Windows Active Directory user's UID appears to be overwritten in the storage host's passwd


I have run into a problem that is giving me a headache, and I don't know where I need to enable deeper logging to find the root cause.

We have a third-party appliance, to which we do have root SSH access for management.

We had been running on the backup server for a while, but we have now switched back to this storage server and are starting from scratch to establish good storage practices.

AD: Windows Server 2016 running AD and DNS. Domain: vfx.int. User: freezer. UID: 100000005. GID: 100000024

Appliance Linux version:

Linux elementsone 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

I believe that is CentOS 7.

smb.conf LDAP configuration:

workgroup=VFX
server string=ELEMENTS SMB
log file=/var/log/samba/log.%m
max log size=5000
realm=VFX.INT
security=ads
lanman auth=yes
domain master=no
local master=no
prefered master=no
idmap config * : backend=tdb2
idmap config * : range=1000000-99999999
idmap config VFX : backend=ad
idmap config VFX : unix_primary_group=yes
idmap config VFX : schema_mode=rfc2307
idmap config VFX : range=100000005-1999999999
template shell=/bin/bash
winbind offline logon=false
winbind separator=+
winbind enum users=yes
winbind enum groups=yes
winbind use default domain=no
winbind nested groups=yes
winbind expand groups=5
winbind refresh tickets=yes
allow trusted domains=yes
passdb backend=tdbsam
load printers=no
printing=bsd
printcap name=/dev/null
map to guest=bad user
enable core files=no
ntlm auth=yes
server signing=disabled
client signing=disabled
min protocol=smb2_10
max protocol=smb3
nt acl support=no
max xmit=1048576
block size=4096
aio read size=1
aio write size=1
map system=no
map archive=no
map read only=no
dns proxy=no
wins proxy=no
hide dot files=yes
case sensitive=yes

The affected user's UID in AD is 100000005.

The problem was previously visible on the system like this:

root ~ $ getent passwd
VFX+freezer:*:10000000:100000024:Freezer:/home/VFX/freezer:/bin/bash
root ~ $ id vfx+freezer
uid=10000000(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)
root ~ $ getent passwd 100000005
VFX+freezer:*:10000000:100000024:Freezer:/home/VFX/freezer:/bin/bash

Tried to force it and change it to the correct UID:

root ~ $ usermod -u 100000005 VFX+Freezer
usermod: UID '100000005' already exists

So what did I do after we discovered this:

Deleted the user from the web UI (the system has a web UI); deleting the user from the command line with userdel did not work, there was always a process using it.

I ran the following sequence:

systemctl stop sernet-samba-smbd;
systemctl stop sernet-samba-winbindd;
systemctl stop nscd
rm /var/lib/samba/*.tdb;
net cache flush;
systemctl start nscd
systemctl start sernet-samba-smbd;
systemctl start sernet-samba-winbindd;

After that, I checked the UID:

root ~ $ getent passwd vfx+Freezer
VFX+freezer:*:100000005:100000024:Freezer:/home/VFX/freezer:/bin/bash
root ~ $ id vfx+freezer
uid=100000005(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)
root ~ $ getent passwd 100000005
VFX+freezer:*:100000005:100000024:Freezer:/home/VFX/freezer:/bin/bash

Yesterday morning my colleague checked, with the following result:

root~ $ id vfx+freezerelementsone
uid=10000000(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)

Back to square one?

I checked the following logs: messages, audit log, smb log.

I could only find these references:

Jan 30 21:00:43 elementsone elements-webui[15894]: [INFO]  [audit]  Deleted user [email protected] ip=10.212.134.105 http_fingerprint=d834046e33502e6892901f86004a4401fab5969372ebb1a965a8e6e404b5d7527ac9af5764bd049bd6e36cf0a0f455c537664ac04301d3c741bf8aea0d9528e0 username=root user_id=1 session=24f8c1e7f50d718fa5d808643e3ce9c6463cf3f0535606664e7ac62bde52a120a45c8e1a227c9d19dbada7e44fffaa2de29775f678871c07ac8183ac8978b834 api=deleteUser url=/api/2/users/7
Jan 30 21:00:44 elementsone nscd: 30580 monitored file `/etc/passwd` was moved into place, adding watch
Jan 30 21:00:44 elementsone nscd: 30580 monitored file `/etc/group` was moved into place, adding watch
Jan 30 21:00:44 elementsone systemd: Reloading Samba SMB Daemon.
Jan 30 21:00:44 elementsone systemd: Reloaded Samba SMB Daemon.

That is me deleting the user.

And:

Jan 31 09:34:05 elementsone elements-webui[23682]: [INFO]  [audit]  Auth result: authenticated as root ip=192.168.29.49 http_fingerprint=b636a21951c20d515693b271313ecb7d0d45972c27f16d77134ed3ead003034855cedec2bc941929f2c575f7a6431160500875603d86d8cc456aa8964ed924b2 session=40cf833271af24b469de123f839d092604167f81f087c7a5356f833f545a6fb8ef389afe1e781cc985c337f28d4ca67d7f313b214e80b62364e3b37d7a0492f9 api=login url=/api/2/auth/login
Jan 31 09:34:05 elementsone elements-webui[23682]: [INFO]  [audit]  Starting task: private.apply_user_password(user_id=1, _context={'name': '', 'initiator_user_id': None, 'initiator_workstation_id': None, 'initiator_subtask_id': None, 'initiator_schedule_id': None, 'initiator_event_id': None, 'job_instance_id': None, 'security_context_user_id': None, 'timeout': None, 'dont_save': False, 'noop_dont_save': False, 'success_dont_save': True, 'no_concurrency': False, 'log_variable': False, 'queue': None, 'enqueue_at_front': False, 'vars': {}}) ip=192.168.29.49 http_fingerprint=b636a21951c20d515693b271313ecb7d0d45972c27f16d77134ed3ead003034855cedec2bc941929f2c575f7a6431160500875603d86d8cc456aa8964ed924b2 session=40cf833271af24b469de123f839d092604167f81f087c7a5356f833f545a6fb8ef389afe1e781cc985c337f28d4ca67d7f313b214e80b62364e3b37d7a0492f9 api=login url=/api/2/auth/login
Jan 31 09:34:51 elementsone elements-webui[12241]: [INFO]  [audit]  LDAP sync adds a new user [email protected] to [email protected] ip=192.168.29.49 http_fingerprint=b636a21951c20d515693b271313ecb7d0d45972c27f16d77134ed3ead003034855cedec2bc941929f2c575f7a6431160500875603d86d8cc456aa8964ed924b2 username=root user_id=1 session=f18696c407fb8c58318a61011c8cd81a6cc25410b6e1a01a8ab866b215dacc65dd403fe26ed47684fbf278fbffea6dac19e0ec32d172cf2bc494c760ecb2b8f8 api=syncLDAPGroup url=/api/2/groups/23/ldap-sync
Jan 31 09:34:51 elementsone elements-webui[12241]: [INFO]  [audit]  Added permission for [email protected]: client:access ip=192.168.29.49 http_fingerprint=b636a21951c20d515693b271313ecb7d0d45972c27f16d77134ed3ead003034855cedec2bc941929f2c575f7a6431160500875603d86d8cc456aa8964ed924b2 username=root user_id=1 session=f18696c407fb8c58318a61011c8cd81a6cc25410b6e1a01a8ab866b215dacc65dd403fe26ed47684fbf278fbffea6dac19e0ec32d172cf2bc494c760ecb2b8f8 api=syncLDAPGroup url=/api/2/groups/23/ldap-sync
Jan 31 09:34:51 elementsone elements-webui[12241]: [INFO]  [audit]  Created user [email protected] ip=192.168.29.49 http_fingerprint=b636a21951c20d515693b271313ecb7d0d45972c27f16d77134ed3ead003034855cedec2bc941929f2c575f7a6431160500875603d86d8cc456aa8964ed924b2 username=root user_id=1 session=f18696c407fb8c58318a61011c8cd81a6cc25410b6e1a01a8ab866b215dacc65dd403fe26ed47684fbf278fbffea6dac19e0ec32d172cf2bc494c760ecb2b8f8 api=syncLDAPGroup url=/api/2/groups/23/ldap-sync
Jan 31 09:34:52 elementsone nscd: 28546 monitored file `/etc/passwd` was moved into place, adding watch
Jan 31 09:34:52 elementsone nscd: 28546 monitored file `/etc/group` was moved into place, adding watch
Jan 31 09:34:53 elementsone systemd: Reloading Samba SMB Daemon.
Jan 31 09:34:53 elementsone systemd: Reloaded Samba SMB Daemon.

This happened after my colleague checked the UID, so it has nothing to do with us changing the UID again.

It looks as if it somehow applied the user as a non-domain user? I did not explicitly add the user after the cleanup; could that cause this? Even so, the system was happily checking the UID after the cleanup, and if the user was added it should pull the correct UID from AD.

What confuses me is that the system found another UID already in use with that number.

Does anyone know which logging I can enable to get insight into who set the user up with UID 10000000 instead of 100000005? Or has anyone seen a problem like this and knows a fix?

Update 06-20-2023, example of the UID/GID changing:

 root ~   $ elementsone is VFX+freezeri VFX+freezer id VFX+freezer
uid=10000000(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)
 root ~   $ elementsone net cache flush
 root ~   $ elementsone id VFX+freezer
uid=100000005(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)
 root ~   $ elementsone id VFX+freezer
uid=10000000(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)
 root ~   $ elementsone id VFX+freezer
uid=10000000(VFX+freezer) gid=100000024(VFX+freezers) groups=100000024(VFX+freezers)
 root ~   $ elementsone 

This example shows that right after a flush it is recognised correctly, but a few seconds later the wrong one is pushed into the cache again.

Comparing the correct UID with the "saved" UID shows that the user is somehow being pushed into the idmap * group instead of the domain. Is there a setting that might be wrong or missing?

Additional information from the net cache listing shows the confusion; does anyone know how to trace it back to the source?

Key: IDMAP/UID2SID/10000000      Timeout: Thu Feb  9 21:26:52 2023       Value: S-1-5-21-3125647252-293200167-3195640431-1607
Key: IDMAP/GID2SID/60051         Timeout: Thu Feb  2 21:28:51 2023       Value: -  (expired)
Key: IDMAP/SID2XID/S-1-5-21-3125647252-293200167-3195640431-1632         Timeout: Thu Feb  9 21:26:48 2023       Value: 100000015:U
Key: SAF/DOMAIN/VFX.INT  Timeout: 14:09:24       Value: dc2.vfx.int  (expired)
Key: SID2NAME/S-1-5-21-3125647252-293200167-3195640431-1632      Timeout: 05:07:12       Value: VFX\president (1)  (expired)
Key: RA/fa506325-a3ca-11ed-9831-78e7d1f9d7fc     Timeout: Fri Feb 10 16:06:45 2023       Value: Vista
Key: IDMAP/SID2XID/S-1-5-21-3125647252-293200167-3195640431-1779         Timeout: 13:56:24       Value: -1:N  (expired)
Key: RA/f5e7d180-2234-9456-b2f6-86348565d8bd     Timeout: Mon Feb 13 10:55:38 2023       Value: OSX
Key: IDMAP/UID2SID/100000005     Timeout: Thu Feb  9 21:26:45 2023       Value: S-1-5-21-3125647252-293200167-3195640431-1607

I hope all the relevant information and tests are here; otherwise, please ask! (Yes, I am also working with the appliance vendor, but I get the feeling they are out of their depth on this one too; get in line, you lot ;)
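As an added diagnostic example (not part of the post above and not the appliance vendor's tooling), the following Python script parses the idmap ranges from the smb.conf quoted in the post and the `net cache list`-style entries quoted at the end, reports which idmap domain and backend each cached unix id falls into, and flags any SID that is cached under more than one unix id. Against the post's own entries it shows that 10000000 sits inside the `*` (tdb2) range while 100000005 sits inside the VFX (ad) range, and that the SID ending in -1607 is cached under both, which is the same conflict the `usermod` error and the flapping `id` output describe. The input strings are constructed from the post; the assumption is that the cache line format matches what `net cache list` prints on the appliance.

```python
import re
from collections import defaultdict

# Constructed sample: the idmap lines of the smb.conf quoted in the post.
SMB_CONF = """
idmap config * : backend=tdb2
idmap config * : range=1000000-99999999
idmap config VFX : backend=ad
idmap config VFX : unix_primary_group=yes
idmap config VFX : schema_mode=rfc2307
idmap config VFX : range=100000005-1999999999
"""

# Constructed sample: cache entries copied from the post, assumed to be in `net cache list` format.
NET_CACHE = """
Key: IDMAP/UID2SID/10000000      Timeout: Thu Feb  9 21:26:52 2023       Value: S-1-5-21-3125647252-293200167-3195640431-1607
Key: IDMAP/GID2SID/60051         Timeout: Thu Feb  2 21:28:51 2023       Value: -  (expired)
Key: IDMAP/SID2XID/S-1-5-21-3125647252-293200167-3195640431-1632         Timeout: Thu Feb  9 21:26:48 2023       Value: 100000015:U
Key: IDMAP/SID2XID/S-1-5-21-3125647252-293200167-3195640431-1779         Timeout: 13:56:24       Value: -1:N  (expired)
Key: IDMAP/UID2SID/100000005     Timeout: Thu Feb  9 21:26:45 2023       Value: S-1-5-21-3125647252-293200167-3195640431-1607
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
CACHE_RE = re.compile(r"^Key:\s+(\S+)\s+Timeout:\s+(.+?)\s+Value:\s+(.+?)\s*$")


def parse_idmap_domains(conf_text):
    """Return {domain: {"backend": ..., "range": (lo, hi), ...}} from 'idmap config' lines."""
    domains = defaultdict(dict)
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            domains[dom]["range"] = (lo, hi)
        else:
            domains[dom][key] = val
    return dict(domains)


def classify_xid(xid, domains):
    """Return (domain, backend) whose range contains xid; named domains win over '*'."""
    ordered = sorted(domains.items(), key=lambda kv: kv[0] == "*")
    for dom, cfg in ordered:
        lo, hi = cfg.get("range", (None, None))
        if lo is not None and lo <= xid <= hi:
            return dom, cfg.get("backend", "?")
    return None, None


def parse_cache(cache_text):
    """Parse 'Key: ... Timeout: ... Value: ...' lines; strip the '(expired)' marker."""
    entries = []
    for line in cache_text.splitlines():
        m = CACHE_RE.match(line)
        if not m:
            continue
        key, timeout, value = m.groups()
        expired = value.endswith("(expired)")
        value = value.replace("(expired)", "").strip()
        entries.append({"key": key, "timeout": timeout, "value": value, "expired": expired})
    return entries


def find_conflicts(cache_text, conf_text):
    """Return (classified, duplicates).

    classified: list of (key, xid, domain, backend) for each UID2SID/GID2SID entry.
    duplicates: {sid: sorted unix ids} for every SID cached under more than one unix id.
    """
    domains = parse_idmap_domains(conf_text)
    sid_to_xids = defaultdict(set)
    classified = []
    for e in parse_cache(cache_text):
        parts = e["key"].split("/")
        if len(parts) != 3 or parts[0] != "IDMAP":
            continue
        if parts[1] in ("UID2SID", "GID2SID"):
            xid = int(parts[2])
            classified.append((e["key"], xid) + classify_xid(xid, domains))
            if e["value"].startswith("S-1-"):
                sid_to_xids[e["value"]].add(xid)
        elif parts[1] == "SID2XID":
            # Value looks like 100000015:U (U=user, G=group, B=both, N=not mapped).
            num, _, kind = e["value"].partition(":")
            if kind != "N" and num.isdigit():
                sid_to_xids[parts[2]].add(int(num))
    duplicates = {sid: sorted(x) for sid, x in sid_to_xids.items() if len(x) > 1}
    return classified, duplicates


if __name__ == "__main__":
    classified, duplicates = find_conflicts(NET_CACHE, SMB_CONF)
    for key, xid, dom, backend in classified:
        print(f"{key}: {xid} -> idmap domain {dom!r} backend {backend!r}")
    for sid, xids in duplicates.items():
        print(f"CONFLICT: {sid} cached under unix ids {xids}")
```

On the appliance the same check can be run on live data by replacing the two constructed strings with the output of `testparm -s` (for the idmap lines) and `net cache list`; a SID that shows up under two unix ids, one in each backend's range, is the signature to look for before deciding which cache or tdb to clear.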
