On 2/5/21 at 11:54 AM, Thomas Geppert via samba wrote:
> I've installed and provisioned a Samba ADDC in an unprivileged Linux
> container. The details can be found in my post "Samba AD DC in an
> unprivileged lxc revisited".
...which was a flabbergasting read! Well done, albeit I fear there are
still some problems due to the idmapping issue you're seeing.
> The ADDC seems to work properly but there is one detail that still bothers
> me. In the output of samba-tool were the following warnings:
> INFO 2021-02-02 19:51:42,853 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py
> #1592: Setting up self join
> Repacking database from v1 to v2 format (first record
> CN=dhcp-Properties,CN=Schema,CN=Configuration,DC=....,DC=....,DC=....)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=mSMQMigratedUser-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=....,DC=....,DC=....)
> Repacking database from v1 to v2 format (first record
> CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP
> Security,CN=System,DC=.....,DC=....,DC=....)map_smb4_to_nfs4_id: Unknown gid [30000]
> map_smb4_to_nfs4_id: Unknown gid [30001]
> map_smb4_to_nfs4_id: Unknown gid [30002]
> ....
> map_smb4_to_nfs4_id: Unknown gid [30003]
> map_smb4_to_nfs4_id: Unknown gid [30007]
> INFO 2021-02-02 19:51:45,498 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
> #1143: Adding DNS accounts
> INFO 2021-02-02 19:51:45,517 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
> #1177: Creating
> CN=MicrosoftDNS,CN=System,DC=....,DC=....,DC=....
>
> Can someone shed a light on what's causing these "Unknown gid" messages and
> what it could mean for the operation of the ADDC ?
The module does a getgrgid() call on those ids and apparently nsswitch
doesn't know about those ids. Do you have winbind in nsswitch.conf?
Fwiw, I have no idea if that is sensible on an AD DC... :)
Having said that, when the mapping fails the full NT ACL will not be
stored correctly, so this likely means your AD DC setup is screwed. What
does samba-tool ntacl sysvolcheck/sysvolreset have to say on this?
Cheers!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
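
The lookup described in the reply above (a getgrgid() call per id), as an added example that is not part of the original email or of Samba: it pulls the gids out of the "Unknown gid" warnings and asks NSS to resolve each one via Python's grp.getgrgid(). The sample log is constructed and the function names are hypothetical.

```python
import grp
import re
import sys

# Constructed sample modelled on the warnings quoted in the thread.
SAMPLE_LOG = """\
Repacking database from v1 to v2 format (first record CN=...)map_smb4_to_nfs4_id: Unknown gid [30000]
map_smb4_to_nfs4_id: Unknown gid [30001]
map_smb4_to_nfs4_id: Unknown gid [30001]
map_smb4_to_nfs4_id: Unknown gid [30007]
INFO 2021-02-02 19:51:45,498 pid:942 ... Adding DNS accounts
"""

# The warning can be glued to the end of another output line, so search
# anywhere in the text instead of anchoring at line start.
UNKNOWN_GID = re.compile(r"map_smb4_to_nfs4_id: Unknown gid \[(\d+)\]")


def unknown_gids(log_text):
    """Return the distinct gids reported as unknown, in first-seen order."""
    seen = []
    for match in UNKNOWN_GID.finditer(log_text):
        gid = int(match.group(1))
        if gid not in seen:
            seen.append(gid)
    return seen


def resolve_gids(gids, lookup=grp.getgrgid):
    """Map each gid to its group name, or None when the lookup fails.

    grp.getgrgid() goes through the system's NSS configuration
    (nsswitch.conf) and raises KeyError for an id no source knows about.
    """
    resolved = {}
    for gid in gids:
        try:
            resolved[gid] = lookup(gid).gr_name
        except KeyError:
            resolved[gid] = None
    return resolved


if __name__ == "__main__":
    # Pass a saved provision log as the first argument, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for gid, name in resolve_gids(unknown_gids(text)).items():
        print(f"gid {gid}: {name if name else 'NOT resolved by NSS'}")
```

Run it inside the container where provisioning happened, since the result depends on that system's nsswitch.conf.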