On Mon, 4 Sep 2023 16:39:39 +0200
basti via samba <samba at lists.samba.org> wrote:
> Hello,
> I have set up a Samba AD-DC and a member server. All Debian 12.
>
> When I try to connect from windows client to dc1 all is fine.
> The same machine can't connect to member server.
>
> [global]
> workgroup = NET
> security = ADS
> realm = NET.EXAMPLE.DE
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> #dedicated keytab file = /etc/krb5.keytab
> #kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # idmap config for the NET domain
> idmap config NET:backend = ad
> idmap config NET:schema_mode = rfc2307
> idmap config NET:range = 10000-999999
> idmap config NET:unix_nss_info = yes
>
> # fix dfs error's in log ?
> host msdfs = no
>
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 10000
> panic action = /usr/share/samba/panic-action %d
>
> map to guest = bad user
>
> #======================= Share Definitions ======================
> ....
>
> root@fs:~# smbclient -N -L \\localhost
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         praxis          Disk
>         dagmar          Disk
>         thomas          Disk
>         iustest         Disk
>         IPC$            IPC       IPC Service (Samba 4.17.10-Debian)
> SMB1 disabled -- no workgroup available
> root@fs:~#
>
> wbinfo -u works
> getent passwd username works
>
> smbclient from another Linux machine works.
>
>
> root@fs:~# net rpc rights list -U Administrator -S fs
> Password for [NET\Administrator]:
> Could not connect to server fs
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> root@fs:~#
>
>
>
> Sep 04 16:32:22 fs smbd[713]: [2023/09/04 16:32:22.778684, 0] ../../source3/auth/auth_util.c:1927(check_account)
> Sep 04 16:32:22 fs smbd[713]: check_account: Failed to convert SID S-1-5-21-2233635944-4000802713-2790315286-500 to a UID (dom_user[NET\administrator])
>
>
> Windows says: error 0x8004005
>
> smbclient from test linux to fs works also.
>
>
> I have no idea anymore what is wrong here.
>
Try adding 'min domain uid = 0' to '[global]' on the member server,
restart Samba or reload the config. The RID '500' is Administrator's RID.
Rowland
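
For triage of the `check_account` failure quoted in this thread, the following added example (not part of either message and not Samba code) extracts each failing SID from smbd journal text and labels well-known RIDs such as the 500 mentioned in the reply. The sample log is constructed from the quoted lines plus one made-up entry; the function names and the `alice` account are assumptions.

```python
import re

# Constructed sample: the journal lines quoted in the post, wrapped as in the
# mail, plus one made-up failure for an ordinary (non-built-in) RID.
JOURNAL = """\
Sep 04 16:32:22 fs smbd[713]: [2023/09/04 16:32:22.778684, 0]
../../source3/auth/auth_util.c:1927(check_account)
Sep 04 16:32:22 fs smbd[713]: check_account: Failed to convert SID
S-1-5-21-2233635944-4000802713-2790315286-500 to a UID
(dom_user[NET\\administrator])
Sep 04 16:35:10 fs smbd[801]: check_account: Failed to convert SID
S-1-5-21-2233635944-4000802713-2790315286-1105 to a UID (dom_user[NET\\alice])
"""

# Well-known domain RIDs (500 is the one named in the reply).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}
PREFIX = re.compile(r"^(\w{3} \d{2} [\d:]{8}) \S+ smbd\[\d+\]: ")
FAILURE = re.compile(r"check_account: Failed to convert SID (S-1-5-21(?:-\d+){4}) "
                     r"to a UID \(dom_user\[([^\]]+)\]\)")


def unwrap(text):
    """Rejoin mail-wrapped continuation lines onto their journal record."""
    records = []
    for line in text.splitlines():
        if PREFIX.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def sid_failures(text):
    """Return one dict per SID-to-UID conversion failure found in the log."""
    hits = []
    for record in unwrap(text):
        head, fail = PREFIX.match(record), FAILURE.search(record)
        if head and fail:
            sid, account = fail.groups()
            rid = int(sid.rsplit("-", 1)[1])
            hits.append({"time": head.group(1), "sid": sid, "rid": rid,
                         "account": account, "well_known": WELL_KNOWN_RIDS.get(rid)})
    return hits


if __name__ == "__main__":
    for hit in sid_failures(JOURNAL):
        print(hit["time"], hit["account"], hit["rid"], hit["well_known"])
```

A hit with a well-known RID points at a built-in account, while a hit with `well_known` set to `None` is an ordinary domain account whose ID mapping should be checked.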