Rowland Penny
2025-Apr-24 07:25 UTC
[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
On Wed, 23 Apr 2025 13:00:46 -0500
"Dustin L. Howett via samba" <samba at lists.samba.org> wrote:

> On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba
> wrote:
> > On Tue, 22 Apr 2025 21:09:26 -0500
> > Dustin Howett via samba <samba at lists.samba.org> wrote:
> >
> > > - On Server 2025, it returns a failure instead:
> > > NT_STATUS_NO_SUCH_DOMAIN
> >
> > It seems that your DC cannot be found, so for a start, can you post
> > the /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
>
> Thanks Rowland (and sorry for the stray Fwd in the subject.)
>
> Just to note before I get into my config files: wbinfo (et al) report
> that the DC is reachable in both cases. Other domain operations such
> as user enumeration also work.
>
> On both members (2022 lab and 2025 lab):
>
> (Note that due to the identical lab setup, the DC hostname is the
> same. **These machines are in isolated networks and cannot see
> each other**.)
>
> -- 8< snip --
>
> root at dom-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom-test-member:~# wbinfo -u
> DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom-test-member:~#
>
> ---
>
> root at dom2-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom2-test-member:~# wbinfo -u
> DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom2-test-member:~#
>
> -- 8< snip --
>
> Here are the config files you've asked for.
> krb5.conf and smb.conf are almost identical (I will call out the
> change between the two with a diff below.). resolv.conf only differs
> because of the lab subnet.
>
> --- resolv.conf (member of working 2022 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.1.2
>
> --- resolv.conf (member of failing 2025 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.2.2
>
> --- krb5.conf (both, identical) ---
> [libdefaults]
> default_realm = DOMTEST.HOWETT.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> rdns = false
> fcc-mit-ticketflags = true
>

Try this one instead:

[libdefaults]
default_realm = DOMTEST.HOWETT.NET
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
DOMTEST.HOWETT.NET = {
default_domain = domtest.howett.net
}

[domain_realm]
YOUR_COMPUTERS_SHORT_HOSTNAME_IN_UPPERCASE = DOMTEST.HOWETT.NET

Making the obvious change.

> --- smb.conf ---
>
> [global]
> log file = /var/log/samba/log.%m
> logging = file
> log level = 10
> map to guest = Bad User

Why do you have that set ? You do not seem to have 'guest ok' or
'public' in any shares.

> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> realm = DOMTEST.HOWETT.NET
> server role = member server
> unix password sync = Yes

Why 'unix password sync' ? you shouldn't have any users both in
/etc/passwd and AD.

> usershare allow guests = Yes
> workgroup = DOMTEST
> idmap config * : backend = tdb
> idmap config * : range = 1000-9999
> idmap config domtest:backend = ad
> idmap config domtest:schema_mode = rfc2307
> idmap config domtest:range = 500-599
> idmap config domtest:unix_nss_info = yes

Why such low numbers ? was this domain classic upgraded from an
NT4-style domain ?

Rowland
Dustin Howett
2025-Apr-27 23:43 UTC
[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
On Thu, Apr 24, 2025 at 2:25 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> Try this one instead:
>
> <snipped>
>
> Making the obvious change.

Thanks. I gave that a shot, but it still results in the same set of errors.

> > map to guest = Bad User
>
> Why do you have that set ? You do not seem to have 'guest ok' or
> 'public' in any shares.
>
> Why 'unix password sync' ? you shouldn't have any users both in
> /etc/passwd and AD.

Only hasty construction of the test lab. These were present in the
default configuration file, and I did not want to remove things that
*could* be important. It turns out they are not important.

> > idmap config domtest:range = 500-599
>
> Why such low numbers ? was this domain classic upgraded from an
> NT4-style domain ?

Much worse. UIDs were chosen about a decade ago for coherence with *OS X*
systems which predated the AD domain. If only I had it to do over, I would!

Stitching responses from your other mail (just to keep the thread from
diverging, and let that fork die)

> There is no such thing as a PDC in AD [...]

Ah, my own naivete then. Thank you.

With an N=3, I can reliably reproduce this on upgrading the domain
controller from Server 2022 to *the latest version of* Server 2025 - with
any of my home domain or lab configurations.

Doing a little bit of bisecting... it looks like specifically KB5051987,
the 2025.02B update, causes this failure.

It appears there is a new access control check for DsrGetDcName in
netlogon (which is visible with debug logging enabled) which fails for
Samba clients.

+ [CRITICAL] Rejecting an RPC call due to error from AccessCheck: 0x6e4 OpNum:20 Method:DsrGetDcName

That substring ("Rejecting an RPC call ...") does not appear in netlogon
at all prior to KB5051987.

Now, I don't yet know why the 2B update to Server 2022 doesn't have the
same behavior...

--
I work at Microsoft on Windows, but not on the AD product, and I am here
solely as a home user with a bug report.

That being said: if it would help for me to bend the ear of somebody over
in AD/DS to figure out if this is a Windows issue or a Samba one, I would
be happy to.

d
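As an added illustration (not code from this thread, from Samba, or from either poster), the helper below recognises the two signatures the thread describes, the member's NT_STATUS_NO_SUCH_DOMAIN and the DC's netlogon AccessCheck rejection of DsrGetDcName, and sanity-checks the idmap ranges quoted from smb.conf for overlap. The log lines and config it runs over are constructed samples modelled on the quoted text.

```python
import re

# Constructed sample input, modelled on the lines quoted in this thread
# (not copied from the reporter's real logs or config).
NETLOGON_LOG = """04/25 10:00:01 [SESSION] DOMTEST: NetrServerAuthenticate3 accepted
04/25 10:00:02 [CRITICAL] Rejecting an RPC call due to error from AccessCheck: 0x6e4 OpNum:20 Method:DsrGetDcName
"""
SAMBA_LOG = "[2025/04/25 10:00:02.000001, 10] winbindd: dsgetdcname failed: NT_STATUS_NO_SUCH_DOMAIN\n"
SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000-9999
   idmap config domtest:backend = ad
   idmap config domtest:range = 500-599
"""

REJECT_RE = re.compile(r"Rejecting an RPC call due to error from AccessCheck: "
                       r"(?P<err>0x[0-9a-fA-F]+) OpNum:(?P<opnum>\d+) Method:(?P<method>\w+)")
IDMAP_RE = re.compile(r"^\s*idmap config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S+)",
                      re.M | re.I)

def rejected_rpc_calls(netlogon_log):
    """Every netlogon AccessCheck rejection as {error, opnum, method}."""
    return [{"error": int(m["err"], 16), "opnum": int(m["opnum"]), "method": m["method"]}
            for m in REJECT_RE.finditer(netlogon_log)]

def idmap_ranges(smb_conf):
    """Map each 'idmap config <dom>' in smb.conf to its (low, high) range."""
    ranges = {}
    for m in IDMAP_RE.finditer(smb_conf):
        if m["key"].lower() == "range":
            lo, hi = (int(x) for x in m["val"].split("-"))
            ranges[m["dom"]] = (lo, hi)
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ID ranges overlap (a misconfiguration)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def diagnose(samba_log, netlogon_log):
    """Classify the failure from the member's winbind log and the DC's netlogon log."""
    no_domain = "NT_STATUS_NO_SUCH_DOMAIN" in samba_log
    dc_rejects = [r for r in rejected_rpc_calls(netlogon_log) if r["method"] == "DsrGetDcName"]
    if no_domain and dc_rejects:
        return "dc-rejected-dsrgetdcname"   # DC refused the locator call the member relies on
    if no_domain:
        return "member-no-such-domain"      # next step: enable netlogon debug logging on the DC
    return "no-known-signature"
```

Run it against a real winbind log (log level 10, as in the quoted smb.conf) and the DC's netlogon debug log to confirm whether the member's failure lines up with a DsrGetDcName rejection on the DC.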