Hello,

after migrating a Samba NT-style domain from Samba 4.2.14-debian (Debian 8.10) to Samba 4.5.12-debian (Debian 9.4), we copied all tdb files to the new machine plus the smb.conf plus /etc/group. The old Samba has tdbsam as backend. We use the same domain and hostname on the new DC as was set on the old system. We are using bind9 as DNS backend in the new system. The "samba-tool classicupgrade" ran without error messages. DNS is running. We can resolve all host and service records. We get a list of all users and groups with "wbinfo -u" and "wbinfo -g". We changed nsswitch.conf to:
---------
passwd: compat winbind
group: compat winbind
---------
The packages libnss-winbind and libpam-winbind are installed, but we got no output with "getent passwd <user>". Then we tried:
------------
root at addc:~# wbinfo -n user
S-1-5-21-2513443738-1937210514-736184894-1173 SID_USER (1)
root at addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-1173
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-1173 to uid
------------
As you can see, it is not possible to get a UID for a migrated user.
Then we tested the same with the users krbtgt and administrator and we got the following result:
-----------
root at addc:~# wbinfo -n krbtgt
S-1-5-21-2513443738-1937210514-736184894-502 SID_USER (1)
root at addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-502
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-502 to uid
root at addc:~# wbinfo -n administrator
S-1-5-21-2513443738-1937210514-736184894-500 SID_US
root at addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-500
0
-----------
We could not get an output from "smbclient -L hostname"; we got the following error message:
----------
root at addc:~# smbclient -L addc
Enter root's password:
session setup failed: NT_STATUS_INVALID_SID
----------
With a higher debug level we got the following message at the end:
----------
root at addc:~# smbclient -L addc -d 10
.
.
.
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID
----------
Then we checked the local SID for the DC and got the following result:
----------
root at addc:~# net getlocalsid
Can't fetch domain SID for name: ADDC
----------
But we get the domain SID:
----------
root at addc:~# net getdomainsid
SID for domain EXAMPLE is: S-1-5-21-2513443738-1937210514-736184894
----------
What we found: in secrets.tdb (old Samba) the hostname of the PDC is different from the hostname given by the command "hostname". We checked the SID with "net getlocalsid" on the old system and got exactly the same result as we got on the new Samba4 ADDC. I think that someone has changed the hostname and created the problem. Then we took the old hostname (the one we found in secrets.tdb) as the new hostname and NetBIOS name and tried to migrate, but with the same result :-(.

Any hint what we can do or where we could look? Setting up a new domain can't be the solution, too many users, too many hosts and too many profiles on Windows clients.
Thanks for any useful help

Stefan
On Mon, 14 May 2018 17:37:23 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello,
>
> after migrating a samba NT-style domain from Samba 4.2.14-debian
> (debian 8.10) to samba 4.5.12-debian (debian 9.4)

> root at addc:~# smbclient -L addc -d 10
> .
> .
> .
> SPNEGO login failed: Indicates the SID structure is not valid.
> session setup failed: NT_STATUS_INVALID_SID
>
> ----------
>
> Then we checked the local sid for the DC and get the following result:
> ----------
> root at addc:~# net getlocalsid
> Can't fetch domain SID for name: ADDC
> ----------
>
> But we get the domain-SID:
> ----------
> root at addc:~# net getdomainsid
> SID for domain EXAMPLE is: S-1-5-21-2513443738-1937210514-736184894
> ----------

OK, let's start with the obvious things, can you post the contents of:

/etc/resolv.conf
/etc/hostname
/etc/hosts
The Bind9 conf files from /etc/bind
/etc/krb5.conf
The result of 'hostname -i'
/etc/samba/smb.conf

Rowland
On Mon, 14 May 2018 20:29:18 +0200
Stefan Kania <stefan at kania-online.de> wrote:

> Let's go for it :-)
>
> On 14.05.2018 at 17:59, Rowland Penny via samba wrote:
> > OK, let's start with the obvious things, can you post the contents
> > of: /etc/resolv.conf
> ------------
> nameserver 192.168.224.4
> search example.net
> ------------

> That's it :-) I hope we can find the problem.
>
> Stefan

The only thing I can comment on is, I would have expected more in /etc/bind/named.conf.options, mine is:

options {
        directory "/var/cache/bind";
        version "0.0.7";
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        auth-nxdomain yes;    # conform to RFC1035 =no
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.6; 127.0.0.1; };
        notify no;
        empty-zones-enable no;
        allow-query { 192.168.0.0/24; 127.0.0.1/32; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

Everything else looks okay.

Have you checked if apparmor is running and possibly blocking things?

Have you checked AD with samba-tool dbcheck?

Rowland
On Mon, 14 May 2018 21:41:04 +0200
Stefan Kania <stefan at kania-online.de> wrote:

> Hi Rowland,
>
> On 14.05.2018 at 21:20, Rowland Penny via samba wrote:
> > On Mon, 14 May 2018 20:29:18 +0200
> > Stefan Kania <stefan at kania-online.de> wrote:
> >
> >> Let's go for it :-)
> >>
> >> On 14.05.2018 at 17:59, Rowland Penny via samba wrote:
> >>> OK, let's start with the obvious things, can you post the contents
> >>> of: /etc/resolv.conf
> >> ------------
> >> nameserver 192.168.224.4
> >> search example.net
> >> ------------
> >
> >> That's it :-) I hope we can find the problem.
> >>
> >> Stefan
> >
> > The only thing I can comment on is, I would have expected more
> > in /etc/bind/named.conf.options, mine is:
> >
> > options {
> >         directory "/var/cache/bind";
> >         version "0.0.7";
> >         forwarders { 8.8.8.8; 8.8.4.4; };
> >         dnssec-validation no;
> >         auth-nxdomain yes;    # conform to RFC1035 =no
> >         listen-on-v6 { none; };
> >         listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> >         notify no;
> >         empty-zones-enable no;
> >         allow-query { 192.168.0.0/24; 127.0.0.1/32; };
> >         allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
> >
> > Everything else looks okay.
>
> I have the same, I put only the "not default" stuff in this posting.
>
> > Have you checked if apparmor is running and possibly blocking things?
>
> It's Debian and not Ubuntu, I know the bi*** of apparmor ;-)

Well, I had to mention it, some people swear by apparmor, I normally just swear at it ;-)

> > Have you checked AD with samba-tool dbcheck?
>
> Yes, everything is fine there.
>
> That's my problem, everything "looks" fine :-(. But we MUST find a
> solution

When you upgraded, did all the Samba etc. packages upgrade? Do you have any stuck packages?

Have you considered using Louis's packages? This will get you a much newer version and may fix your problem.

Rowland
On Tue, 15 May 2018 08:07:27 +0200
Stefan Kania <stefan at kania-online.de> wrote:

> Good morning,
>
> today we started all over with a new machine, we got the same errors
> but now we have an error message when doing a "samba-tool dbcheck"
> ---------------
> root at addc:~# samba-tool dbcheck
> Checking 664 objects
> ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157, in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in check_database
>     error_count += self.check_object(object.dn, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1803, in check_object
>     normalised
>     self.samdb.dsdb_normalise_attributes(self.samdb_schema, attrname, [val])
>   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 677, in dsdb_normalise_attributes
>     return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name, ldif_elements)
>

It looks like it is falling over whilst trying to 'normalise' an entry in AD, could this be a 'locale' problem??

Rowland
Hi Rowland,

after we solved the puzzle today, here is what we found:

The Samba PDC with tdbsam backend was installed a loooooong time ago. Many updates and distributions later, the Samba PDC was still running with the same databases and the same smb.conf. The only thing that someone sometime changed was the hostname and the NetBIOS name in smb.conf. BUT in secrets.tdb was still the old name. Then they used the iso-8859-15 codepage and there were some "fullname" entries with "ä", "ö" and "ü". Then there were some local users in the passwd file with the same ID and name as AD BUILTIN accounts. So with all these funny things it was hard to get things running.

After we saw the error message from "samba-tool dbcheck", I tried to let samba-tool fix the problem, but it didn't work. Then I tried to rebuild the index DBs, and that was the point where we found the users with "ä", "ö" and "ü". Because of the character translation there was a lot of garbage inside the AD database.

So we set up a new Samba PDC with the original name, so we got a new clean secrets.tdb. Then we copied the backup of all *.tdb files to the new PDC, so that we had a clean running PDC. Then we changed the "fullname" entries with "pdbedit", copied all files to the first AD and did the classicupgrade.

Then we found out that the sysvol share had the wrong group set. I went through all the objects and found out that the group "BUILTIN\administrators" had an ObjectClass PosixAccount and a GidNumber. With ldbedit I removed the ObjectClass and the GidNumber, did a "net cache flush", reset the permissions and everything was fine.

Now we have a nicely running first ADDC, then we installed and joined the second ADDC, and replication is working and we are happy. And YES, we are using Louis' 4.7 packages.
HELLLLOOOOOOOO LOOOUUUIIISSSS thanks for the work :-)

Stefan

On 15.05.2018 at 09:39, Rowland Penny via samba wrote:
> On Tue, 15 May 2018 08:07:27 +0200
> Stefan Kania <stefan at kania-online.de> wrote:
>
>> Good morning,
>>
>> today we started all over with a new machine, we got the same errors
>> but now we have an error message when doing a "samba-tool dbcheck"
>
> It looks like it is falling over whilst trying to 'normalise' an entry
> in AD, could this be a 'locale' problem ??
>
> Rowland
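A pre-migration check for the two data-hygiene problems Stefan describes (full names in the tdbsam backend stored in ISO-8859-15 rather than UTF-8, and local passwd accounts whose names collide with AD BUILTIN groups), as an added example that is not part of the thread. It assumes the `user:uid:fullname` line format of `pdbedit -L` and works on constructed sample data.

```python
# Constructed sample of `pdbedit -L` output (user:uid:fullname), kept as
# raw bytes because the full names are ISO-8859-15, not UTF-8.
SAMPLE_PDBEDIT = (
    b"skania:1173:Stefan Kania\n"
    b"jmueller:1174:J\xfcrgen M\xfcller\n"   # \xfc = "u-umlaut" in ISO-8859-15
    b"agross:1175:Anna Gro\xdf\n"            # \xdf = "sharp s"
    b"krbtgt:502:KDC service\n"
)

# Constructed /etc/passwd excerpt with a local account whose name collides
# with an AD BUILTIN group that classicupgrade will create.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "administrators:x:1001:1001::/home/administrators:/bin/false\n"
    "skania:x:1173:1173:Stefan Kania:/home/skania:/bin/bash\n"
)

# Well-known AD BUILTIN group names (lower-cased for comparison);
# "Administrators" is the one behind the sysvol problem in the thread.
BUILTIN_NAMES = {"administrators", "users", "guests", "account operators",
                 "server operators", "print operators", "backup operators"}


def find_non_utf8_fullnames(raw, legacy="iso-8859-15"):
    """Return (user, fullname) pairs for every entry whose full name is not
    valid UTF-8, with the name transcoded from the legacy codepage so it can
    be written back with pdbedit before running classicupgrade."""
    bad = []
    for line in raw.splitlines():
        if not line:
            continue
        user, _uid, fullname = line.split(b":", 2)
        try:
            fullname.decode("utf-8")
        except UnicodeDecodeError:
            bad.append((user.decode("ascii"), fullname.decode(legacy)))
    return bad


def find_builtin_collisions(passwd_text):
    """Return local account names that clash with AD BUILTIN group names."""
    names = [ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln]
    return [n for n in names if n.lower() in BUILTIN_NAMES]


if __name__ == "__main__":
    for user, fixed in find_non_utf8_fullnames(SAMPLE_PDBEDIT):
        print(f"{user}: fullname is not UTF-8, transcoded -> {fixed!r}")
    for name in find_builtin_collisions(SAMPLE_PASSWD):
        print(f"local account {name!r} collides with an AD BUILTIN group")
```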