Michal Staniszewski
2017-Feb-08 12:44 UTC
[Samba] Duplicate base-DN matches found for <SID=1-5-11> after classic upgrade
Hi,
I've done samba-tool domain classicupgrade from Samba 3.0.9 NT-style domain
to Samba 4.3.11 and have issues with SIDs.
I have an old SUSE 9 server with Samba 3.0.9 NT-style domain (only this PDC, no
BDC).
I migrated this samba configuration to Ubuntu 16.04.1 with Samba 4.3.11 and it
worked very well.
Then I did an in-place upgrade to a Samba AD DC domain using the following command:
samba-tool domain classicupgrade --debuglevel=10 --dbdir=/root/_pdc/dbdir/
--realm=<MY-REALM-NAME> --use-xattrs=yes --dns-backend=SAMBA_INTERNAL
/root/_pdc/etc/smb.conf
The process went OK and the new Samba config started to run, but when I did:
smbclient -L localhost -U%
or with any other user, I get NT_STATUS_OBJECT_NAME_NOT_FOUND.
So I set log level = 10 in smb.conf, restarted Samba and ran the same command.
While investigating megabytes of log file I found an error:
less /var/log/samba/log.smbd:
[2017/02/08 12:02:02.162067, 10, pid=1805, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_request: SEARCH
dn:
scope: base
expr: (!(objectClass=*)(distinguishedName=*))
attr: memberOf
control: 1.2.840.113556.1.4.529 crit:1 data:yes
... several lines with ldb_trace_request: (something)->search ...
[2017/02/08 12:02:02.162465, 10, pid=1805, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_response: DONE
error: 32
msg: Duplicate base-DN matches found for '<SID=S-1-5-11>'
The above message is defined in the Samba source code in
./source4/dsdb/samdb/ldb_modules/extended_dn_in.c, and there is a comment
indicating that the code expects to see this error with SID S-1-5-17, not
with S-1-5-11.
I tried to use ldbsearch to extract all data from sam.ldb and idmap.ldb, but I
didn't know how to search it for a duplicate SID.
And I'm not sure what to do about it: is it a bug in the Samba code, maybe in
samba-tool? Or is it somehow related to the Samba 3 configuration, although I'm
quite sure there was no such SID anywhere in my Samba 3 domain.
As a consequence, I cannot do anything with the Samba AD DC domain: cannot add a
new workstation, cannot log in with smbclient, and so on.
Below you can investigate my Samba 3 global configuration section before
upgrade:
[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = <MY-NETBIOS-DOMAIN-NAME>
server string = <MY-HOST-NAME>
passdb backend = tdbsam
log file = /var/log/samba.log
smb ports = 139
logon script = logon_script.bat
logon path
logon home
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=<MY-NETBIOS-DOMAIN-NAME>
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=<MY-NETBIOS-DOMAIN-NAME>
invalid users = root
admin users = <LIST-OF-ADMIN-USERS>
hosts allow = 192.168.1.0/24
nt acl support = No
oplocks = No
Can anyone help me fix this?
Thanks,
Michal
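To answer the "how do I search it for a duplicate SID" part, here is an added example that is not from this thread or from the Samba project: it parses the LDIF that ldbsearch prints and lists every objectSid that occurs on more than one DN. It assumes the export was made with something like "ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=*)' dn objectSid" (the sam.ldb path is an assumption for a default install) and that the text is passed to duplicate_sids(); the embedded sample is constructed, not real output from this domain.

```python
from collections import defaultdict

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per LDIF entry; folds continuation lines,
    skips '#' comments and base64 ('::') values (objectSid is printed as text)."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                                 # blank line ends an entry
            dn, attrs = None, defaultdict(list)
            for line in lines:
                name, sep, value = line.partition(":")
                if not sep or value.startswith(":"):
                    continue
                if name == "dn":
                    dn = value.strip()
                else:
                    attrs[name].append(value.strip())
            if dn is not None:
                yield dn, dict(attrs)
            lines = []

def duplicate_sids(text):
    """Return {sid: [dn, ...]} for each objectSid found on more than one DN."""
    seen = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for sid in attrs.get("objectSid", []):
            seen[sid].append(dn)
    return {sid: dns for sid, dns in seen.items() if len(dns) > 1}

# Constructed sample in the shape of ldbsearch output: S-1-5-11 (the well-known
# "Authenticated Users" SID) deliberately appears on two DNs.
SAMPLE_LDIF = """\
# record 1
dn: CN=Authenticated Users,CN=WellKnown Security Principals,CN=Configuration,
 DC=example,DC=com
objectSid: S-1-5-11

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=duplicated entry,CN=Users,DC=example,DC=com
objectSid: S-1-5-11
# returned 3 records
"""
```

Run duplicate_sids(open("sids.ldif").read()) on a real export; an empty result means no SID is shared between objects.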
Rowland Penny
2017-Feb-08 13:41 UTC
[Samba] Duplicate base-DN matches found for <SID=1-5-11> after classic upgrade
On Wed, 8 Feb 2017 12:44:41 +0000 Michal Staniszewski via samba <samba at lists.samba.org> wrote:
Let's start by you posting the smb.conf from the new AD DC ;-)
Rowland