samba - Mar 2024 - When accessing the User Properties only SIDs are shown instead of real name

On Thu, 21 Mar 2024 21:07:52 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> We have Windows 10, 11, Server 2012R2, 2016, 2019 and 2022 as members
> in our network. The issue happens randomly on different machines and 
> different Windows OS. Find the smb.conf below.
> 
> # Global parameters [global] netbios name = PDC realm = XXXXXLTD.COM 
> server role = active directory domain controller workgroup > KTKBANKLTD
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dns, dnsupdate workgroup = XXXXLTD 
> idmap_ldb:use rfc2307 = yes ldap server require strong auth = No
> allow dns updates = nonsecure tls priority >
NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 log level = 1 auth_audit:0
> auth_json_audit:3 dsdb_json_audit:5 log file = /var/log/samba/pdc.log
> max log size = 1000000000 [sysvol] path >
/usr/local/samba/var/locks/sysvol read only = No [netlogon] path >
/usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts read only > No Let
me know if you need additional information.
> 
> Thanks & Regards,
> 
When I said 'What OS', I meant the OS that you are running the AD DC
on, not the clients.

If your DC is really called 'PDC' then can I point out it isn't a
PDC,
that is something else entirely.

If you are going to sanitise a smb.conf, then I suggest you sanitise
everything.

Is your dns domain really just 'ktkbankltd.com' ? 
If it is, is that dns domain reachable from the internet ?

Is there any pattern to the non mapped SIDs ?

Can I also point out that you appear to have 'workgroup' twice.

Rowland

Hello Rowland

Samba is running on RHEL 8.9 (subscribed edition)

Domain is ktkbankltd.com and the work group is ktkbankltd. This is the 
AD domain, not reachable from internet.

We have 5 servers named pdc.ktkbankltd.com, dc1.ktkbankltd.com, 
dc2.ktkbankltd.com, dc3.ktkbankltd.com and dc4.ktkbankltd.com The name 
PDC is just the name, unlike NT4 domain. These servers were initially 
installed during 2016 and we started with Samba-AD 4.8, we are upgrading 
the versions over a period and currently we are using 4.18.1.

WORKGROUP entered twice - Thanks for notifying.

Pattern for non-mapped SIDs - There is no specific pattern. It may be 
user, or a group or a computer object. Interesting thing is, in most of 
the members it appears properly, However, we cannot say which member we 
face this problem. It appears randomly. Another important point to note 
- From the member which has this problem, when we try to access the 
shares using <ip-address>/share, it fails to open. However, when we 
access the same share using <hostname>/share, it works fine.

I confirm that we have not deleted any user or group or computer object 
from AD which may result in this particular problem. To think that this 
could be a DNS issue, it randomly appears in different clients and not all.

Any other pointer to get to the root here?

Thanks & Regards,

Anantha Raghava H A


DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to Exza Technology Consulting & Services, Bangalore, and 
are intended only for the use of the recipients named above If you are 
not the addressee you may not copy, forward, disclose or use any part of 
it. If you have received this message in error, please delete it and all 
copies from your system and notify the sender immediately by return 
e-mail. Internet communications cannot be guaranteed to be timely, 
secure, error or virus-free. The sender does not accept liability for 
any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.


On 21/03/24 9:52 pm, Rowland Penny via samba wrote:
> On Thu, 21 Mar 2024 21:07:52 +0530
> Anantha Raghava via samba<samba at lists.samba.org>  wrote:
>
>> Hi,
>>
>> We have Windows 10, 11, Server 2012R2, 2016, 2019 and 2022 as members
>> in our network. The issue happens randomly on different machines and
>> different Windows OS. Find the smb.conf below.
>>
>> # Global parameters [global] netbios name = PDC realm = XXXXXLTD.COM
>> server role = active directory domain controller workgroup >>
KTKBANKLTD server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dns, dnsupdate workgroup = XXXXLTD
>> idmap_ldb:use rfc2307 = yes ldap server require strong auth = No
>> allow dns updates = nonsecure tls priority >>
NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 log level = 1 auth_audit:0
>> auth_json_audit:3 dsdb_json_audit:5 log file = /var/log/samba/pdc.log
>> max log size = 1000000000 [sysvol] path >>
/usr/local/samba/var/locks/sysvol read only = No [netlogon] path >>
/usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts read only >> No
Let me know if you need additional information.
>>
>> Thanks & Regards,
>>
> When I said 'What OS', I meant the OS that you are running the AD
DC
> on, not the clients.
>
> If your DC is really called 'PDC' then can I point out it isn't
a PDC,
> that is something else entirely.
>
> If you are going to sanitise a smb.conf, then I suggest you sanitise
> everything.
>
> Is your dns domain really just 'ktkbankltd.com' ?
> If it is, is that dns domain reachable from the internet ?
>
> Is there any pattern to the non mapped SIDs ?
>
> Can I also point out that you appear to have 'workgroup' twice.
>
> Rowland
>