samba - Oct 2022 - Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server

Moved from samba-technical:

On 27/10/2022 11:44, Harald Hannelius wrote:
> 
> On Thu, 27 Oct 2022, Rowland Penny via samba-technical wrote:
>> On 27/10/2022 10:57, Harald Hannelius via samba-technical wrote:
>>>
>>> I upgraded my AD DS servers from Debian 10 to Debian 11 bullseye 
>>> which also upgraded Samba from 4.9.5 to 4.13.13.
>>>
>>> Now I notice that I am unable to resolve usernames on the member 
>>> servers. I have only numbers in the processlist for example.
'getent
>>> passwd "DOMAIN\harald"' doesn't return anything.
>>>
>>> Did I miss something in the upgrade process?
>>
>> No idea, you haven't given us enough to work with.
>>
>> How did you upgrade your DC's ?
> 
> apt-get upgrade && apt-get dist-upgrade
Now that is generally okay for the base OS, but I wouldn't have done 
that. I would have created a new computer (in a VM or on bare metal) 
using Bullseye and the installed Samba from backports, joined this as a 
new DC, then once I was sure everything was okay, I would demote the old 
DC. There is just too big a jump between 4.9.5 and 4.13.x
> 
>> Did you upgrade them in place or did you create new DC's and demote
>> the old ones ?
> 
> In place.
See above.
> 
>> What idmap backend are you using on the Unis domain members ?
> 
>  ????idmap config domain:unix_primary_group = yes
>  ????idmap config domain:unix_nss_info = yes
>  ????idmap config domain:range = 500-4000000
Was this domain upgraded from an old NT4-style domain ?
>  ????idmap config domain:schema_mode = rfc2307
>  ????idmap config domain:backend = ad
>  ????idmap config * : range = 5000000-9000000
The default '*' domain is meant for the well known SIDS (of which there 
are less than 200) and anything outside the 'DOMAIN' domain, do you 
really expect nearly 4 million connections from outside the domain ?
>  ????idmap config * : backend = tdb
> 
>>> Now when I restarted the smbd, winbind and nmbd I am unable to 
>>> connect to the member server.
>>
>> Sounds like a possible dns issue.
> 
> I have to check that next time I try doing this upgrade. Thanks.
> 
>> This isn't really the place to be discussing this, you should have 
>> posted to the samba mailing list.
> 
> Oh, sorry. I'll repost there.
> 
> Thank You for Your time, appreciated.
Please post the contents of these files:
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/samba.conf

from a DC and a Unix domain member

Rowland

On Thu, 27 Oct 2022, Rowland Penny via samba wrote:
> Moved from samba-technical:
> On 27/10/2022 11:44, Harald Hannelius wrote:
>> On Thu, 27 Oct 2022, Rowland Penny via samba-technical wrote:
>>> On 27/10/2022 10:57, Harald Hannelius via samba-technical wrote:
>>>> 
>>>> I upgraded my AD DS servers from Debian 10 to Debian 11
bullseye which
>>>> also upgraded Samba from 4.9.5 to 4.13.13.
>>>> 
>>>> Now I notice that I am unable to resolve usernames on the
member servers.
>>>> I have only numbers in the processlist for example. 'getent
passwd
>>>> "DOMAIN\harald"' doesn't return anything.
>>>> 
>>>> Did I miss something in the upgrade process?
>>> 
>>> No idea, you haven't given us enough to work with.
>>> 
>>> How did you upgrade your DC's ?
>> 
>> apt-get upgrade && apt-get dist-upgrade
>
> Now that is generally okay for the base OS, but I wouldn't have done
that. I
> would have created a new computer (in a VM or on bare metal) using Bullseye
> and the installed Samba from backports, joined this as a new DC, then once
I
> was sure everything was okay, I would demote the old DC. There is just too 
> big a jump between 4.9.5 and 4.13.x
I have to DS (DC) servers. You suggest to add a third, promote that, demote 
the old ones and then promote them when they are upgraded?

