samba - Jun 2022 - More Active Directory Domain Corruption.

On 6/1/22 18:33, Andrew Bartlett via samba wrote:
> Jumping back to the top of this chain again, as it has gone down
> various ratholes.
>
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have unable to process any Domain Logins of any type on OpenSuse
>> Leap
>> 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, its my Primary Domain Controller.
>>
>> Basically normal Samba and Domain AD Logins fail with
>>
>> NT_STATUS_INVALID_SID
> So, what I would say is that idmap.ldb is not syncronised so this might
> explain that being on just one DC.  Digging into this may show what the
> issue is there, otherwise just build a new DC.  (these can/should be
> VMs).
>
> As you have been using Samba as a fileserver also, you will need to
> take care that any new DC or if you removed idmap.ldb to have it
> rebuilt will change the IDMAP, eg the effective owner of files.
>
> Personally I suspect that file may have been edited or damaged.
>
> This is why we suggest separation, so traditional Samba fileserver
> rules can be used to manage idmap, as that is more suitable (IDMAP
> management in the AD DC is poor).
>
> We have already determined that while there is an odd DN in the DB, it
> isn't fatal, just exposes a less-than-ideal behaviour in dbcheck.
>
> Within your physical constraints, do please try to follow our
> deployment recommendations, it will help us help you.
>
> Andrew Bartlett
>
So I didn't fix it. I followed your advice an instructions, but it still 
didn't give me the desired results.

Here is what I did:

I backed up the data using the samba-tool domain backup offline command. 
(the online version failed due to the SID error)

WARNING 2022-06-01 18:38:25,505 pid:19047 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2114: 
More than one IPv4 address found. Using 172.17.0.1

This IP address is an interface for a Docker image. I probably should 
restrict that to the actual of the ethernet adapter.

so I added interfaces = eth1 lo

bind interfaces only = yes

to smb.conf.

I then methodically went through and purged all tdb and ldb files. Then 
I re-joined the DC to the Domain. During Provision, this error appeared.

INFO 2022-06-01 19:01:33,933 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: 
Looking up IPv4 addresses
INFO 2022-06-01 19:01:33,933 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: 
Looking up IPv6 addresses
WARNING 2022-06-01 19:01:33,934 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No 
IPv6 address will be assigned
INFO 2022-06-01 19:01:34,415 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: 
Setting up secrets.ldb
INFO 2022-06-01 19:01:34,653 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: 
Setting up the registry
INFO 2022-06-01 19:01:34,755 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: 
Setting up the privileges database
INFO 2022-06-01 19:01:35,354 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: 
Setting up idmap db
INFO 2022-06-01 19:01:35,739 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: 
Setting up SAM db
INFO 2022-06-01 19:01:35,840 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #880: 
Setting up sam.ldb partitions and settings
INFO 2022-06-01 19:01:35,842 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #892: 
Setting up sam.ldb rootDSE
INFO 2022-06-01 19:01:35,916 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: 
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint 
on local domainSIDs

INFO 2022-06-01 19:01:36,116 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2343: 
The Kerberos KDC configuration for Samba AD is located at 
/var/lib/samba/private/kdc.conf
INFO 2022-06-01 19:01:36,117 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A 
Kerberos configuration suitable for Samba AD has been generated at 
/var/lib/samba/private/krb5.conf
INFO 2022-06-01 19:01:36,117 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: 
Merge the contents of this file with your system krb5.conf or replace it 
with this one. Do not create a symlink!
Provision OK for domain DN DC=pukey
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[402/1550] 
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[804/1550] 
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[1206/1550] 
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[1550/1550] 
linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=pukey] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1653/1653] 
linked_values[49/49]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=pukey] objects[2055/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[2457/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[2859/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[3261/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[3306/1653] 
linked_values[98/49]
Replicating critical objects from the base DN of the domain
Partition[DC=pukey] objects[98/98] linked_values[38/38]
Partition[DC=pukey] objects[324/324] linked_values[46/46]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=pukey
Partition[DC=DomainDnsZones,DC=pukey] objects[45/45] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=pukey
Partition[DC=ForestDnsZones,DC=pukey] objects[26/26] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=pukey] objects[3] linked_values[0]
Committing SAM database
Repacking database from v1 to v2 format (first record 
CN=ms-Exch-Configuration-Container,CN=Schema,CN=Configuration,DC=pukey)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record 
CN=IntellimirrorGroup-Display,CN=419,CN=DisplaySpecifiers,CN=Configuration,DC=pukey)
Repacking database from v1 to v2 format (first record 
DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=pukey)
Repacking database from v1 to v2 format (first record 
DC=f1089f36-ffbd-4d60-932c-3f71addac95a,DC=_msdcs.pukey,CN=MicrosoftDNS,DC=ForestDnsZones,DC=pukey)
Repacking database from v1 to v2 format (first record 
CN=6bcd5684-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=pukey)
INFO 2022-06-01 19:01:48,444 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1101: Adding 1 remote 
DNS records for OLYMPIA.pukey
INFO 2022-06-01 19:01:48,579 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1164: Adding DNS A 
record OLYMPIA.pukey for IPv4 IP: 192.168.0.4
INFO 2022-06-01 19:01:48,771 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1192: Adding DNS CNAME 
record d02fb6d3-feec-46ec-bcb1-dad7bdd64e27._msdcs.pukey for OLYMPIA.pukey
INFO 2022-06-01 19:01:48,975 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1217: All other DNS 
records (like _ldap SRV records) will be created samba_dnsupdate on 
first startup
INFO 2022-06-01 19:01:48,975 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1222: Replicating new 
DNS records in DC=DomainDnsZones,DC=pukey
Partition[DC=DomainDnsZones,DC=pukey] objects[2/2] linked_values[0/0]
INFO 2022-06-01 19:01:49,198 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1222: Replicating new 
DNS records in DC=ForestDnsZones,DC=pukey
Partition[DC=ForestDnsZones,DC=pukey] objects[2/2] linked_values[0/0]
INFO 2022-06-01 19:01:49,357 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1237: Sending 
DsReplicaUpdateRefs for all the replicated partitions
INFO 2022-06-01 19:01:49,561 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1267: Setting 
isSynchronized and dsServiceName
INFO 2022-06-01 19:01:49,625 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1282: Setting up 
secrets database
INFO 2022-06-01 19:01:50,324 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1544: Joined domain 
PUKEY-NT as a DC

