thr3ads.net - samba - [Samba] Upgrade from 4.7 and Idmap check [Feb 2025]

If this information is useful, please help other people find it:
Share via:

Edson Tadeu Almeida da Silveira

2025-Feb-06 10:32 UTC

[Samba] Upgrade from 4.7 and Idmap check

Good morning everybody.

I searched the list here but I haven't found anything close to my problem
yet.

I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.

At some point I used the winbind configuration in smb.conf but, if I
understand correctly, it seems that in newer versions, this configuration
is not necessary in DC, so, i removed in this upgrade process:

  idmap_ldb:use rfc2307=yes
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config MYDOM:backend = ad
  idmap config MYDOM:schema_mode = rfc2307
  idmap config MYDOM:range = 3000000-4000000
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind max clients = 4000

Then. I simulated an inplace upgrade of samba from 4.7 to 4.21.
Apparently everything went well in the test environment until now, but I
noticed some details that I would like to know if this could be a problem
and, if so, how I could solve it.

1 -  In the log.winbindd:

 [2025/02/06 06:55:04.483261, 1, traceid=3]
../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
  [2025/02/06 06:57:17.530873, 1, traceid=7]
../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
  [2025/02/06 06:58:47.110201, 1, traceid=13]
../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

2- I the log.smbd:

  [2025/02/06 06:55:04.483261, 1, traceid=3]

3 - When issue the command: 'samba-tool ntacl sysvolcheck' i receive:

  ERROR(<class 'OSError'>): Could not access
/usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable - [Errno
61] No data avaiable:  '/usr/local/samba/var/locks/sysvol/mydom.local'

However, this directory does exist on the system:

  /usr/local/samba/var/locks/sysvol:
  drwxrwx---+  3 3000008 MYDOM\domain admins    4096 Mar  9  2017 sysvol

  /usr/local/samba/var/locks/sysvol/mydom.local:
  drwxrwx---+ 4 root    BUILTIN\administrators 4096 Nov 21  2017
mydom.local.local

4 - When issue the command: 'samba-tool ntacl sysvolreset' i receive:

  idmap range not specified for domain '*'
  idmap range not specified for domain '*'
  idmap range not specified for domain '*'
  idmap range not specified for domain '*'
  idmap range not specified for domain '*'


I did some tests:

# wbinfo -i user
 MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false

# wbinfo --name-to-sid=1833600
 S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)

# wbinfo --uid-to-sid=3020070
 S-1-5-21-1058002876-845724780-2777320708-32541

# wbinfo -a user%MYPASS
 plaintext password authentication succeeded
 challenge/response password authentication succeeded



Thanks!

Rowland Penny

2025-Feb-06 11:29 UTC

head link

[Samba] Upgrade from 4.7 and Idmap check

On Thu, 6 Feb 2025 07:32:48 -0300
Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org>
wrote:
> Good morning everybody.
> 
> I searched the list here but I haven't found anything close to my
> problem yet.
> 
> I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.
So, not in a rush then, seeing as 4.7.x went EOL from the Samba point
of view nearly 6 years ago.
> 
> At some point I used the winbind configuration in smb.conf but, if I
> understand correctly, it seems that in newer versions, this
> configuration is not necessary in DC, so, i removed in this upgrade
> process:
You should never have had any 'idmap config' lines in a Samba AD DCs
smb.conf
> 
>   idmap_ldb:use rfc2307=yes
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config MYDOM:backend = ad
>   idmap config MYDOM:schema_mode = rfc2307
>   idmap config MYDOM:range = 3000000-4000000
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind max clients = 4000
> 
> Then. I simulated an inplace upgrade of samba from 4.7 to 4.21.
> Apparently everything went well in the test environment until now,
> but I noticed some details that I would like to know if this could be
> a problem and, if so, how I could solve it.
> 
> 1 -  In the log.winbindd:
> 
>  [2025/02/06 06:55:04.483261, 1, traceid=3]
> ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
>     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>   [2025/02/06 06:57:17.530873, 1, traceid=7]
> ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
>     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>   [2025/02/06 06:58:47.110201, 1, traceid=13]
> ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
>     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
I wouldn't worry about that, it is just stating a fact rather than an
error.
> 
> 2- I the log.smbd:
> 
>   [2025/02/06 06:55:04.483261, 1, traceid=3]
> 
> 3 - When issue the command: 'samba-tool ntacl sysvolcheck' i
receive:
> 
>   ERROR(<class 'OSError'>): Could not access
> /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> [Errno 61] No data avaiable:
> '/usr/local/samba/var/locks/sysvol/mydom.local'
Are you running the command as root ?
> 
> However, this directory does exist on the system:
> 
>   /usr/local/samba/var/locks/sysvol:
>   drwxrwx---+  3 3000008 MYDOM\domain admins    4096 Mar  9  2017
> sysvol
Who is '3000008' ? it should be 'root' as below.
> 
>   /usr/local/samba/var/locks/sysvol/mydom.local:
>   drwxrwx---+ 4 root    BUILTIN\administrators 4096 Nov 21  2017
> mydom.local.local
That looks correct ownership and permissions wise.
> 
> 4 - When issue the command: 'samba-tool ntacl sysvolreset' i
receive:
> 
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
But that doesn't, I have never seen that error when running
sysvolreset, perhaps you should post your entire DCs smb.conf file.
> 
> 
> I did some tests:
> 
> # wbinfo -i user
>  MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false
> 
> # wbinfo --name-to-sid=1833600
>  S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
Are you really using a number as a username ?
> 
> # wbinfo --uid-to-sid=3020070
>  S-1-5-21-1058002876-845724780-2777320708-32541
> 
> # wbinfo -a user%MYPASS
>  plaintext password authentication succeeded
>  challenge/response password authentication succeeded
What OS is this ?

Rowland

Reasonably Related Threads

Search for more possibly parallel threads

samba - Feb 2025 - Upgrade from 4.7 and Idmap check

[Samba] Upgrade from 4.7 and Idmap check

[Samba] Upgrade from 4.7 and Idmap check

Reasonably Related Threads