Rowland, I commented out what you asked me to, no change.

# Global parameters
[global]
workgroup = TRUEVINE
realm = TRUEVINE.LAN
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbi$
# idmap_ldb:use rfc2307 = yes
# idmap config *:backend = tdb
# idmap config *:range = 2001-10000
# idmap config TRUEVINE:backend = ad
# idmap config TRUEVINE:schema_mode = rfc2307
# idmap config TRUEVINE:range = 10001-20000
# domain master = yes
# local master = yes
# preferred master = yes
# os level = 255

[netlogon]
path = /var/lib/samba/sysvol/truevine.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Results:
root at dc01:~# nano -w /etc/samba/smb.conf
root at dc01:~# service samba4 stop
[ ok ] Stopping Samba AD DC daemon: samba.
root at dc01:~# service samba4 start
[ ok ] Starting Samba AD DC daemon: samba.
root at dc01:~# smbclient -L \\localhost -U administrator
Enter administrator's password:
session setup failed: NT_STATUS_INVALID_SID
root at dc01:~#

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/13/2017 01:07 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 12:46:27 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
>> OK, I noticed that also, but why does everything return
>> NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U
>> adminnamehere" on the DC itself, I get the error. At this point we are
>> looking at erasing every workstation, wiping the DC, and starting from
>> scratch. It has been a week and not even rolling back to 4.4 fixed it.
>> What should my next steps be? I attached the server configuration file
>> for reference. Note that it has run this way for a year without a
>> hitch and nothing has been changed since day 1.
>>
>> # Global parameters
>> [global]
>> workgroup = TRUEVINE
>> realm = TRUEVINE.LAN
>> netbios name = DC01
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> idmap config *:backend = tdb
>> idmap config *:range = 2001-10000
>> idmap config TRUEVINE:backend = ad
>> idmap config TRUEVINE:schema_mode = rfc2307
>> idmap config TRUEVINE:range = 10001-20000
>> domain master = yes
>> local master = yes
>> preferred master = yes
>> os level = 255
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/truevine.lan/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>
> Now I have seen your smb.conf, I think I can tell you why you are
> getting 'NT_STATUS_INVALID_SID'
>
> You have 'idmap config' lines, these do nothing on a DC, or rather they
> did nothing until 4.5.0, now they cause errors, so I would remove them.
> I would also remove the 'master' lines and the 'os' line.
>
> When 4.6.0 comes out, it is my understanding that you will not have this
> problem, Samba will flat out refuse to start if you have the idmap
> lines in smb.conf ;-)
>
> Rowland
On Sat, 14 Jan 2017 11:17:57 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:
> Rowland, I commented out what you asked me to, no change.
> [...]

Put 'idmap_ldb:use rfc2307 = yes' back, you need it, the idmap lines I
was referring to, start with 'idmap config'

Run 'net cache flush'
Ensure the libnss_winbind links exist, the 'passwd' & 'group' lines
in /etc/nsswitch.conf contain 'winbind' and PAM is set up correctly.
It may also help if you restart the DC

Rowland
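A check for the smb.conf points Rowland raises above, written as an added example that is not part of the thread or of Samba itself: it reports the active 'idmap config', 'master' and 'os level' directives on an AD DC, confirms 'idmap_ldb:use rfc2307 = yes' is still present, and says so when the file is a member server rather than a DC. The function name is made up for this example and the two sample files are constructed from the [global] section Ryan posted; the 4.5.0 behaviour quoted in the findings is taken from Rowland's message.

```shell
# Added example (not from the thread or the Samba project): audit an smb.conf for the
# settings Rowland says do not belong on an AD DC. Prints one finding per line; returns the count.
audit_dc_smbconf() {
    found=0 rfc2307=0
    # Active directives only (comments dropped), lowercased, '=' spacing normalised.
    active=$(sed -e 's/[;#].*$//' -e '/^[[:space:]]*$/d' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/[[:space:]]*=[[:space:]]*/ = /')
    role=$(printf '%s\n' "$active" | sed -n 's/^server role = //p' | head -n 1)
    if [ "$role" != "active directory domain controller" ]; then
        echo "NOTE: server role is '${role:-unset}', not an AD DC; idmap config lines belong on member servers"
        return 0
    fi
    while IFS= read -r line; do
        case "$line" in
            "idmap config "*)
                echo "REMOVE (no effect on a DC before 4.5.0, errors from 4.5.0 on): $line"
                found=$((found + 1)) ;;
            "domain master = "*|"local master = "*|"preferred master = "*|"os level = "*)
                echo "REMOVE (NetBIOS browser election setting, meaningless on a DC): $line"
                found=$((found + 1)) ;;
            "idmap_ldb:use rfc2307 = yes") rfc2307=1 ;;
        esac
    done <<EOF
$active
EOF
    if [ "$rfc2307" -eq 0 ]; then
        echo "ADD: 'idmap_ldb:use rfc2307 = yes' is missing; AD uidNumber/gidNumber will not be used"
        found=$((found + 1))
    fi
    return "$found"
}
# Constructed sample: the [global] directives Ryan posted before commenting anything out.
SAMPLE_THREAD=$(mktemp); cat > "$SAMPLE_THREAD" <<'EOF'
[global]
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config *:backend = tdb
        idmap config *:range = 2001-10000
        idmap config TRUEVINE:backend = ad
        idmap config TRUEVINE:schema_mode = rfc2307
        idmap config TRUEVINE:range = 10001-20000
        domain master = yes
        local master = yes
        preferred master = yes
        os level = 255
EOF
# Constructed sample: the same file keeping only the directives a DC should have.
SAMPLE_FIXED=$(mktemp); grep -v -e 'idmap config' -e ' master ' -e 'os level' "$SAMPLE_THREAD" > "$SAMPLE_FIXED"
audit_dc_smbconf "$SAMPLE_THREAD" || echo "findings: $?"
```

Pointed at /etc/samba/smb.conf on the DC, a non-zero exit status is the number of directives to change; commented-out lines are ignored, so a file edited as in Ryan's second message only reports the missing rfc2307 line.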
Rowland, that opened up a whole new can of worms. I did exactly as
instructed, but when I did the "net cache flush" I got spammed with stuff
like the following, and I mean SPAMMED. Thousands of lines, way beyond my
scrollback buffer.

tdb(/var/lock/samba/gencache_notrans.tdb): tdb_expand overflow detected current map_size[4294967295] size[96]!
tdb(/var/lock/samba/gencache_notrans.tdb): tdb_expand overflow detected current map_size[4294967295] size[96]!
tdb(/var/lock/samba/gencache_notrans.tdb): tdb_expand overflow detected current map_size[4294967295] size[96]!
tdb(/var/lock/samba/gencache_notrans.tdb): tdb_expand overflow detected current map_size[4294967295] size[96]!

Looks like a database has grown too large or something. Not sure as I have
no experience with TDB, only MySQL and MSSQL.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/14/2017 11:40 AM, Rowland Penny via samba wrote:
> On Sat, 14 Jan 2017 11:17:57 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> [...]
Rowland, I was just reading over another thread on this list about the
inability to access group policy from client machines. The user did not
have the symlinks set up (I do), but one thing you mentioned was using the
NIS attributes to set UID/GID numbers for the domain. You said we should
not do this for certain users and groups, but there is no mention of this
in the guides to setting up an AD DC, so I have always done it. We do this
to make our Linux-based NAS devices work. Furthermore, you recommended the
user use the idmap lines to ensure consistent UID/GID numbers across
devices, yet you suggested I turn the exact same lines off in my config.
Why is this? I understand our situations are different, but when should we
set winbind to use the AD backend and set UID/GID numbers? How do I do this
so Linux-based file services can be accessed by users and come out the
same?

To be specific, these are the commented lines in my config file. They look
like what you recommended to the user Richard to ensure consistent UID and
GID numbers.

# idmap config *:backend = tdb
# idmap config *:range = 2001-10000
# idmap config TRUEVINE:backend = ad
# idmap config TRUEVINE:schema_mode = rfc2307
# idmap config TRUEVINE:range = 10001-20000

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/14/2017 11:40 AM, Rowland Penny via samba wrote:
> On Sat, 14 Jan 2017 11:17:57 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> [...]