After Provision:wbinfo -S S-1-5-21-2139989288-483860436-2398042574-2000
failed to call wbcSidToUid: WBC_ERR_UNKNOWN_FAILURE
Could not convert sid S-1-5-21-2139989288-483860436-2398042574-2000 to uid

So this appears to have had no effect. Even after I purged 
/var/lib/samba/private

On Wed, 2022-06-01 at 19:11 -0400, Zombie Ryushu wrote:
>     On 6/1/22 18:33, Andrew Bartlett via
>       samba wrote:
> 
>     
>     
> >       Jumping back to the top of this chain again, as it has gone
> > downvarious ratholes. 
> > On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
> >       
> > >         I have unable to process any Domain Logins of any type on
> > > OpenSuseLeap 15.3. I get an invalid SID error.This has been
> > > isolated to just one of my Domain Controllers. Unfortunately, its
> > > my Primary Domain Controller.
> > > Basically normal Samba and Domain AD Logins fail with
> > > NT_STATUS_INVALID_SID
> > >       
> > 
> >       So, what I would say is that idmap.ldb is not syncronised so
> > this mightexplain that being on just one DC.  Digging into this may
> > show what theissue is there, otherwise just build a new DC.  (these
> > can/should beVMs). 
> > As you have been using Samba as a fileserver also, you will need
> > totake care that any new DC or if you removed idmap.ldb to have
> > itrebuilt will change the IDMAP, eg the effective owner of files. 
> > Personally I suspect that file may have been edited or damaged.
> > This is why we suggest separation, so traditional Samba
> > fileserverrules can be used to manage idmap, as that is more
> > suitable (IDMAPmanagement in the AD DC is poor).
> > We have already determined that while there is an odd DN in the DB,
> > itisn't fatal, just exposes a less-than-ideal behaviour in
> > dbcheck.  
> > Within your physical constraints, do please try to follow
> > ourdeployment recommendations, it will help us help you.
> > Andrew Bartlett
> > 
> >     
> 
>     So I didn't fix it. I followed your advice an instructions, but
>       it still didn't give me the desired results.
>     Here is what I did:
>     I backed up the data using the samba-tool domain backup offline
>       command. (the online version failed due to the SID error)
>     WARNING
>           2022-06-01 18:38:25,505 pid:19047
>           /usr/lib64/python3.6/site-
> packages/samba/provision/__init__.py
>           #2114: More than one IPv4 address found. Using 172.17.0.1
>     This IP address
>           is an interface for a Docker image. I probably should
>         restrict that to the actual of the ethernet adapter.
>     
>         so I added interfaces = eth1 lo
>     bind interfaces only = yes 
> 
>       
>     to smb.conf.
>     I then methodically went through and purged all tdb and ldb
>       files. Then I re-joined the DC to the Domain. During Provision,
>       this error appeared.
>     
        INFO
          2022-06-01 19:01:50,324 pid:23908
          /usr/lib64/python3.6/site-packages/samba/join.py #1544:
Joined
          domain PUKEY-NT as a DC

        
        

To be clear, this is success.   I don't know why you get idmap errors
but I suggest you look into the winbindd logs for further clues. 

I would again suggest to make your install as boring as possible, but
if that still doesn't help you may need to seek professional advise
from a commercial support provider who can spend some time to really
dig into this, or just rebuild the domain in as boring a manner
possible.  I don't say so lightly but this thread isn't really getting
anywhere fast and is getting distracted by the various differences.

You are not the only one, but there is a lot of jumping to conclusions
here and that isn't helping.  Turn up the log level and spend a lot of
time reading that output around the time when specific failures are
seen is all I can suggest. 

Sorry,

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member
(since 2001) https://samba.orgSamba Team Lead, Catalyst IT  
https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open SourceSolutions