GID range full!!

>
> Twice this week I had a Domain Member Server "crash"
>
> A week ago I saw errors like this in log.winbindd-idmap:
>
> [2017/11/27 11:25:02.768090,  1]
> ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
> [2017/11/27 11:25:02.768213,  1]
> ../source3/winbindd/idmap_tdb_common.c:68(idmap_tdb_common_allocate_id_action)
>   Fatal Error: GID range full!! (max: 2999)
>
> I increased this from 2999 to 9999:
>
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:range = 10000-9999999
> idmap config arbeitsgruppe:backend = ad
> idmap config * : range = 2000-9999
> idmap config * : backend = tdb
>
> and restarted smbd/nmbd/winbindd
>
> Today it crashed again, but without those lines:
>
> [2017/11/27 11:25:02.768228,  1]
> ../source3/winbindd/idmap_tdb_common.c:140(idmap_tdb_common_allocate_id)
>   Error allocating a new GID
> [2017/11/27 11:26:43.632040,  1]
> ../source3/winbindd/winbindd.c:396(winbindd_sig_hup_handler)
>   Reloading services after SIGHUP
> [2017/12/04 11:50:31.642817,  0]
> ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2017/12/04 11:51:50.973272,  0]
> ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
>
> Samba-4.6.11 btw
>
> Hmm.
>
> What does samba need >3000 IDs for, when we have around 40 users and
> maybe 15 groups in ADS there?
>
> Can someone explain?
>
> How to maybe clean that up, get rid of wrong ids or whatever is
> needed here?
>

> Am 2017-12-04 um 12:42 schrieb Rowland Penny:
>
> > II take it that 'arbeitsgruppe' is the workgroup name, it should be
> > 'ARBEITSGRUPPE' in the 'idmap config' lines.
>
> The output of testparm shows them lowercase, smb.conf has it in
> uppercase:
>
> [global]
>         security = ADS
>         workgroup = ARBEITSGRUPPE
>         realm = arbeitsgruppe.hidden.tld
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>
>         idmap config ARBEITSGRUPPE:backend = ad
>         idmap config ARBEITSGRUPPE:range = 10000-9999999
>         idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
>         username map = /etc/samba/user.map
>
>         winbind use default domain = Yes
>         winbind refresh tickets = Yes
>         winbind nss info = rfc2307
>
>         load printers = No
>         printcap name = /dev/null
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> > The '*' range is used to store the Well Known SIDs and anything
> > outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough
> > for this, in fact 999 IDs should have been enough, there are less
> > than 200 Well Known SIDs.
> > Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
> >
> > I suspect that either your domain computers are not in fact domain
> > computers, or something is badly mis-configured.
>
> Well, I come back here to ask how to do things and configure DC and DM
> for over a year now. We discussed the config in various threads and I
> always follow your suggestions and the docs as good as I can and
> understand.
>
> Same this time. *I* don't know what is wrong or might be wrong.
>
> You suggest the domain computers might not be what they should be:
> domain computers. You mean, the windows PCs might be not joined
> correctly?

> Am 2017-12-04 um 13:22 schrieb Rowland Penny via samba:
>
> > There doesn't seem to anything really wrong with the smb.conf,
> > unless you are running a version of Samba from 4.6.0, see here for
> > how to set up idmap now:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
>
> So that seems to hit it, we run 4.6.11 and still
>
> winbind nss info = rfc2307
>
> That has to be edited if I interpret correctly.
>
> Is that a "dangerous" change? Should it be done with no users
> connected or with all daemons restarted after the change?
>
> thanks, Stefan
>

> On Mon, 4 Dec 2017 13:41:32 +0100
> "Stefan G. Weichinger via samba" <[hidden email]> wrote:
>
>> Am 2017-12-04 um 13:22 schrieb Rowland Penny via samba:
>>
>>> There doesn't seem to anything really wrong with the smb.conf,
>>> unless you are running a version of Samba from 4.6.0, see here for
>>> how to set up idmap now:
>>>
>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> So that seems to hit it, we run 4.6.11 and still
>>
>> winbind nss info = rfc2307
>>
>> That has to be edited if I interpret correctly.
>>
>> Is that a "dangerous" change? Should it be done with no users
>> connected or with all daemons restarted after the change?
>>
>> thanks, Stefan
>>
>
> I wouldn't call it dangerous, but you will have to either reload or
> restart the samba daemons, so probably best done when no one is
> connected.

> Am 2017-12-04 um 13:55 schrieb Rowland Penny via samba:
> > On Mon, 4 Dec 2017 13:41:32 +0100
> > "Stefan G. Weichinger via samba" <[hidden email]> wrote:
> >
> >> Am 2017-12-04 um 13:22 schrieb Rowland Penny via samba:
> >>
> >>> There doesn't seem to anything really wrong with the smb.conf,
> >>> unless you are running a version of Samba from 4.6.0, see here for
> >>> how to set up idmap now:
> >>>
> >>> https://wiki.samba.org/index.php/Idmap_config_ad
> >>
> >> So that seems to hit it, we run 4.6.11 and still
> >>
> >> winbind nss info = rfc2307
> >>
> >> That has to be edited if I interpret correctly.
> >>
> >> Is that a "dangerous" change? Should it be done with no users
> >> connected or with all daemons restarted after the change?
> >>
> >> thanks, Stefan
> >>
> >
> > I wouldn't call it dangerous, but you will have to either reload or
> > restart the samba daemons, so probably best done when no one is
> > connected.
>
> ok, will do so, thanks.
>
> Do you think that my current mis-config leads to the GID-full-issue
> as described? Is there a valid explanation for this? Just curious.
>

> On 12/04/2017 02:15 PM, Rowland Penny via samba wrote:
>
>> Possibly, if, by using the old config, Samba is ignoring the 'idmap
>> config DOMAIN' lines and putting everything into the '*' domain, then
>> you may (probably would) have more than your original set up allowed.
>> If this fixes it, you have found another bug ;-)
>> It should work with the old lines.
>
> I now changed that parameter, edited the range down to 2000-2999 again
> and restarted services. We can connect OK, fine. We test some things now.
>
> Can I somehow check how many of those IDs are used right now?
> Somehow monitor if this change fixed it?
>
> Last time it took a week to crash again, I would prefer to be able to
> know things earlier.

>
> Did dbcheck on DC. 257 errors for 372 objects.
> Jeez. Why? Where does that come from?
>
> From some updating? I am quite sure that I ran those checks back when I
> converted the domain and wouldn't have skipped these errors IMO.
>
> example:
>
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at: 0x00000000
> ERROR: unsorted attributeID values in replPropertyMetaData on
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at
>
> Not fixing replPropertyMetaData on
> CN=mitarbeiter,CN=Users,DC=arbeitsgruppe,DC=hiddentld,DC=at
>
> I see that there is a "--fix" option.
> Any backups I should run before? Do it without clients connected?