samba - Apr 2023 - Big problems with samba 4.17.7 with classic domain (NT4) and LDAP

Hi...

We are still using NT4 classic domain with a couple of samba server but 
want to upgrade step by step to AD as a distant goal.
We tried to upgrade to samba 4.17.7 as in intermediate step and keep LDAP 
for now but fail as we could not find a suitable 
example for id mapping. Hope someone can help!

Previously we did run samba 4.7 on CentOS 7 without problems as domain 
controller and member servers.
Now we want to switch to Oracle Linux 9. But here samba 4.7 does no longer 
compile so we need to use a
newer version. So we decided to use 4.17.7. With 4.7 we did not need to 
use winbind - now we have to.

We have a domain controller which connects to an ldap server for accounts 
and everything containing
all users, groups, hosts, dns,dhcp infos.

Domain Controller smb conf:

[global]
        server role = classic primary domain controller
        unix charset = UTF-8
        workgroup = MYDOM
        server string = MYDOM domaincontroller
        passdb backend = ldapsam:"ldap://localhost"
        log file = /usr/local/samba/var/log.%m
        name resolve order = host bcast
        logon path = \\%N\profiles\%U
        logon home         domain logons = Yes
        os level = 66
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=Directory Manager
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap,ou=samba
        ldap machine suffix = ou=computers,ou=samba
        ldap passwd sync = yes
        ldap suffix = dc=onevision,dc=com
        ldap user suffix = ou=people
        hide dot files = No
        csc policy = disable
        strict locking = No
        idmap config * : backend = tdb
        idmap config * : range = 101-999
        idmap config * : backend = tdb
        idmap config * : range = 101-999
        idmap config MYDOM : backend = rid
        idmap config MYDOM : range = 1000-999999
        winbind use default domain = true
        winbind offline logon = false
        idmap backend = ldap:"ldap://localhost"
        idmap uid = 1000-10000
        idmap gid = 1000-10000
        allow nt4 crypto = Yes
        max protocol = NT1
        client min protocol = NT1
        server min protocol = NT1

This seems to work I can login here with my ldap account and see and use 
shares from the PDC.
We limit the protocol to NT1 as we did always. Maybe this is no longer 
needed? We have
to investigate this later. So far so good.

But the problems arise on member servers. Config of one of it:
[global]
        server role = member server
        unix charset = UTF-8
        workgroup = MYDOM
        server string = Fileserver
        security = domain
        map to guest = Never
        name resolve order = host bcast
        client min protocol=NT1
        server min protocol=NT1
        unix extensions = No
        hide dot files = No
        csc policy = disable
        strict locking = No
        wide links = Yes
        acl allow execute always = True
        idmap config * : backend = tdb
        idmap config * : range = 101-999
        idmap config ONEVISION : backend = rid
        idmap config ONEVISION : range = 1000-999999
        winbind use default domain = true
        winbind offline logon = false

I cannot open the member server from my windows machine with my 
useraccount (which works for the domain controller).
On the member server I see these errors:

Apr 18 17:46:12 host winbindd[143640]:   saf_store: refusing to store 0 
length domain or servername!

I don't know whether this is a problem but wanted to show it

Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040,  0] 
../../source3/auth/auth_util.c:1933(check_account)
Apr 18 17:46:31 host smbd[143656]:   check_account: Failed to find local 
account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])

This is for sure a problem. Why does samba wants to map to uid 2000?

For us we need a simple straight mapping:
SID S-1-5-21-X-Y-Z-1000 == Unix  ID 1000
SID S-1-5-21-X-Y-Z-5555 == Unix  ID 5555

For us the last part of the SID is the userid of the user on linux. The 
linux system also knows about the users as it is connected the ldap 
natively.
I believe I just need to convince samba to use the last part of the SID as 
linux id - as it did in the past. How can this be done?

Hope someone can urgently help!

