Ben Curtis
2023-May-11  21:59 UTC
[Samba] Upgrade Samba AD from 4.3 to 4.7 - ID mapping failure
Hi all,

I am trying to upgrade my Samba 4.3 AD to a Samba 4.7 AD, and am having some problems with ID mapping.

My smb.conf file has been updated as per the documentation (https://wiki.samba.org/index.php/Updating_Samba and https://wiki.samba.org/index.php/Idmap_config_ad). A copy of it is linked below.

When running:

`ldbedit -H /var/lib/samba/private/sam.ldb 'samaccountname=myuser'`

(or with domain users) there are no uidNumber or gidNumber in my AD. I have tried adding them. The AD was supplying ids, however, as `id` as a logged in user in Ubuntu shows:

`uid=385601105(myuser) gid=385600513(domain users) groups=385600513(domain users)`

While systems using LDAP seem to be working with the new AD controller, `wbinfo` is failing. For instance see below. The logs linked are all debug log level 5.

```
~$ net cache flush && wbinfo -i myuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testing
~$ net cache flush && wbinfo -n myuser
S-1-5-21-1057597257-2002501470-2521000767-1105 SID_USER (1)
~$ net cache flush && wbinfo -s S-1-5-21-1057597257-2002501470-2521000767-1105
CORP\myuser 1
~$ net cache flush && wbinfo --user-sidinfo S-1-5-21-1057597257-2002501470-2521000767-1105
failed to call wbcGetpwsid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user sid S-1-5-21-1057597257-2002501470-2521000767-1105
```

You can see from the output that I'm getting the errors that seem to usually come from no gid/uid in objects. The logs show errors for user lookup such as `NT_STATUS_NO_SUCH_USER`. I have tried hardcoding in `uidNumber` and `gidNumber` into myuser and Domain Users with `ldbedit` but no luck there.

Any help would be appreciated.

smb.conf: https://www.dropbox.com/s/iu2hx2q32fi851h/smb.conf.txt?dl=0
wbinfo -i myuser log: https://www.dropbox.com/s/zzb2ixlj41amu3v/wbinfo_-i_myuser.txt?dl=0
wbinfo -n myuser log: https://www.dropbox.com/s/dwpv6mz45su172k/wbinfo%20-n%20myuser.txt?dl=0
wbinfo -s S-1-5-21-1057597257-2002501470-2521000767-1105 log: https://www.dropbox.com/s/kd03sn39gf3whhj/wbinfo%20-s%20sid.txt?dl=0
wbinfo -s S-1-5-21-1057597257-2002501470-2521000767-1105 log: https://www.dropbox.com/s/1q1wfqbeg7bc63m/wbinfo_--user-sidinfo_sid.txt?dl=0

Thanks,
Ben
Ben Curtis
2023-May-11  22:28 UTC
[Samba] Upgrade Samba AD from 4.3 to 4.7 - ID mapping failure
Well, it seems `smbcontrol` wasn't reloading properly. After adding the `gidNumber` to domain users and fully restarting Samba, all started working again.

On Thu, 2023-05-11 at 17:59 -0400, Ben Curtis via samba wrote:
> Hi all,
>
> I am trying to upgrade my Samba 4.3 AD to a Samba 4.7 AD, and am having some problems with ID mapping.
>
> My smb.conf file has been updated as per the documentation (https://wiki.samba.org/index.php/Updating_Samba and https://wiki.samba.org/index.php/Idmap_config_ad). A copy of it is linked below.
>
> When running:
>
> `ldbedit -H /var/lib/samba/private/sam.ldb 'samaccountname=myuser'`
>
> (or with domain users) there are no uidNumber or gidNumber in my AD. I have tried adding them. The AD was supplying ids, however, as `id` as a logged in user in Ubuntu shows:
>
> `uid=385601105(myuser) gid=385600513(domain users) groups=385600513(domain users)`
>
> While systems using LDAP seem to be working with the new AD controller, `wbinfo` is failing. For instance see below. The logs linked are all debug log level 5.
>
> ```
> ~$ net cache flush && wbinfo -i myuser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user testing
> ~$ net cache flush && wbinfo -n myuser
> S-1-5-21-1057597257-2002501470-2521000767-1105 SID_USER (1)
> ~$ net cache flush && wbinfo -s S-1-5-21-1057597257-2002501470-2521000767-1105
> CORP\myuser 1
> ~$ net cache flush && wbinfo --user-sidinfo S-1-5-21-1057597257-2002501470-2521000767-1105
> failed to call wbcGetpwsid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user sid S-1-5-21-1057597257-2002501470-2521000767-1105
> ```
>
> You can see from the output that I'm getting the errors that seem to usually come from no gid/uid in objects. The logs show errors for user lookup such as `NT_STATUS_NO_SUCH_USER`. I have tried hardcoding in `uidNumber` and `gidNumber` into myuser and Domain Users with `ldbedit` but no luck there.
>
> Any help would be appreciated.
>
> smb.conf: https://www.dropbox.com/s/iu2hx2q32fi851h/smb.conf.txt?dl=0
> wbinfo -i myuser log: https://www.dropbox.com/s/zzb2ixlj41amu3v/wbinfo_-i_myuser.txt?dl=0
> wbinfo -n myuser log: https://www.dropbox.com/s/dwpv6mz45su172k/wbinfo%20-n%20myuser.txt?dl=0
> wbinfo -s S-1-5-21-1057597257-2002501470-2521000767-1105 log: https://www.dropbox.com/s/kd03sn39gf3whhj/wbinfo%20-s%20sid.txt?dl=0
> wbinfo -s S-1-5-21-1057597257-2002501470-2521000767-1105 log: https://www.dropbox.com/s/1q1wfqbeg7bc63m/wbinfo_--user-sidinfo_sid.txt?dl=0
>
> Thanks,
> Ben

Thanks,
Ben
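
The resolution reported in this thread was a missing `gidNumber` on the user's primary group (Domain Users). The following is an added example, not part of the original messages or of Samba: a small audit of an LDIF export that flags users without `uidNumber`, groups without `gidNumber`, and users whose primary group lacks one. It assumes `ldbsearch`-style LDIF with `objectSid` printed as a string and a single domain; the DNs and ID values in the sample are constructed.

```python
# Added example: audit LDIF for missing RFC2307 IDs (SAMPLE_LDIF is constructed).
SAMPLE_LDIF = """\
dn: CN=myuser,CN=Users,DC=corp,DC=example,DC=com
objectClass: user
sAMAccountName: myuser
objectSid: S-1-5-21-1057597257-2002501470-2521000767-1105
primaryGroupID: 513
uidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1057597257-2002501470-2521000767-513
"""

def parse_ldif(text):
    """Split LDIF into entries; each maps a lowercased attribute to its values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (sAMAccountName, problem) pairs for objects that cannot be mapped."""
    groups = {e["objectsid"][0].rsplit("-", 1)[1]: e  # keyed by RID (single domain)
              for e in entries if "group" in e.get("objectclass", [])}
    findings = []
    for e in entries:
        name = e["samaccountname"][0]
        classes = e.get("objectclass", [])
        if "group" in classes and "gidnumber" not in e:
            findings.append((name, "group has no gidNumber"))
        elif "user" in classes:
            if "uidnumber" not in e:
                findings.append((name, "user has no uidNumber"))
            primary = groups.get(e.get("primarygroupid", [""])[0])
            if primary is not None and "gidnumber" not in primary:
                findings.append((name, "primary group '%s' has no gidNumber"
                                 % primary["samaccountname"][0]))
    return findings

if __name__ == "__main__":
    print(*audit(parse_ldif(SAMPLE_LDIF)), sep="\n")
```
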