Rowland Penny
2022-Oct-27 11:14 UTC
[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server
Moved from samba-technical:

On 27/10/2022 11:44, Harald Hannelius wrote:
>
> On Thu, 27 Oct 2022, Rowland Penny via samba-technical wrote:
>> On 27/10/2022 10:57, Harald Hannelius via samba-technical wrote:
>>>
>>> I upgraded my AD DS servers from Debian 10 to Debian 11 bullseye
>>> which also upgraded Samba from 4.9.5 to 4.13.13.
>>>
>>> Now I notice that I am unable to resolve usernames on the member
>>> servers. I have only numbers in the processlist for example. 'getent
>>> passwd "DOMAIN\harald"' doesn't return anything.
>>>
>>> Did I miss something in the upgrade process?
>>
>> No idea, you haven't given us enough to work with.
>>
>> How did you upgrade your DC's ?
>
> apt-get upgrade && apt-get dist-upgrade

Now that is generally okay for the base OS, but I wouldn't have done that. I would have created a new computer (in a VM or on bare metal) using Bullseye and installed Samba from backports, joined this as a new DC, then once I was sure everything was okay, I would demote the old DC. There is just too big a jump between 4.9.5 and 4.13.x.

>
>> Did you upgrade them in place or did you create new DC's and demote
>> the old ones ?
>
> In place.

See above.

>
>> What idmap backend are you using on the Unix domain members ?
>
>     idmap config domain:unix_primary_group = yes
>     idmap config domain:unix_nss_info = yes
>     idmap config domain:range = 500-4000000

Was this domain upgraded from an old NT4-style domain ?

>     idmap config domain:schema_mode = rfc2307
>     idmap config domain:backend = ad
>     idmap config * : range = 5000000-9000000

The default '*' domain is meant for the well known SIDS (of which there are less than 200) and anything outside the 'DOMAIN' domain, do you really expect nearly 4 million connections from outside the domain ?

>     idmap config * : backend = tdb
>
>>> Now when I restarted the smbd, winbind and nmbd I am unable to
>>> connect to the member server.
>>
>> Sounds like a possible dns issue.
>
> I have to check that next time I try doing this upgrade. Thanks.
>
>> This isn't really the place to be discussing this, you should have
>> posted to the samba mailing list.
>
> Oh, sorry. I'll repost there.
>
> Thank You for Your time, appreciated.

Please post the contents of these files:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/samba.conf

from a DC and a Unix domain member

Rowland
Harald Hannelius
2022-Oct-28 08:12 UTC
[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server
On Thu, 27 Oct 2022, Rowland Penny via samba wrote:

> Moved from samba-technical:
> On 27/10/2022 11:44, Harald Hannelius wrote:
>> On Thu, 27 Oct 2022, Rowland Penny via samba-technical wrote:
>>> On 27/10/2022 10:57, Harald Hannelius via samba-technical wrote:
>>>>
>>>> I upgraded my AD DS servers from Debian 10 to Debian 11 bullseye which
>>>> also upgraded Samba from 4.9.5 to 4.13.13.
>>>>
>>>> Now I notice that I am unable to resolve usernames on the member servers.
>>>> I have only numbers in the processlist for example. 'getent passwd
>>>> "DOMAIN\harald"' doesn't return anything.
>>>>
>>>> Did I miss something in the upgrade process?
>>>
>>> No idea, you haven't given us enough to work with.
>>>
>>> How did you upgrade your DC's ?
>>
>> apt-get upgrade && apt-get dist-upgrade
>
> Now that is generally okay for the base OS, but I wouldn't have done that. I
> would have created a new computer (in a VM or on bare metal) using Bullseye
> and installed Samba from backports, joined this as a new DC, then once I
> was sure everything was okay, I would demote the old DC. There is just too
> big a jump between 4.9.5 and 4.13.x.

I have two DS (DC) servers. You suggest to add a third, promote that, demote the old ones and then promote them when they are upgraded? It would be nice if a dist-upgrade would fix everything :)

>>> Did you upgrade them in place or did you create new DC's and demote the
>>> old ones ?
>>
>> In place.
>
> See above.
>
>>
>>> What idmap backend are you using on the Unix domain members ?
>>
>>     idmap config domain:unix_primary_group = yes
>>     idmap config domain:unix_nss_info = yes
>>     idmap config domain:range = 500-4000000
>
> Was this domain upgraded from an old NT4-style domain ?
>
>>     idmap config domain:schema_mode = rfc2307
>>     idmap config domain:backend = ad
>>     idmap config * : range = 5000000-9000000
>
> The default '*' domain is meant for the well known SIDS (of which there are
> less than 200) and anything outside the 'DOMAIN' domain, do you really expect
> nearly 4 million connections from outside the domain ?

Almost all connections come from our other Windows AD domain. I have been bitten hard a few times when tinkering with this so I am reluctant to change anything that works :)

>>     idmap config * : backend = tdb
>>
>>>> Now when I restarted the smbd, winbind and nmbd I am unable to connect to
>>>> the member server.
>>>
>>> Sounds like a possible dns issue.
>>
>> I have to check that next time I try doing this upgrade. Thanks.
>>
>> Thank You for Your time, appreciated.
>
> Please post the contents of these files:
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> /etc/samba/samba.conf
>
> from a DC and a Unix domain member

========== DC (Samba 4.9.5): ===============

# cat /etc/hostname
sad1

# cat /etc/hosts
127.0.0.1           localhost
193.167.33.91       sad1.sad.arcada.fi sad1.arcada.fi sad1
2001:708:170:33::91 sad1.sad.arcada.fi sad1.arcada.fi sad1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# cat /etc/resolv.conf
search sad.arcada.fi arcada.fi
nameserver 2001:708:170:33::91
nameserver 2001:708:170:33::92

# cat /etc/krb5.conf
[libdefaults]
        default_realm = SAD.ARCADA.FI
        dns_lookup_realm = false
        dns_lookup_kdc = true

# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dns forwarder = 2001:708:170:33::232 2001:708:170:33::246
        logging = syslog
        min domain uid = 500
        passdb backend = samba_dsdb
        realm = SAD.ARCADA.FI
        server role = active directory domain controller
        workgroup = SAD
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/sad.arcada.fi/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

========== Domain member (also 4.9.5); ==============

# cat /etc/hostname
domus.sad.arcada.fi

# cat /etc/hosts
127.0.0.1         localhost
193.167.33.91     sad1.arcada.fi sad1
193.167.33.3      domus.sad.arcada.fi domus
2001:708:170:33:3 domus.sad.arcada.fi domus

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# cat /etc/resolv.conf
domain sad.arcada.fi
search sad.arcada.fi arcada.fi
nameserver 2001:708:170:33::232
nameserver 2001:708:170:33::246
nameserver 193.167.33.232
nameserver 193.167.33.246

(our resolvers have glue for the zones)

# cat /etc/krb5.conf
[libdefaults]
        default_realm = SAD.ARCADA.FI
        dns_lookup_realm = false
        dns_lookup_kdc = true

# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        disable spoolss = Yes
        kerberos method = secrets and keytab
        load printers = No
        log file = /var/log/samba/log.%m
        min domain uid = 500
        printcap name = /dev/null
        realm = SAD.ARCADA.FI
        security = ADS
        username map = /etc/samba/user.map
        utmp = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = SAD
        idmap config sad:unix_primary_group = yes
        idmap config sad:unix_nss_info = yes
        idmap config sad:range = 500-4000000
        idmap config sad:schema_mode = rfc2307
        idmap config sad:backend = ad
        idmap config * : range = 5000000-9000000
        idmap config * : backend = tdb
        map acl inherit = Yes
        printing = bsd
        vfs objects = acl_xattr


[homes]
        browseable = No
        comment = Home Directories
        create mask = 0604
        directory mask = 0705
        force directory mode = 0705
        invalid users = root altiuser
        read only = No

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
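The two points Rowland raises about the member server's idmap setup (every domain needs a backend and a range, the ranges must not overlap, and the '*' range only has to hold the well-known SIDs plus whatever comes from outside the domain) can be checked mechanically before winbind is restarted. The script below is an added example, not code from the thread or from the Samba project. It parses the `idmap config` lines of an smb.conf the way testparm prints them (the sample embedded in it is constructed from the member server's values posted above), checks backend/range presence, low-above-high, overlap between domains, a range that starts below `min domain uid` (winbind refuses to map users to IDs below that value), and flags a '*' range larger than an assumed 100,000 IDs. That threshold is this script's own heuristic, not a Samba rule; as Harald's reply shows, a site that serves users from a second AD domain through the '*' backend may legitimately want a larger allocation, so the finding is a prompt to review rather than a hard error.

```python
import re

# Constructed sample, taken from the member-server testparm output in the thread.
SAMPLE_SMB_CONF = """
[global]
        min domain uid = 500
        workgroup = SAD
        idmap config sad:unix_primary_group = yes
        idmap config sad:unix_nss_info = yes
        idmap config sad:range = 500-4000000
        idmap config sad:schema_mode = rfc2307
        idmap config sad:backend = ad
        idmap config * : range = 5000000-9000000
        idmap config * : backend = tdb
"""

# Matches "idmap config DOMAIN : key = value"; spaces around ':' are optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")

# Assumed heuristic: how many IDs the '*' (default) domain is expected to need.
STAR_MAX_SIZE = 100_000


def parse_idmap(conf: str):
    """Return ({domain: {option: value}}, min_domain_uid or None)."""
    domains = {}
    min_uid = None
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].lower(), {})[m["key"].lower()] = m["val"]
            continue
        if "=" in stripped:
            key, _, val = stripped.partition("=")
            if key.strip().lower() == "min domain uid":
                min_uid = int(val.strip())
    return domains, min_uid


def check_idmap(conf: str, star_max_size: int = STAR_MAX_SIZE):
    """Return a list of human-readable findings; an empty list means no issue found."""
    domains, min_uid = parse_idmap(conf)
    findings = []
    ranges = []
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: no idmap backend configured")
        rng = opts.get("range")
        if rng is None:
            findings.append(f"{dom}: no idmap range configured")
            continue
        m = RANGE_RE.match(rng)
        if not m:
            findings.append(f"{dom}: unparsable range {rng!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            findings.append(f"{dom}: range low {lo} is not below high {hi}")
            continue
        if min_uid is not None and lo < min_uid:
            findings.append(f"{dom}: range starts at {lo}, below 'min domain uid' {min_uid}; "
                            "users mapped there are rejected by winbind")
        if dom == "*" and hi - lo + 1 > star_max_size:
            findings.append(f"*: range {lo}-{hi} holds {hi - lo + 1} IDs; the default domain "
                            f"only needs the well-known SIDs plus foreign-domain users "
                            f"(heuristic limit {star_max_size}), review whether that is intended")
        ranges.append((lo, hi, dom))
    if "*" not in domains:
        findings.append("*: no default domain configured; well-known SIDs cannot be mapped")
    # Overlap check: after sorting by low end, any range whose low end is inside
    # the previous range's span collides with it.
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)
```

Run against the posted member configuration it reports only the oversized '*' range; feed it the output of `testparm -s` from any member server to check the ranges before a winbind restart.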