I would be nice if a dist-upgrade would fix everything :)
>>> Did you upgrade them in place or did you create new DC's and
demote the
>>> old ones ?
>> 
>> In place.
>
> See above.
>
>> 
>>> What idmap backend are you using on the Unis domain members ?
>>
>>  ????idmap config domain:unix_primary_group = yes
>>  ????idmap config domain:unix_nss_info = yes
>>  ????idmap config domain:range = 500-4000000
>
> Was this domain upgraded from an old NT4-style domain ?
>
>>  ????idmap config domain:schema_mode = rfc2307
>>  ????idmap config domain:backend = ad
>>  ????idmap config * : range = 5000000-9000000
>
> The default '*' domain is meant for the well known SIDS (of which
there are
> less than 200) and anything outside the 'DOMAIN' domain, do you
really expect
> nearly 4 million connections from outside the domain ?
Almost all connections come from our other Windows AD domain.

I have been bitten hard a few times when tinkering with this so I am 
reluctant to change anything
that works :)

>>  ????idmap config * : backend = tdb
>> 
>>>> Now when I restarted the smbd, winbind and nmbd I am unable to
connect to
>>>> the member server.
>>> 
>>> Sounds like a possible dns issue.
>> 
>> I have to check that next time I try doing this upgrade. Thanks.
>> 
>> Thank You for Your time, appreciated.
>
> Please post the contents of these files:
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> /etc/samba/samba.conf
>
> from a DC and a Unix domain member

========== DC (Samba 4.9.5): ===============
# cat /etc/hostname
sad1
  # cat /etc/hosts
127.0.0.1       localhost
193.167.33.91   sad1.sad.arcada.fi      sad1.arcada.fi  sad1
2001:708:170:33::91     sad1.sad.arcada.fi  sad1.arcada.fi  sad1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# cat /etc/resolv.conf
search sad.arcada.fi arcada.fi
nameserver      2001:708:170:33::91
nameserver      2001:708:170:33::92
# cat /etc/krb5.conf
[libdefaults]
         default_realm = SAD.ARCADA.FI
         dns_lookup_realm = false
         dns_lookup_kdc = true
# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
         dns forwarder = 2001:708:170:33::232 2001:708:170:33::246
         logging = syslog
         min domain uid = 500
         passdb backend = samba_dsdb
         realm = SAD.ARCADA.FI
         server role = active directory domain controller
         workgroup = SAD
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
         map archive = No
         vfs objects = dfs_samba4 acl_xattr


[netlogon]
         path = /var/lib/samba/sysvol/sad.arcada.fi/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No


========== Domain member (also 4.9.5); ==============
# cat /etc/hostname
domus.sad.arcada.fi

  # cat /etc/hosts
127.0.0.1       localhost
193.167.33.91   sad1.arcada.fi  sad1
193.167.33.3    domus.sad.arcada.fi     domus
2001:708:170:33:3       domus.sad.arcada.fi     domus

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# cat /etc/resolv.conf
domain sad.arcada.fi
search sad.arcada.fi arcada.fi
nameserver      2001:708:170:33::232
nameserver      2001:708:170:33::246
nameserver 193.167.33.232
nameserver 193.167.33.246
(our resolvers have glue for the zones)
# cat /etc/krb5.conf
[libdefaults]
default_realm = SAD.ARCADA.FI
dns_lookup_realm = false
dns_lookup_kdc = true
# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
         dedicated keytab file = /etc/krb5.keytab
         disable spoolss = Yes
         kerberos method = secrets and keytab
         load printers = No
         log file = /var/log/samba/log.%m
         min domain uid = 500
         printcap name = /dev/null
         realm = SAD.ARCADA.FI
         security = ADS
         username map = /etc/samba/user.map
         utmp = Yes
         winbind enum groups = Yes
         winbind enum users = Yes
         winbind refresh tickets = Yes
         winbind use default domain = Yes
         workgroup = SAD
         idmap config sad:unix_primary_group = yes
         idmap config sad:unix_nss_info = yes
         idmap config sad:range = 500-4000000
         idmap config sad:schema_mode = rfc2307
         idmap config sad:backend = ad
         idmap config * : range = 5000000-9000000
         idmap config * : backend = tdb
         map acl inherit = Yes
         printing = bsd
         vfs objects = acl_xattr


[homes]
         browseable = No
         comment = Home Directories
         create mask = 0604
         directory mask = 0705
         force directory mode = 0705
         invalid users = root altiuser
         read only = No



-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020