I have been unable to process any Domain Logins of any type on OpenSuse Leap 15.3. I get an invalid SID error. This has been isolated to just one of my Domain Controllers. Unfortunately, it's my Primary Domain Controller.

Basically normal Samba and Domain AD Logins fail with

NT_STATUS_INVALID_SID

A Bug report has been opened at:

https://bugzilla.samba.org/show_bug.cgi?id=15079

Kerberos KDC and LDAP functionality still works, but not much else does. I believe that some sort of corruption has entered the database. My other two DCs are unaffected. Please review the errors in the bug reports and advise.
On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
> I have been unable to process any Domain Logins of any type on OpenSuse
> Leap 15.3. I get an invalid SID error.
> This has been isolated to just one of my Domain Controllers.
> Unfortunately, it's my Primary Domain Controller.
>
> Basically normal Samba and Domain AD Logins fail with
>
> NT_STATUS_INVALID_SID
>
> A Bug report has been opened at:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15079
>
> Kerberos KDC and LDAP functionality still works, but not much else
> does. I believe that some sort of corruption has entered the
> database.
> My other two DCs are unaffected. Please review the errors in the bug
> reports and advise.

Please provide the output from 'testparm -s' as requested.

Also, you do not have a primary DC, you just have a DC that holds the FSMO roles including the PDC_Emulator.

If you have a problem with just one DC, then demote it and add a new one, even if it is the DC holding the FSMO roles.

Rowland
Jumping back to the top of this chain again, as it has gone down various ratholes.

On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
> I have been unable to process any Domain Logins of any type on OpenSuse
> Leap 15.3. I get an invalid SID error.
> This has been isolated to just one of my Domain Controllers.
> Unfortunately, it's my Primary Domain Controller.
>
> Basically normal Samba and Domain AD Logins fail with
>
> NT_STATUS_INVALID_SID

So, what I would say is that idmap.ldb is not synchronised, so this might explain that being on just one DC. Digging into this may show what the issue is there, otherwise just build a new DC (these can/should be VMs).

As you have been using Samba as a fileserver also, you will need to take care that any new DC, or removing idmap.ldb to have it rebuilt, will change the IDMAP, eg the effective owner of files. Personally I suspect that file may have been edited or damaged.

This is why we suggest separation, so traditional Samba fileserver rules can be used to manage idmap, as that is more suitable (IDMAP management in the AD DC is poor).

We have already determined that while there is an odd DN in the DB, it isn't fatal, just exposes a less-than-ideal behaviour in dbcheck.

Within your physical constraints, do please try to follow our deployment recommendations, it will help us help you.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
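One way to test the suspicion raised above, that idmap.ldb has drifted on one DC, is to export the SID-to-xidNumber mappings from each DC and compare them. The script below is an added example written for this thread, not code from the Samba project or from anyone in the discussion. It assumes the exports were produced with `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber` on each DC; the two LDIF files embedded here are constructed sample data with made-up SIDs, and a real run would compare exports copied from two DCs.

```shell
#!/bin/sh
# Compare idmap.ldb exports from two DCs and report every SID whose xidNumber
# differs, or which is present on only one side. A non-empty report means the
# two DCs would assign different Unix owners to the same AD account.

# Turn an LDIF export into "SID xidNumber" pairs, one record per line.
# ldbsearch separates records with a blank line; comment lines start with '#'.
idmap_pairs() {
    awk '
        /^objectSid:/ { sid = $2 }
        /^xidNumber:/ { xid = $2 }
        /^$/          { if (sid != "") print sid, xid; sid = ""; xid = "" }
        END           { if (sid != "") print sid, xid }
    ' "$1"
}

# Print "SID xid_on_dc1 xid_on_dc2" for each mismatch; "-" marks a missing mapping.
idmap_diff() {
    pairs_a=$(mktemp); pairs_b=$(mktemp)
    idmap_pairs "$1" > "$pairs_a"
    idmap_pairs "$2" > "$pairs_b"
    awk '
        FILENAME == ARGV[1] { a[$1] = $2; next }
        { b[$1] = $2 }
        END {
            for (s in a) { if (!(s in b)) print s, a[s], "-"; else if (a[s] != b[s]) print s, a[s], b[s] }
            for (s in b) { if (!(s in a)) print s, "-", b[s] }
        }
    ' "$pairs_a" "$pairs_b" | sort
    rm -f "$pairs_a" "$pairs_b"
}

# Constructed sample exports (not real DC output). DC2 has been given one
# changed mapping, one missing mapping and one extra mapping relative to DC1.
DC1_LDIF=$(mktemp); DC2_LDIF=$(mktemp)
trap 'rm -f "$DC1_LDIF" "$DC2_LDIF"' EXIT
cat > "$DC1_LDIF" <<'EOF'
# record 1
dn: CN=S-1-5-21-1000-2000-3000-1103
objectSid: S-1-5-21-1000-2000-3000-1103
xidNumber: 3000001

# record 2
dn: CN=S-1-5-21-1000-2000-3000-1104
objectSid: S-1-5-21-1000-2000-3000-1104
xidNumber: 3000002

# record 3
dn: CN=S-1-5-21-1000-2000-3000-1105
objectSid: S-1-5-21-1000-2000-3000-1105
xidNumber: 3000003

# returned 3 records
EOF
cat > "$DC2_LDIF" <<'EOF'
# record 1
dn: CN=S-1-5-21-1000-2000-3000-1103
objectSid: S-1-5-21-1000-2000-3000-1103
xidNumber: 3000001

# record 2
dn: CN=S-1-5-21-1000-2000-3000-1104
objectSid: S-1-5-21-1000-2000-3000-1104
xidNumber: 3000005

# record 3
dn: CN=S-1-5-21-1000-2000-3000-1106
objectSid: S-1-5-21-1000-2000-3000-1106
xidNumber: 3000004

# returned 3 records
EOF

# Usage: idmap_diff dc1-idmap.ldif dc2-idmap.ldif
idmap_diff "$DC1_LDIF" "$DC2_LDIF"
```

Any line in the report is a SID whose files would show a different owner depending on which DC answered the lookup, which is the kind of divergence that makes replacing the odd-one-out DC (or restoring its idmap.ldb from a known-good copy) preferable to guessing which mapping is right.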
Zombie Ryushu
2022-Jun-05  03:11 UTC
[Samba] Bind creates a situation where SSSD crashes due to samba_dnsupdate
We WERE able to get Kerberized Bind Zone Updates working for the very first time (GSS-TSIG). What this means is that samba_dnsupdate -actually works- just with straight Bind.

That's had a bad secondary effect. Samba injects a record that looks like:

pukey IN A 192.168.0.4

into Bind. This crashes SSSD with an Assertion failure. How do I remove this DNS entry from Samba?