Thank you very much

Roland

On 18/04/2023 13:29, Roland Schwingel via samba wrote:
> Hi...
> 
> We are still using NT4 classic domain with a couple of samba server but
> want to upgrade step by step to AD as a distant goal.
I would bring that goal a lot nearer, Samba is working hard on removing 
SMBv1 and I wouldn't be surprised if Microsoft didn't totally remove it 
shortly after Samba does, you never know, they may do it before.
> We tried to upgrade to samba 4.17.7 as in intermediate step and keep LDAP
> for now but fail as we could not find a suitable
> example for id mapping. Hope someone can help!
> 
> Previously we did run samba 4.7 on CentOS 7 without problems as domain
> controller and member servers.
> Now we want to switch to Oracle Linux 9. But here samba 4.7 does no longer
> compile so we need to use a
> newer version. So we decided to use 4.17.7. With 4.7 we did not need to
> use winbind - now we have to.
It has been like that since 4.8.0
> 
> We have a domain controller which connects to an ldap server for accounts
> and everything containing
> all users, groups, hosts, dns,dhcp infos.
I take it you are referring to the PDC.
> 
> Domain Controller smb conf:
> 
> [global]
>          server role = classic primary domain controller
>          unix charset = UTF-8
>          workgroup = MYDOM
>          server string = MYDOM domaincontroller
>          passdb backend = ldapsam:"ldap://localhost"
>          log file = /usr/local/samba/var/log.%m
>          name resolve order = host bcast
>          logon path = \\%N\profiles\%U
>          logon home >          domain logons = Yes
>          os level = 66
>          preferred master = Yes
>          domain master = Yes
>          dns proxy = No
>          ldap admin dn = cn=Directory Manager
>          ldap group suffix = ou=groups
>          ldap idmap suffix = ou=idmap,ou=samba
>          ldap machine suffix = ou=computers,ou=samba
>          ldap passwd sync = yes
>          ldap suffix = dc=onevision,dc=com
>          ldap user suffix = ou=people
>          hide dot files = No
>          csc policy = disable
>          strict locking = No
>          idmap config * : backend = tdb
>          idmap config * : range = 101-999
>          idmap config * : backend = tdb
>          idmap config * : range = 101-999
>          idmap config MYDOM : backend = rid
>          idmap config MYDOM : range = 1000-999999
>          winbind use default domain = true
>          winbind offline logon = false
>          idmap backend = ldap:"ldap://localhost"
>          idmap uid = 1000-10000
>          idmap gid = 1000-10000

There at least three methods of doing basic id mapping, very old, old 
and current, you have all three there ;-)

'idmap backend' is the very old one, 'idmap uid/gid' is the old
one and
'idmap config' is the current one.

It has been a long time since I set up a PDC, but like an AD DC, you 
really should only use it for authentication.

With the way that you have setup the smb.conf above, just about 
everything is overwriting everything else.
The default domain '*' is set to use the '101-999' range, but is
then
clobbered by the 'idmap uid/gid' range '1000-10000', which is
inside the
'MYDOM' range '1000-999999'. You also (unless it is a
cut&paste error)
have the default domain lines twice.

If you do not need users to login to the PDC, you could try removing all 
the idmapping lines.
>          allow nt4 crypto = Yes
>          max protocol = NT1
>          client min protocol = NT1
>          server min protocol = NT1
> 
> This seems to work I can login here with my ldap account and see and use
> shares from the PDC.
> We limit the protocol to NT1 as we did always. Maybe this is no longer
> needed? We have
> to investigate this later. So far so good.
Whilst you are running a PDC, you are stuck with using the very insecure 
SMBv1.
> 
> But the problems arise on member servers. Config of one of it:
> [global]
>          server role = member server
>          unix charset = UTF-8
>          workgroup = MYDOM
>          server string = Fileserver
>          security = domain
>          map to guest = Never
>          name resolve order = host bcast
>          client min protocol=NT1
>          server min protocol=NT1
>          unix extensions = No
>          hide dot files = No
>          csc policy = disable
>          strict locking = No
>          wide links = Yes
>          acl allow execute always = True
>          idmap config * : backend = tdb
>          idmap config * : range = 101-999
>          idmap config ONEVISION : backend = rid
>          idmap config ONEVISION : range = 1000-999999
>          winbind use default domain = true
>          winbind offline logon = false
I really hope that 'MYDOM' is actually 'ONEVISION', because it
isn't
going to work unless they are the same.
> 
> I cannot open the member server from my windows machine with my
> useraccount (which works for the domain controller).
> On the member server I see these errors:
> 
> Apr 18 17:46:12 host winbindd[143640]:   saf_store: refusing to store 0
> length domain or servername!
> 
> I don't know whether this is a problem but wanted to show it
> 
> Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040,  0]
> ../../source3/auth/auth_util.c:1933(check_account)
> Apr 18 17:46:31 host smbd[143656]:   check_account: Failed to find local
> account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
> 
> This is for sure a problem. Why does samba wants to map to uid 2000?
> 
> For us we need a simple straight mapping:
> SID S-1-5-21-X-Y-Z-1000 == Unix  ID 1000
> SID S-1-5-21-X-Y-Z-5555 == Unix  ID 5555
You do know how the 'rid' idmap backend works, don't you ?
Just in case you have misunderstood it, this is is how it works.
The user (or group) RID is used to calculate the users ID like this:

ID = low range + RID

So this means that, your ID for RID '1000' will be:

ID = 1000 + 1000

Or

ID = 2000

Oh look, that is the UID in your error

You do not use local Unix users any more.
> 
> For us the last part of the SID is the userid of the user on linux. The
> linux system also knows about the users as it is connected the ldap
> natively.
No, in my opinion, you shouldn't be connecting to ldap and a PDC at the 
same time.
> I believe I just need to convince samba to use the last part of the SID as
> linux id - as it did in the past. How can this be done?
Use rfc2307 attributes and the 'ad' idmap backend, a lot more work for 
little gain.

