40 users and
maybe 15 groups in ADS there?

Can someone explain?

How to maybe clean that up, get rid of wrong ids or whatever is needed here?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: GID range full!!

On Mon, 4 Dec 2017 12:13:39 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

>
> Twice this week I had a Domain Member Server "crash"
>
> A week ago I saw errors like this in log.winbindd-idmap:
>
> [2017/11/27 11:25:02.768090,  1]
> ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
> [2017/11/27 11:25:02.768213,  1]
> ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
>   Fatal Error: GID range full!! (max: 2999)
>
> I increased this from 2999 to 9999:
>
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:range = 10000-9999999
> idmap config arbeitsgruppe:backend = ad
> idmap config * : range = 2000-9999
> idmap config * : backend = tdb
>
> and restarted smbd/nmbd/winbindd
>
> Today it crashed again, but without those lines:
>
> [2017/11/27 11:25:02.768228,  1]
> ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
> [2017/11/27 11:26:43.632040,  1]
> ../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler)
>   Reloading services after SIGHUP
> [2017/12/04 11:50:31.642817,  0]
> ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2017/12/04 11:51:50.973272,  0]
> ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
>
> Samba-4.6.11 btw
>
> Hmm.
>
> What does samba need >3000 IDs for, when we have around 40 users and
> maybe 15 groups in ADS there?
>
> Can someone explain?
>
> How to maybe clean that up, get rid of wrong ids or whatever is
> needed here?
>

I take it that 'arbeitsgruppe' is the workgroup name, it should be
'ARBEITSGRUPPE' in the 'idmap config' lines.
The '*' range is used to store the Well Known SIDs and anything outside
the 'arbeitsgruppe' domain, 7999 IDs is more than enough for this, in
fact 999 IDs should have been enough, there are less than 200 Well
Known SIDs.
Your 'arbeitsgruppe' domain members should fit into 9989999 IDs

I suspect that either your domain computers are not in fact domain
computers, or something is badly mis-configured.

Rowland



Re: GID range full!!

On 2017-12-04 at 12:42, Rowland Penny wrote:

> I take it that 'arbeitsgruppe' is the workgroup name, it should be
> 'ARBEITSGRUPPE' in the 'idmap config' lines.

The output of testparm shows them lowercase, smb.conf has it in uppercase:

[global]
        security = ADS
        workgroup = ARBEITSGRUPPE
        realm = arbeitsgruppe.hidden.tld
        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 2000-9999

        idmap config ARBEITSGRUPPE:backend = ad
        idmap config ARBEITSGRUPPE:range = 10000-9999999
        idmap config ARBEITSGRUPPE:schema_mode = rfc2307

        username map = /etc/samba/user.map

        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind nss info = rfc2307

        load printers = No
        printcap name = /dev/null

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

> The '*' range is used to store the Well Known SIDs and anything outside
> the 'arbeitsgruppe' domain, 7999 IDs is more than enough for this, in
> fact 999 IDs should have been enough, there are less than 200 Well
> Known SIDs.
> Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
>
> I suspect that either your domain computers are not in fact domain
> computers, or something is badly mis-configured.

Well, I come back here to ask how to do things and configure DC and DM
for over a year now. We discussed the config in various threads and I
always follow your suggestions and the docs as well as I can and understand.

Same this time. *I* don't know what is wrong or might be wrong.

You suggest the domain computers might not be what they should be:
domain computers. You mean, the windows PCs might be not joined correctly?

Re: GID range full!!

On Mon, 4 Dec 2017 12:56:37 +0100
"Stefan G. Weichinger" <[hidden email]> wrote:

> On 2017-12-04 at 12:42, Rowland Penny wrote:
>
> > I take it that 'arbeitsgruppe' is the workgroup name, it should be
> > 'ARBEITSGRUPPE' in the 'idmap config' lines.
>
> The output of testparm shows them lowercase, smb.conf has it in
> uppercase:
>
> [global]
>         security = ADS
>         workgroup = ARBEITSGRUPPE
>         realm = arbeitsgruppe.hidden.tld
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>
>         idmap config ARBEITSGRUPPE:backend = ad
>         idmap config ARBEITSGRUPPE:range = 10000-9999999
>         idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
>         username map = /etc/samba/user.map
>
>         winbind use default domain = Yes
>         winbind refresh tickets = Yes
>         winbind nss info = rfc2307
>
>         load printers = No
>         printcap name = /dev/null
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> > The '*' range is used to store the Well Known SIDs and anything
> > outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough
> > for this, in fact 999 IDs should have been enough, there are less
> > than 200 Well Known SIDs.
> > Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
> >
> > I suspect that either your domain computers are not in fact domain
> > computers, or something is badly mis-configured.
>
> Well, I come back here to ask how to do things and configure DC and DM
> for over a year now. We discussed the config in various threads and I
> always follow your suggestions and the docs as well as I can and
> understand.
>
> Same this time. *I* don't know what is wrong or might be wrong.
>
> You suggest the domain computers might not be what they should be:
> domain computers. You mean, the windows PCs might be not joined
> correctly?

There doesn't seem to be anything really wrong with the smb.conf, unless
you are running a version of Samba from 4.6.0, see here for how to set
up idmap now:

https://wiki.samba.org/index.php/Idmap_config_ad

You can also find a list of Well Known SIDs here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

It may be, for some reason, your windows clients are not joined, this
is unlikely, but worth checking.

Rowland

Re: GID range full!!

On 2017-12-04 at 13:22, Rowland Penny via samba wrote:

> There doesn't seem to be anything really wrong with the smb.conf, unless
> you are running a version of Samba from 4.6.0, see here for how to set
> up idmap now:
>
> https://wiki.samba.org/index.php/Idmap_config_ad

So that seems to hit it, we run 4.6.11 and still

winbind nss info = rfc2307

That has to be edited if I interpret correctly.

Is that a "dangerous" change? Should it be done with no users connected
or with all daemons restarted after the change?

thanks, Stefan


Re: GID range full!!

On Mon, 4 Dec 2017 13:41:32 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-12-04 at 13:22, Rowland Penny via samba wrote:
>
> > There doesn't seem to be anything really wrong with the smb.conf,
> > unless you are running a version of Samba from 4.6.0, see here for
> > how to set up idmap now:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
>
> So that seems to hit it, we run 4.6.11 and still
>
> winbind nss info = rfc2307
>
> That has to be edited if I interpret correctly.
>
> Is that a "dangerous" change? Should it be done with no users
> connected or with all daemons restarted after the change?
>
> thanks, Stefan
>

I wouldn't call it dangerous, but you will have to either reload or
restart the samba daemons, so probably best done when no one is
connected.

Rowland



Re: GID range full!!

On 2017-12-04 at 13:55, Rowland Penny via samba wrote:

> On Mon, 4 Dec 2017 13:41:32 +0100
> "Stefan G. Weichinger via samba" <[hidden email]> wrote:
>
>> On 2017-12-04 at 13:22, Rowland Penny via samba wrote:
>>
>>> There doesn't seem to be anything really wrong with the smb.conf,
>>> unless you are running a version of Samba from 4.6.0, see here for
>>> how to set up idmap now:
>>>
>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> So that seems to hit it, we run 4.6.11 and still
>>
>> winbind nss info = rfc2307
>>
>> That has to be edited if I interpret correctly.
>>
>> Is that a "dangerous" change? Should it be done with no users
>> connected or with all daemons restarted after the change?
>>
>> thanks, Stefan
>>
>
> I wouldn't call it dangerous, but you will have to either reload or
> restart the samba daemons, so probably best done when no one is
> connected.

ok, will do so, thanks.

Do you think that my current mis-config leads to the GID-full-issue as
described? Is there a valid explanation for this? Just curious.




Re: GID range full!!

On Mon, 4 Dec 2017 13:58:55 +0100
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-12-04 at 13:55, Rowland Penny via samba wrote:
> > On Mon, 4 Dec 2017 13:41:32 +0100
> > "Stefan G. Weichinger via samba" <[hidden email]> wrote:
> >
> >> On 2017-12-04 at 13:22, Rowland Penny via samba wrote:
> >>
> >>> There doesn't seem to be anything really wrong with the smb.conf,
> >>> unless you are running a version of Samba from 4.6.0, see here for
> >>> how to set up idmap now:
> >>>
> >>> https://wiki.samba.org/index.php/Idmap_config_ad
> >>
> >> So that seems to hit it, we run 4.6.11 and still
> >>
> >> winbind nss info = rfc2307
> >>
> >> That has to be edited if I interpret correctly.
> >>
> >> Is that a "dangerous" change? Should it be done with no users
> >> connected or with all daemons restarted after the change?
> >>
> >> thanks, Stefan
> >>
> >
> > I wouldn't call it dangerous, but you will have to either reload or
> > restart the samba daemons, so probably best done when no one is
> > connected.
>
> ok, will do so, thanks.
>
> Do you think that my current mis-config leads to the GID-full-issue
> as described? Is there a valid explanation for this? Just curious.
>

Possibly, if, by using the old config, Samba is ignoring the 'idmap
config DOMAIN' lines and putting everything into the '*' domain, then
you may (probably would) have more than your original set up allowed.
If this fixes it, you have found another bug ;-)
It should work with the old lines.

Rowland
 


Re: GID range full!!

On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:

> Possibly, if, by using the old config, Samba is ignoring the 'idmap
> config DOMAIN' lines and putting everything into the '*' domain, then
> you may (probably would) have more than your original set up allowed.
> If this fixes it, you have found another bug ;-)
> It should work with the old lines.

I now changed that parameter, edited the range down to 2000-2999 again
and restarted services. We can connect OK, fine. We test some things now.

Can I somehow check how many of those IDs are used right now?
Somehow monitor if this change fixed it?

Last time it took a week to crash again, I would prefer to be able to
know things earlier.
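
One way to get earlier warning for the monitoring question above is to scan log.winbindd-idmap for the allocator's failure messages and summarise them per ID type. This is an added example, not part of the original thread and not Samba's own tooling; the function names and the UID variant of the message are assumptions, and the sample log is constructed from the excerpts quoted in this thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the log.winbindd-idmap excerpts in this thread.
# The second record keeps header and source location on one line; the others
# are split across two lines, as they appear in the mails.
SAMPLE_LOG = """\
[2017/12/12 15:40:40.200201,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/12/12 15:55:55.186605,  1] ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)
[2017/12/12 15:55:55.186630,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/12/12 15:56:01.000000,  1]
../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler)
  Reloading services after SIGHUP
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(\S.*)?$")
# The thread only shows the GID form; the UID form is assumed by analogy.
RANGE_FULL = re.compile(r"Fatal Error: (GID|UID) range full!! \(max: (\d+)\)")
ALLOC_FAIL = re.compile(r"Error allocating a new (GID|UID)")


def parse_records(text):
    """Split Samba debug output into records with ts, level, loc and msg."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({
                "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m.group(2)),
                "loc": m.group(3),
                "msg": "",
            })
        elif records and line.strip():
            rec = records[-1]
            if rec["loc"] is None and not line[0].isspace():
                rec["loc"] = line.strip()  # source location wrapped onto its own line
            else:
                rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def summarize(text):
    """Per ID type: failure counts, the reported range maximum, first/last time."""
    summary = {}
    for rec in parse_records(text):
        full = RANGE_FULL.search(rec["msg"])
        fail = ALLOC_FAIL.search(rec["msg"])
        if not (full or fail):
            continue
        kind = (full or fail).group(1)
        s = summary.setdefault(kind, {"range_full": 0, "alloc_failed": 0,
                                      "max": None, "first": rec["ts"], "last": rec["ts"]})
        if full:
            s["range_full"] += 1
            s["max"] = int(full.group(2))  # upper bound winbindd is actually using
        else:
            s["alloc_failed"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return summary


if __name__ == "__main__":
    for kind, s in summarize(SAMPLE_LOG).items():
        print(f"{kind}: {s['range_full']} range-full, {s['alloc_failed']} allocation "
              f"failures, max={s['max']}, {s['first']} .. {s['last']}")
```

The reported `max` is worth watching after a config change: it shows which upper bound the running winbindd is using, independent of what smb.conf currently says.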



Re: GID range full!!

On 2017-12-04 at 18:07, Stefan G. Weichinger via samba wrote:

> On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:
>
>> Possibly, if, by using the old config, Samba is ignoring the 'idmap
>> config DOMAIN' lines and putting everything into the '*' domain, then
>> you may (probably would) have more than your original set up allowed.
>> If this fixes it, you have found another bug ;-)
>> It should work with the old lines.
>
> I now changed that parameter, edited the range down to 2000-2999 again
> and restarted services. We can connect OK, fine. We test some things now.
>
> Can I somehow check how many of those IDs are used right now?
> Somehow monitor if this change fixed it?
>
> Last time it took a week to crash again, I would prefer to be able to
> know things earlier.

The DM gave up again today. No more gid-related stuff inside the logs,
had to kill the daemons to get the shares up again.

I increased loglevel to 2 and see in

# tail winbindd.log
[2017/12/06 13:12:50.216478,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)
[2017/12/06 13:12:50.216523,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)
[2017/12/06 13:12:50.216566,  2]
../auth/kerberos/kerberos_pac.c:96(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)

This is a gentoo linux DM, and their samba-ebuild pulls in mit-krb5 for
samba per default.

Unfortunately that mit-krb5 package is still at 1.14.2 while 1.15.2 is
available.

I assume I should upgrade that and reinstall samba-4.6.11 after?

Could it somehow be the case that the kerberos-ticket between DM and DC
runs out after X hours or so?

Just guessing ...

I also consider downgrading samba to 4.5.15. At another site with about
the same setup we don't face any problems.

Stefan

Re: GID range full!!

On 2017-12-06 at 13:20, Stefan G. Weichinger via samba wrote:

> Could it somehow be the case that the kerberos-ticket between DM and DC
> runs out after X hours or so?
>
> Just guessing ...

found this thread

https://lists.samba.org/archive/samba/2017-October/211476.html

sounds quite similar

-

klist showed no Kerberos ticket, did a kinit ... dunno?

I also see this:

# tail  log.wb-ARBEITSGRUPPE
[2017/12/06 13:49:22.905348,  1]
../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
  Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT

hmm

Re: GID range full!!

Did dbcheck on DC. 257 errors for 372 objects.
Jeez. Why? Where does that come from?

From some updating? I am quite sure that I ran those checks back when I
converted the domain and wouldn't have skipped these errors IMO.

example:

CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at: 0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on
CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at

Not fixing replPropertyMetaData on
CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at

I see that there is a "--fix" option.
Any backups I should run before? Do it without clients connected?

pls advise

Re: GID range full!!

On 2017-12-06 at 15:03, Stefan G. Weichinger via samba wrote:

>
> Did dbcheck on DC. 257 errors for 372 objects.
> Jeez. Why? Where does that come from?
>
> From some updating? I am quite sure that I ran those checks back when I
> converted the domain and wouldn't have skipped these errors IMO.
>
> example:
>
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at: 0x00000000
> ERROR: unsorted attributeID values in replPropertyMetaData on
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at
>
> Not fixing replPropertyMetaData on
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at
>
> I see that there is a "--fix" option.
> Any backups I should run before? Do it without clients connected?

fixed those last week already : done

today again these lines on the DM server:


# tail  log.winbindd-idmap
[2017/12/12 15:40:40.200201,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/12/12 15:55:55.186605,  1]
../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)
[2017/12/12 15:55:55.186630,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID
[2017/12/12 15:55:55.186723,  1]
../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 2999)
[2017/12/12 15:55:55.186736,  1]
../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
  Error allocating a new GID


for reference: Samba 4.6.11, gentoo linux






Re: GID range full!!

On 2017-12-12 at 15:59, Stefan G. Weichinger via samba wrote:

> [2017/12/12 15:55:55.186723,  1]
> ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
>   Fatal Error: GID range full!! (max: 2999)
> [2017/12/12 15:55:55.186736,  1]
> ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
>
> for reference: Samba 4.6.11, gentoo linux

Additional info, maybe relevant:

on the DC I saw yesterday:

Dez 11 20:00:16 backup winbindd[1390]: [2017/12/11 20:00:16.560037,  0]
../source3/winbindd/winbindd_group.c:45(fill_grent)
Dez 11 20:00:16 backup winbindd[1390]:   Failed to find domain 'NT
AUTHORITY'. Check connection to trusted domains!


This line repeated within seconds after reboot (reconnect with DM?),
after that no more.


DC, samba 4.6.11, debian 9.3 (LPH packages):

# smb.conf (again):

[global]
        workgroup = ARBEITSGRUPPE
        realm = arbeitsgruppe.hidden.tld
        netbios name = BACKUP
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
    dns forwarder = 10.0.0.254

[netlogon]
        path = /var/lib/samba/sysvol/hidden.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Re: GID range full!!

DM crashed again.

I will downgrade to 4.5.15 later this day, as this release works without
problems at another customer.

Re: GID range full!!

On 2017-12-12 at 16:42, Stefan G. Weichinger via samba wrote:

> Additional info, maybe relevant:
>
> on the DC I saw yesterday:
>
> Dez 11 20:00:16 backup winbindd[1390]: [2017/12/11 20:00:16.560037,  0]
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> Dez 11 20:00:16 backup winbindd[1390]:   Failed to find domain 'NT
> AUTHORITY'. Check connection to trusted domains!

As I found on google this is related to the fact that we run (small
shares ... ) file services on the DC as well. I assume I can ignore
these lines on the DC?
