Viktor Trojanovic
2022-Jan-11 14:17 UTC
[Samba] Problem on Windows AD Member based on Ubuntu with Samba 4.13.14
Hi,

A recent security update to 4.13.14 seems to have broken our Windows AD member server in some way.

We're experiencing some weird behaviour on the Samba network shares (files that are deleted reappear again after a refresh), and the logs are full of errors of the following kind:

log.smbd
------------

[2022/01/11 14:42:56.187773, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\computer1$])

log.wb-FS1 (FS1 = the member server)
-----------------------------

[2021/11/30 00:46:03.474847, 0] ../../source3/winbindd/winbindd.c:247(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2021/11/30 00:50:18.821399, 0] ../../source3/winbindd/winbindd_cm.c:1873(wb_open_internal_pipe)
  open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2021/11/30 00:50:18.878596, 0] ../../source3/rpc_server/rpc_ncacn_np.c:454(rpcint_dispatch)
  rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR

I read through some of the threads in the list of the last couple of months and saw that it seems necessary to have the instruction "min domain uid = 0" in the global section of smb.conf. We're still experiencing errors in the logs after this change.

Further, in the bug https://bugzilla.samba.org/show_bug.cgi?id=14901, it states that a username mapping script should be created. I created the file username_map_script.sh in /etc/samba, but in log.smbd it is stated that the file cannot be accessed (permission denied). Before, I used to work with a username mapping file which is also readable only by root, which wasn't a problem, so I'm not sure why samba cannot access or run this script.

Grateful for any advice on how to solve this.

Viktor

smb.conf
-------------

[global]
workgroup = HQ
security = ADS
realm = HQ.EXAMPLE.COM

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config HQ:backend = ad
idmap config HQ:schema_mode = rfc2307
idmap config HQ:range = 10000-999999
idmap config HQ:unix_nss_info = yes

username map = /etc/samba/user.map
username map script = /etc/samba/username_map_script.sh

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
winbind refresh tickets = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

min domain uid = 0

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

[Share1]
path = /srv/samba/HQ/software
read only = no
Viktor Trojanovic
2022-Jan-16 10:17 UTC
[Samba] Problem on Windows AD Member based on Ubuntu with Samba 4.13.14
Not sure why I'm getting no replies on this. Did I miss something obvious?

On Tue, 11 Jan 2022 at 15:17, Viktor Trojanovic <viktor at troja.ch> wrote:

> Hi,
>
> A recent security update to 4.13.14 seems to have broken our Windows AD member server in some way.
>
> We're experiencing some weird behaviour on the Samba network shares (files that are deleted reappear again after a refresh), and the logs are full of errors of the following kind:
>
> log.smbd
> ------------
>
> [2022/01/11 14:42:56.187773, 0] ../../source3/auth/auth_util.c:1913(check_account)
>   check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\computer1$])
>
> log.wb-FS1 (FS1 = the member server)
> -----------------------------
>
> [2021/11/30 00:46:03.474847, 0] ../../source3/winbindd/winbindd.c:247(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2021/11/30 00:50:18.821399, 0] ../../source3/winbindd/winbindd_cm.c:1873(wb_open_internal_pipe)
>   open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
> [2021/11/30 00:50:18.878596, 0] ../../source3/rpc_server/rpc_ncacn_np.c:454(rpcint_dispatch)
>   rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR
>
> I read through some of the threads in the list of the last couple of months and saw that it seems necessary to have the instruction "min domain uid = 0" in the global section of smb.conf. We're still experiencing errors in the logs after this change.
>
> Further, in the bug https://bugzilla.samba.org/show_bug.cgi?id=14901, it states that a username mapping script should be created. I created the file username_map_script.sh in /etc/samba, but in log.smbd it is stated that the file cannot be accessed (permission denied). Before, I used to work with a username mapping file which is also readable only by root, which wasn't a problem, so I'm not sure why samba cannot access or run this script.
>
> Grateful for any advice on how to solve this.
>
> Viktor
>
> smb.conf
> -------------
>
> [global]
> workgroup = HQ
> security = ADS
> realm = HQ.EXAMPLE.COM
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config HQ:backend = ad
> idmap config HQ:schema_mode = rfc2307
> idmap config HQ:range = 10000-999999
> idmap config HQ:unix_nss_info = yes
>
> username map = /etc/samba/user.map
> username map script = /etc/samba/username_map_script.sh
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> winbind refresh tickets = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> min domain uid = 0
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
> [Share1]
> path = /srv/samba/HQ/software
> read only = no