AD is the way forward.

Rowland

Am 18. April 2023 14:29:29 MESZ schrieb Roland Schwingel via samba <samba at
lists.samba.org>:
>Hi...
>
>We are still using NT4 classic domain with a couple of samba server but 
>want to upgrade step by step to AD as a distant goal.
>We tried to upgrade to samba 4.17.7 as in intermediate step and keep LDAP 
>for now but fail as we could not find a suitable 
>example for id mapping. Hope someone can help!
>
>Previously we did run samba 4.7 on CentOS 7 without problems as domain 
>controller and member servers.
>Now we want to switch to Oracle Linux 9. But here samba 4.7 does no longer 
>compile so we need to use a
>newer version. So we decided to use 4.17.7. With 4.7 we did not need to 
>use winbind - now we have to.
>
>We have a domain controller which connects to an ldap server for accounts 
>and everything containing
>all users, groups, hosts, dns,dhcp infos.
>
>Domain Controller smb conf:
>
>[global]
>        server role = classic primary domain controller
>        unix charset = UTF-8
>        workgroup = MYDOM
>        server string = MYDOM domaincontroller
>        passdb backend = ldapsam:"ldap://localhost"
>        log file = /usr/local/samba/var/log.%m
>        name resolve order = host bcast
>        logon path = \\%N\profiles\%U
>        logon home >        domain logons = Yes
>        os level = 66
>        preferred master = Yes
>        domain master = Yes
>        dns proxy = No
>        ldap admin dn = cn=Directory Manager
>        ldap group suffix = ou=groups
>        ldap idmap suffix = ou=idmap,ou=samba
>        ldap machine suffix = ou=computers,ou=samba
>        ldap passwd sync = yes
>        ldap suffix = dc=onevision,dc=com
>        ldap user suffix = ou=people
>        hide dot files = No
>        csc policy = disable
>        strict locking = No
>        idmap config * : backend = tdb
>        idmap config * : range = 101-999
>        idmap config * : backend = tdb
>        idmap config * : range = 101-999
>        idmap config MYDOM : backend = rid
>        idmap config MYDOM : range = 1000-999999
>        winbind use default domain = true
>        winbind offline logon = false
>        idmap backend = ldap:"ldap://localhost"
>        idmap uid = 1000-10000
>        idmap gid = 1000-10000
>        allow nt4 crypto = Yes
>        max protocol = NT1
>        client min protocol = NT1
>        server min protocol = NT1
>
>This seems to work I can login here with my ldap account and see and use 
>shares from the PDC.
>We limit the protocol to NT1 as we did always. Maybe this is no longer 
>needed? We have
>to investigate this later. So far so good.
>
>But the problems arise on member servers. Config of one of it:
>[global]
>        server role = member server
>        unix charset = UTF-8
>        workgroup = MYDOM
>        server string = Fileserver
>        security = domain
>        map to guest = Never
>        name resolve order = host bcast
>        client min protocol=NT1
>        server min protocol=NT1
>        unix extensions = No
>        hide dot files = No
>        csc policy = disable
>        strict locking = No
>        wide links = Yes
>        acl allow execute always = True
>        idmap config * : backend = tdb
>        idmap config * : range = 101-999
>        idmap config ONEVISION : backend = rid
>        idmap config ONEVISION : range = 1000-999999
>        winbind use default domain = true
>        winbind offline logon = false
>
>I cannot open the member server from my windows machine with my 
>useraccount (which works for the domain controller).
>On the member server I see these errors:
>
>Apr 18 17:46:12 host winbindd[143640]:   saf_store: refusing to store 0 
>length domain or servername!
>
>I don't know whether this is a problem but wanted to show it
>
>Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040,  0] 
>../../source3/auth/auth_util.c:1933(check_account)
>Apr 18 17:46:31 host smbd[143656]:   check_account: Failed to find local 
>account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
>
>This is for sure a problem. Why does samba wants to map to uid 2000?
Because you configured it that way:

idmap config ONEVISION : range = 1000-999999

As Rowland explained how the rid backend works you should have:

idmap config ONEVISION : range = 0-999999

Most of the things Rowland wrote about your other settings also applies.

But if this works we can work from there.




