Edson Tadeu Almeida da Silveira
2025-Feb-06 12:04 UTC
[Samba] Upgrade from 4.7 and Idmap check
> > 2- In the log.smbd:
> >
> > [2025/02/06 06:55:04.483261, 1, traceid=3]
> >
> > 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I receive:
> >
> > ERROR(<class 'OSError'>): Could not access
> > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> > [Errno 61] No data avaiable:
> > '/usr/local/samba/var/locks/sysvol/mydom.local'
>
> Are you running the command as root ?

Yes, I ran as root.

> > However, this directory does exist on the system:
> >
> > /usr/local/samba/var/locks/sysvol:
> > drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9 2017 sysvol
>
> Who is '3000008' ? it should be 'root' as below.

uid=3000008(MYDOM\domain admins) gid=3000008(MYDOM\domain admins) groups=3000008(MYDOM\domain admins)

> > 4 - When I issue the command: 'samba-tool ntacl sysvolreset' I receive:
> >
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
>
> But that doesn't, I have never seen that error when running
> sysvolreset, perhaps you should post your entire DCs smb.conf file.

> > # wbinfo --name-to-sid=12345678
> > S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
>
> Are you really using a number as a username ?

Yes #-) It's a corporate requirement.

> > # wbinfo -a user%MYPASS
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
>
> What OS is this ?

It's an Ubuntu Server 24.04.1

This is my smb.conf:

[global]
interfaces = lo eth0
workgroup = MYDOM
realm = MYDOM.LOCAL
netbios name = HOSTNAME
server role = active directory domain controller
server services = -dns

ldap server require strong auth = no

ntlm auth = mschapv2-and-ntlmv2-only

tls enabled = yes
tls keyfile = tls/hostname.key.pem
tls certfile = tls/hostname.cert.pem
tls cafile

allow dns updates = nonsecure

eventlog list = Application System Security SyslogLinux

rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

winbind enum users = yes
winbind enum groups = yes
winbind max clients = 4000

veto files = /*.inf/*.pif/*.lnk/*.{*}/

log level = 1 auth_audit:3 auth_json_audit:3

vfs objects = acl_xattr dfs_samba4

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

On Thu, 6 Feb 2025 at 08:30, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 6 Feb 2025 07:32:48 -0300
> Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
>
> > Good morning everybody.
> >
> > I searched the list here but I haven't found anything close to my
> > problem yet.
> >
> > I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.
>
> So, not in a rush then, seeing as 4.7.x went EOL from the Samba point
> of view nearly 6 years ago.
>
> > At some point I used the winbind configuration in smb.conf but, if I
> > understand correctly, it seems that in newer versions, this
> > configuration is not necessary in DC, so, I removed in this upgrade
> > process:
>
> You should never have had any 'idmap config' lines in a Samba AD DCs
> smb.conf
>
> > idmap_ldb:use rfc2307=yes
> > idmap config *:backend = tdb
> > idmap config *:range = 70001-80000
> > idmap config MYDOM:backend = ad
> > idmap config MYDOM:schema_mode = rfc2307
> > idmap config MYDOM:range = 3000000-4000000
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind max clients = 4000
> >
> > Then I simulated an inplace upgrade of samba from 4.7 to 4.21.
> > Apparently everything went well in the test environment until now,
> > but I noticed some details that I would like to know if this could be
> > a problem and, if so, how I could solve it.
> >
> > 1 - In the log.winbindd:
> >
> > [2025/02/06 06:55:04.483261, 1, traceid=3]
> > ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
> > Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> > [2025/02/06 06:57:17.530873, 1, traceid=7]
> > ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
> > Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> > [2025/02/06 06:58:47.110201, 1, traceid=13]
> > ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
> > Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> I wouldn't worry about that, it is just stating a fact rather than an
> error.
>
> > 2- In the log.smbd:
> >
> > [2025/02/06 06:55:04.483261, 1, traceid=3]
> >
> > 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I receive:
> >
> > ERROR(<class 'OSError'>): Could not access
> > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> > [Errno 61] No data avaiable:
> > '/usr/local/samba/var/locks/sysvol/mydom.local'
>
> Are you running the command as root ?
>
> > However, this directory does exist on the system:
> >
> > /usr/local/samba/var/locks/sysvol:
> > drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9 2017 sysvol
>
> Who is '3000008' ? it should be 'root' as below.
>
> > /usr/local/samba/var/locks/sysvol/mydom.local:
> > drwxrwx---+ 4 root BUILTIN\administrators 4096 Nov 21 2017 mydom.local.local
>
> That looks correct ownership and permissions wise.
>
> > 4 - When I issue the command: 'samba-tool ntacl sysvolreset' I receive:
> >
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
> > idmap range not specified for domain '*'
>
> But that doesn't, I have never seen that error when running
> sysvolreset, perhaps you should post your entire DCs smb.conf file.
>
> > I did some tests:
> >
> > # wbinfo -i user
> > MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false
> >
> > # wbinfo --name-to-sid=12345678
> > S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
>
> Are you really using a number as a username ?
>
> > # wbinfo --uid-to-sid=3020070
> > S-1-5-21-1058002876-845724780-2777320708-32541
> >
> > # wbinfo -a user%MYPASS
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
>
> What OS is this ?
>
> Rowland

--
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/

On Thu, 6 Feb 2025 09:04:21 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> > > 2- In the log.smbd:
> > >
> > > [2025/02/06 06:55:04.483261, 1, traceid=3]
> > >
> > > 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I
> > > receive:
> > >
> > > ERROR(<class 'OSError'>): Could not access
> > > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable
> > > - [Errno 61] No data avaiable:
> > > '/usr/local/samba/var/locks/sysvol/mydom.local'
> >
> > Are you running the command as root ?
>
> Yes, I ran as root.

Then why did you get the error ?

> > > However, this directory does exist on the system:
> > >
> > > /usr/local/samba/var/locks/sysvol:
> > > drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9 2017 sysvol
> >
> > Who is '3000008' ? it should be 'root' as below.
>
> uid=3000008(MYDOM\domain admins) gid=3000008(MYDOM\domain admins)
> groups=3000008(MYDOM\domain admins)

As I said, it should be root, but even so, why is it showing '3000008' instead of 'MYDOM\domain admins' for the user, it is showing it for the group, have you given Domain Admins a gidNumber attribute ?

> > > 4 - When I issue the command: 'samba-tool ntacl sysvolreset' I
> > > receive:
> > >
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> >
> > But that doesn't, I have never seen that error when running
> > sysvolreset, perhaps you should post your entire DCs smb.conf file.
>
> > > # wbinfo --name-to-sid=12345678
> > > S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
> >
> > Are you really using a number as a username ?
>
> Yes #-) It's a corporate requirement.

What ever floats your boat ;-)

> > > # wbinfo -a user%MYPASS
> > > plaintext password authentication succeeded
> > > challenge/response password authentication succeeded
> >
> > What OS is this ?
>
> It's an Ubuntu Server 24.04.1

Why build Samba yourself, you can get the latest packages from here: http://www.corpit.ru/mjt/packages/samba/

> This is my smb.conf:
>
> [global]
> interfaces = lo eth0
> workgroup = MYDOM
> realm = MYDOM.LOCAL
> netbios name = HOSTNAME
> server role = active directory domain controller
> server services = -dns
>
> ldap server require strong auth = no
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> tls enabled = yes
> tls keyfile = tls/hostname.key.pem
> tls certfile = tls/hostname.cert.pem
> tls cafile
>
> allow dns updates = nonsecure
>
> eventlog list = Application System Security SyslogLinux
>
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind max clients = 4000
>
> veto files = /*.inf/*.pif/*.lnk/*.{*}/
>
> log level = 1 auth_audit:3 auth_json_audit:3
>
> vfs objects = acl_xattr dfs_samba4
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No

Where did the 'netlogon' share go ?

Rowland

PS: Please do not 'CC' me.
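
Added example (not part of the thread and not Samba project code): a small Python check for the two smb.conf points raised in the replies above, leftover 'idmap config' lines on an AD DC and a missing [sysvol] or [netlogon] share. The sample config is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: some of the lines the poster says he removed, plus the
# role line and the [sysvol] share from the smb.conf posted in the thread.
SAMPLE_OLD = """\
[global]
    workgroup = MYDOM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOM:backend = ad
    idmap config MYDOM:range = 3000000-4000000
    tls cafile
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
"""

def norm(name):
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.partition("=")  # a bare key gets an empty value
            conf[section][norm(key)] = value.strip()
    return conf

def check_dc_conf(text):
    """List findings for the two points raised in the thread."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if norm(glob.get("serverrole", "")) != norm("active directory domain controller"):
        return []  # the checks below only apply to an AD DC
    findings = [f"idmap config line on a DC: {k}" for k in glob if k.startswith("idmapconfig")]
    findings += [f"missing [{s}] share" for s in ("sysvol", "netlogon") if s not in conf]
    return findings
```

Run against the smb.conf posted in the thread, `check_dc_conf` reports only the missing [netlogon] share, since the 'idmap config' lines had already been removed there.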