On 07/12/2022 16:00, Leszek Szczepanowski via samba wrote:
> I was using Samba 4.16, all was ok.
> My clustered Samba is joined to AD domain, all was working.
> By mistake I updated servers to Samba 4.17.2
> Now, just on winbind start, I'm receiving this:
>
> [root at fs01 samba]# net ads testjoin
> Join is OK
> Dec 07 16:41:30 fs01.ams.optiva.com winbindd[82557]: [2022/12/07
> 16:41:30.246099, 1]
> ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
> Dec 07 16:41:30 fs01.ams.optiva.com winbindd[82557]:
> ../../source3/rpc_client/cli_pipe.c:550: RPC fault code
> DCERPC_NCA_S_OP_RNG_ERROR received from host fs01!
> Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: [2022/12/07
> 16:41:33.313098, 1]
> ../../source3/winbindd/wb_queryuser.c:402(wb_queryuser_got_gid)
> Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: Returning
> NT_STATUS_NO_SUCH_USER
> Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: xid.type must be
> ID_TYPE_UID or ID_TYPE_BOTH.
> Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: [2022/12/07
> 16:41:33.313194, 1]
> ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
> Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: Could not convert
> sid S-1-5-21-76667877-53546716-1882380502-1000: NT_STATUS_NO_SUCH_USER
>
> In general wbinfo -u and -g working.
> id too:
> [root at fs01 samba]# id "XXX\lszczepa"
> uid=25360(XXX\lszczepa) gid=1315200513(XXX\domain users)
> groups=1315200513(XXX\domain users),25360(XXX\lszczepa)
>
> [root at fs01 samba]# net conf list
> [global]
> logging = syslog
> log level = 1
> clustering = yes
> security = ads
> realm = XXX.YYY.ZZZ
> map acl inherit = yes
> workgroup = XXX
> kerberos method = secrets and keytab
> idmap config * : range = 1000-7999
> idmap config * : backend = tdb
> ctdb:registry.tdb = yes
> netbios name = FS
> idmap config XXX: range = 100000-1999999999
> idmap config XXX: backend = rid
>
>
> [symptoms]
> read only = no
> inherit acls = yes
> guest ok = no
> browseable = yes
> path = /mnt/glusterfs/symptoms/
>
> [root at fs01 samba]# smbclient ////localhost//symptoms -U lszczepa
> Password for [XXX\lszczepa]:
> do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
>
> Because of this, I cannot login to the samba share using AD credentials :(
>
> What is this S-1-5-21-76667877-53546716-1882380502-1000 ??
> Actually, my user on this machine has uid=1000 and gid=1000
> But I think it has nothing to do with that.

It could have a lot to do with that.

S-1-5-21-76667877-53546716-1882380502-1000 is the user's SID, which is composed of the domain SID: S-1-5-21-76667877-53546716-1882380502 and the user's RID: 1000 (provided this is your user's SID).

Why have you started the default range '*' at '1000' in your smb.conf?

How, if the 'XXX' range starts at '100000' and you are using the 'rid' idmap backend, does your user get the ID '1000'?

I would have expected (provided that your user has the RID '1000') it to be '101000'.

Or do you have a local Unix user with the ID '1000'?

Another option is that 'XXX' isn't your NetBIOS domain name (aka workgroup).

Rowland
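
Added example, not part of the original thread or of Samba's code: the SID split and the rid-backend arithmetic discussed above, using the formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID) and the ranges from the quoted smb.conf. The function names are hypothetical and base_rid is assumed to be at its default of 0.

```python
# Added example: idmap_rid arithmetic per idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
# Ranges are copied from the smb.conf quoted in the thread; function names are hypothetical.

DEFAULT_RANGE = (1000, 7999)          # idmap config * : range
DOMAIN_RANGE = (100000, 1999999999)   # idmap config XXX : range


def split_sid(sid):
    """Split a user or group SID into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(rid, id_range, base_rid=0):
    """Unix ID the rid backend computes, or None when it falls outside the range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def owning_range(unix_id):
    """Name of the configured idmap range that contains unix_id, or None."""
    for name, (low, high) in (("*", DEFAULT_RANGE), ("XXX", DOMAIN_RANGE)):
        if low <= unix_id <= high:
            return name
    return None


if __name__ == "__main__":
    domain_sid, rid = split_sid("S-1-5-21-76667877-53546716-1882380502-1000")
    print("domain SID:", domain_sid, "RID:", rid)
    print("rid backend ID for that RID:", rid_to_unix_id(rid, DOMAIN_RANGE))
    # IDs taken from the thread: the local uid 1000 and the uid printed by `id`.
    for uid in (1000, 25360):
        print(f"uid {uid} falls in idmap range:", owning_range(uid))
```
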