Regards

Christian

Hi Roland,

I would not touch the old NT-Style stuff at all. Leave it as it is and 
mirgrste to Samba-AD you can do it on the fly, so you don't have any 
downtime during mirgration. It takes a bit of time and thinking ;-) but 
it works. I did thids several times.

Doing the step to first update to a new Samba-Version and NT-Style 
domain is mostly much more work then migrating to AD.


Am 18.04.23 um 14:29 schrieb Roland Schwingel via samba:
> Hi...
> 
> We are still using NT4 classic domain with a couple of samba server but
> want to upgrade step by step to AD as a distant goal.
> We tried to upgrade to samba 4.17.7 as in intermediate step and keep LDAP
> for now but fail as we could not find a suitable
> example for id mapping. Hope someone can help!
> 
> Previously we did run samba 4.7 on CentOS 7 without problems as domain
> controller and member servers.
> Now we want to switch to Oracle Linux 9. But here samba 4.7 does no longer
> compile so we need to use a
> newer version. So we decided to use 4.17.7. With 4.7 we did not need to
> use winbind - now we have to.
> 
> We have a domain controller which connects to an ldap server for accounts
> and everything containing
> all users, groups, hosts, dns,dhcp infos.
> 
> Domain Controller smb conf:
> 
> [global]
>          server role = classic primary domain controller
>          unix charset = UTF-8
>          workgroup = MYDOM
>          server string = MYDOM domaincontroller
>          passdb backend = ldapsam:"ldap://localhost"
>          log file = /usr/local/samba/var/log.%m
>          name resolve order = host bcast
>          logon path = \\%N\profiles\%U
>          logon home >          domain logons = Yes
>          os level = 66
>          preferred master = Yes
>          domain master = Yes
>          dns proxy = No
>          ldap admin dn = cn=Directory Manager
>          ldap group suffix = ou=groups
>          ldap idmap suffix = ou=idmap,ou=samba
>          ldap machine suffix = ou=computers,ou=samba
>          ldap passwd sync = yes
>          ldap suffix = dc=onevision,dc=com
>          ldap user suffix = ou=people
>          hide dot files = No
>          csc policy = disable
>          strict locking = No
>          idmap config * : backend = tdb
>          idmap config * : range = 101-999
>          idmap config * : backend = tdb
>          idmap config * : range = 101-999
>          idmap config MYDOM : backend = rid
>          idmap config MYDOM : range = 1000-999999
>          winbind use default domain = true
>          winbind offline logon = false
>          idmap backend = ldap:"ldap://localhost"
>          idmap uid = 1000-10000
>          idmap gid = 1000-10000
>          allow nt4 crypto = Yes
>          max protocol = NT1
>          client min protocol = NT1
>          server min protocol = NT1
> 
> This seems to work I can login here with my ldap account and see and use
> shares from the PDC.
> We limit the protocol to NT1 as we did always. Maybe this is no longer
> needed? We have
> to investigate this later. So far so good.
> 
> But the problems arise on member servers. Config of one of it:
> [global]
>          server role = member server
>          unix charset = UTF-8
>          workgroup = MYDOM
>          server string = Fileserver
>          security = domain
>          map to guest = Never
>          name resolve order = host bcast
>          client min protocol=NT1
>          server min protocol=NT1
>          unix extensions = No
>          hide dot files = No
>          csc policy = disable
>          strict locking = No
>          wide links = Yes
>          acl allow execute always = True
>          idmap config * : backend = tdb
>          idmap config * : range = 101-999
>          idmap config ONEVISION : backend = rid
>          idmap config ONEVISION : range = 1000-999999
>          winbind use default domain = true
>          winbind offline logon = false
> 
> I cannot open the member server from my windows machine with my
> useraccount (which works for the domain controller).
> On the member server I see these errors:
> 
> Apr 18 17:46:12 host winbindd[143640]:   saf_store: refusing to store 0
> length domain or servername!
> 
> I don't know whether this is a problem but wanted to show it
> 
> Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040,  0]
> ../../source3/auth/auth_util.c:1933(check_account)
> Apr 18 17:46:31 host smbd[143656]:   check_account: Failed to find local
> account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
> 
> This is for sure a problem. Why does samba wants to map to uid 2000?
> 
> For us we need a simple straight mapping:
> SID S-1-5-21-X-Y-Z-1000 == Unix  ID 1000
> SID S-1-5-21-X-Y-Z-5555 == Unix  ID 5555
> 
> For us the last part of the SID is the userid of the user on linux. The
> linux system also knows about the users as it is connected the ldap
> natively.
> I believe I just need to convince samba to use the last part of the SID as
> linux id - as it did in the past. How can this be done?
> 
> Hope someone can urgently help!
> 
> Thank you very much
> 
> Roland
>