Bug 42819 - samba4-idmap.py listener doesn't initialize idmap.ldb metadata when file has been deleted.
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
: P5 normal
: UCS 4.2
Assigned To: Arvid Requate
Stefan Gohmann
: interim-2
Depends on: 40511
Blocks:
Reported: 2016-11-02 14:54 CET by Arvid Requate
Modified: 2017-04-04 18:29 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016103121000363
Bug group (optional):
Max CVSS v3 score:


Attachments
initialize_idmap.patch (1.57 KB, patch)
2016-11-02 14:54 CET, Arvid Requate

Description Arvid Requate univentionstaff 2016-11-02 14:54:52 CET
Created attachment 8179
initialize_idmap.patch

The samba4-idmap.py listener currently doesn't check if the idmap.ldb is properly initialized. In re-joining scenarios we often remove the idmap.ldb and then let the listener re-fill it. But then these basic metadata objects are missing:

cat /usr/share/samba/setup/idmap_init.ldif 
=============================
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

dn: @INDEXLIST
@IDXATTR: xidNumber
@IDXATTR: objectSid
=============================

As a consequence, winbind cannot dynamically allocate any xidNumber (UIDs/GIDs) for accounts that for some reason do not have a proper idmap entry yet (e.g. due to Bug 36570).

The attached patch fixes this by calling samba.provision.setup_idmapdb() in case the file doesn't exist during open. Untested.
Comment 1 Stefan Gohmann univentionstaff 2016-12-13 08:10:37 CET
The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.
Comment 2 Arvid Requate univentionstaff 2017-02-15 19:13:16 CET
I've applied an improved version of the patch.
Package rebuilt and changelog adjusted.

Package: univention-samba4
Version: 6.0.9-4A~4.2.0.201702151909
Branch: ucs_4.2-0

QA:

univention-directory-listener-ctrl samba4-idmap resync
ldbsearch -H /var/lib/samba/private/idmap.ldb CN=CONFIG
ldbsearch -H /var/lib/samba/private/idmap.ldb -b "@INDEXLIST" -s base

rm /var/lib/samba/private/idmap.ldb
service univention-directory-listener stop
univention-directory-listener-ctrl samba4-idmap resync
ldbsearch -H /var/lib/samba/private/idmap.ldb CN=CONFIG
ldbsearch -H /var/lib/samba/private/idmap.ldb -b "@INDEXLIST" -s base
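
A check for the metadata that the description lists and that the QA steps above look up with ldbsearch, added here as an example (it is not part of the bug report or of univention-samba4). The function names and the sample mapping entry are constructed; the required records come from idmap_init.ldif as quoted in the description.

```python
import sys

# Records from idmap_init.ldif as quoted in the report; empty set = any value.
REQUIRED = {
    "CN=CONFIG": {"lowerBound": set(), "upperBound": set()},
    "@INDEXLIST": {"@IDXATTR": {"xidNumber", "objectSid"}},
}

def parse_ldif(text):
    """Return {DN upper-cased: {attribute lower-cased: set(values)}}."""
    records, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):      # ldbsearch comment lines
            continue
        name, sep, value = raw.partition(":")
        if not sep:                  # blank line ends the record
            current = None
            continue
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            current = records.setdefault(value.upper(), {})
        elif current is not None:
            current.setdefault(name.lower(), set()).add(value)
    return records

def missing_idmap_metadata(ldif_text):
    """List required records, attributes or values that are absent."""
    records, missing = parse_ldif(ldif_text), []
    for dn, attrs in REQUIRED.items():
        record = records.get(dn.upper())
        if record is None:
            missing.append(dn)
            continue
        for attr, values in attrs.items():
            have = record.get(attr.lower(), set())
            if values:
                missing += [f"{dn}: {attr}={v}" for v in sorted(values - have)]
            elif not have:
                missing.append(f"{dn}: {attr}")
    return missing

# Constructed sample: database re-filled by a resync, mapping entry only.
REFILLED_ONLY = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
xidNumber: 2001
"""

if __name__ == "__main__":  # reads ldbsearch output on stdin
    sys.exit("\n".join(missing_idmap_metadata(sys.stdin.read())) or 0)
```

Feed it the combined output of the two ldbsearch commands from the QA steps on stdin; it lists what is missing and exits non-zero, or exits 0 when both records are complete.
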
Comment 3 Stefan Gohmann univentionstaff 2017-02-24 07:11:30 CET
Tests: OK, the entries are available after rejoining the system.

Code review: OK (r76714)

Changelog: OK
Comment 4 Stefan Gohmann univentionstaff 2017-04-04 18:29:15 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".