Edson Tadeu Almeida da Silveira
2025-Feb-06 10:32 UTC
[Samba] Upgrade from 4.7 and Idmap check
Good morning everybody.

I searched the list here but I haven't found anything close to my problem yet.

I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.

At some point I used the winbind configuration in smb.conf but, if I understand correctly, it seems that in newer versions, this configuration is not necessary in DC, so I removed it in this upgrade process:

idmap_ldb:use rfc2307=yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind max clients = 4000

Then I simulated an in-place upgrade of Samba from 4.7 to 4.21. Apparently everything went well in the test environment until now, but I noticed some details that I would like to know if this could be a problem and, if so, how I could solve it.

1 - In the log.winbindd:

[2025/02/06 06:55:04.483261, 1, traceid=3] ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2025/02/06 06:57:17.530873, 1, traceid=7] ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2025/02/06 06:58:47.110201, 1, traceid=13] ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

2 - In the log.smbd:

[2025/02/06 06:55:04.483261, 1, traceid=3]

3 - When I issue the command 'samba-tool ntacl sysvolcheck' I receive:

ERROR(<class 'OSError'>): Could not access /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable - [Errno 61] No data avaiable: '/usr/local/samba/var/locks/sysvol/mydom.local'

However, this directory does exist on the system:

/usr/local/samba/var/locks/sysvol:
drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9 2017 sysvol

/usr/local/samba/var/locks/sysvol/mydom.local:
drwxrwx---+ 4 root BUILTIN\administrators 4096 Nov 21 2017 mydom.local.local

4 - When I issue the command 'samba-tool ntacl sysvolreset' I receive:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'

I did some tests:

# wbinfo -i user
MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false

# wbinfo --name-to-sid=1833600
S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)

# wbinfo --uid-to-sid=3020070
S-1-5-21-1058002876-845724780-2777320708-32541

# wbinfo -a user%MYPASS
plaintext password authentication succeeded
challenge/response password authentication succeeded

Thanks!

On Thu, 6 Feb 2025 07:32:48 -0300 Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:

> Good morning everybody.
>
> I searched the list here but I haven't found anything close to my
> problem yet.
>
> I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.

So, not in a rush then, seeing as 4.7.x went EOL from the Samba point of view nearly 6 years ago.

> At some point I used the winbind configuration in smb.conf but, if I
> understand correctly, it seems that in newer versions, this
> configuration is not necessary in DC, so I removed it in this upgrade
> process:

You should never have had any 'idmap config' lines in a Samba AD DC's smb.conf.

> idmap_ldb:use rfc2307=yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 3000000-4000000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind max clients = 4000
>
> Then I simulated an in-place upgrade of Samba from 4.7 to 4.21.
> Apparently everything went well in the test environment until now,
> but I noticed some details that I would like to know if this could be
> a problem and, if so, how I could solve it.
>
> 1 - In the log.winbindd:
>
> [2025/02/06 06:55:04.483261, 1, traceid=3]
> ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2025/02/06 06:57:17.530873, 1, traceid=7]
> ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2025/02/06 06:58:47.110201, 1, traceid=13]
> ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

I wouldn't worry about that, it is just stating a fact rather than an error.

> 2 - In the log.smbd:
>
> [2025/02/06 06:55:04.483261, 1, traceid=3]
>
> 3 - When I issue the command 'samba-tool ntacl sysvolcheck' I receive:
>
> ERROR(<class 'OSError'>): Could not access
> /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> [Errno 61] No data avaiable:
> '/usr/local/samba/var/locks/sysvol/mydom.local'

Are you running the command as root?

> However, this directory does exist on the system:
>
> /usr/local/samba/var/locks/sysvol:
> drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9 2017
> sysvol

Who is '3000008'? It should be 'root' as below.

> /usr/local/samba/var/locks/sysvol/mydom.local:
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Nov 21 2017
> mydom.local.local

That looks correct ownership and permissions wise.

> 4 - When I issue the command 'samba-tool ntacl sysvolreset' I receive:
>
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'

But that doesn't, I have never seen that error when running sysvolreset, perhaps you should post your entire DC's smb.conf file.

> I did some tests:
>
> # wbinfo -i user
> MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false
>
> # wbinfo --name-to-sid=1833600
> S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)

Are you really using a number as a username?

> # wbinfo --uid-to-sid=3020070
> S-1-5-21-1058002876-845724780-2777320708-32541
>
> # wbinfo -a user%MYPASS
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

What OS is this?

Rowland
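
Added example, not part of the thread and not Samba's own tooling: a small smb.conf check for the rule stated in the reply, that a Samba AD DC's smb.conf should carry no 'idmap config' lines. The function names and the sample file are constructed for illustration (the poster's full smb.conf was never posted, so the 'server role' line is an assumption), and only an explicit 'server role' setting is recognised.

```python
import re

DC_ROLE = "active directory domain controller"

def norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return (lineno, normalised name, value) for each [global] parameter."""
    params, section, pending, start = [], None, None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if pending is None:
            if not line or line[0] in "#;":   # blank line or comment
                continue
            start, pending = lineno, ""
        if line.endswith("\\"):               # backslash continues the line
            pending += line[:-1]
            continue
        line, pending = pending + line, None
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' matters
            params.append((start, norm(name), value.strip()))
    return params

def idmap_config_on_dc(text):
    """Line numbers of 'idmap config' parameters when the role is AD DC."""
    params = parse_global(text)
    if not any(n == "serverrole" and v.lower() == DC_ROLE for _, n, v in params):
        return []
    return [ln for ln, n, _ in params if n.startswith("idmapconfig")]

# Constructed sample: idmap lines as quoted in the thread, the rest assumed.
SAMPLE = """\
[global]
    netbios name = DC1
    realm = MYDOM.LOCAL
    workgroup = MYDOM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    # idmap config *:range = 1-2   (commented out, ignored)
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    Idmap Config MYDOM : backend = ad
    winbind use default domain = yes
"""

if __name__ == "__main__":
    for ln in idmap_config_on_dc(SAMPLE):
        print(f"line {ln}: 'idmap config' parameter in an AD DC smb.conf")
```

The same file with a member-server role returns an empty list, since 'idmap config' lines are only out of place on the DC.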