Dustin L. Howett
2025-Apr-24 01:08 UTC
[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
On Wed, Apr 23, 2025 at 05:57:04PM +0000, Dustin L. Howett via samba wrote:
> On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba wrote:
> > On Tue, 22 Apr 2025 21:09:26 -0500
> > Dustin Howett via samba <samba at lists.samba.org> wrote:
> >
> > > - On Server 2025, it returns a failure instead:
> > > NT_STATUS_NO_SUCH_DOMAIN
> > >

FWIW, I think this is down to a difference in handling NetGetAnyDCName on Windows Server 2025 compared to 2022.

On 2025, I see this in netlogon.log (nltest /dbflag:ffffffff):

+ 04/23 20:00:38 [CRITICAL] [2268] DOMTEST: NetrGetAnyDCName: domtest: No such trusted domain

... which matches up with a log entry in log.winbindd-DOMTEST

+ [2025/04/24 01:00:39.489494, 10, pid=694, effective(0, 0), real(0, 0), class=rpc_cli] ../../source3/rpc_client/cli_pipe.c:1028(rpc_api_pipe_got_pdu)
+ rpc_api_pipe: host WIN-NAFS39H19IE.domtest.howett.net returned 8 bytes.
+ [2025/04/24 01:00:39.489502, 1, pid=694, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:490(ndr_print_function_debug)
+ netr_GetAnyDCName: struct netr_GetAnyDCName
+ out: struct netr_GetAnyDCName
+ dcname : *
+ dcname : NULL
+ result : WERR_NO_SUCH_DOMAIN

Curiously, it looks like the MS-NRPC docs for NetGetAnyDCName say this:

+ If the server that receives this call is the PDC for the domain specified in DomainName,
+ the server MUST return ERROR_NO_SUCH_DOMAIN.
+
+ https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3db726ac-0d1b-43be-bd6f-923d97768436

I only have the one server, and it is the PDC.

A strict read suggests that NO_SUCH_DOMAIN is correct here.

Is Server 2025 acting as documented and causing Samba some heartburn?
Rowland Penny
2025-Apr-24 06:29 UTC
[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
On Wed, 23 Apr 2025 20:08:00 -0500
"Dustin L. Howett via samba" <samba at lists.samba.org> wrote:

> On Wed, Apr 23, 2025 at 05:57:04PM +0000, Dustin L. Howett via samba
> wrote:
> > On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba
> > wrote:
> > > On Tue, 22 Apr 2025 21:09:26 -0500
> > > Dustin Howett via samba <samba at lists.samba.org> wrote:
> > >
> > > > - On Server 2025, it returns a failure instead:
> > > > NT_STATUS_NO_SUCH_DOMAIN
> > > >
>
> FWIW, I think this is down to a difference in handling NetGetAnyDCName
> on Windows Server 2025 compared to 2022.
>
> On 2025, I see this in netlogon.log (nltest /dbflag:ffffffff):
>
> + 04/23 20:00:38 [CRITICAL] [2268] DOMTEST: NetrGetAnyDCName:
> domtest: No such trusted domain
>
> ... which matches up with a log entry in log.winbindd-DOMTEST
>
> + [2025/04/24 01:00:39.489494, 10, pid=694, effective(0, 0), real(0,
> 0), class=rpc_cli]
> ../../source3/rpc_client/cli_pipe.c:1028(rpc_api_pipe_got_pdu)
> + rpc_api_pipe: host WIN-NAFS39H19IE.domtest.howett.net returned 8
> bytes.
> + [2025/04/24 01:00:39.489502, 1, pid=694, effective(0, 0), real(0,
> 0), class=rpc_parse]
> ../../librpc/ndr/ndr.c:490(ndr_print_function_debug)
> + netr_GetAnyDCName: struct netr_GetAnyDCName
> + out: struct netr_GetAnyDCName
> + dcname : *
> + dcname : NULL
> + result : WERR_NO_SUCH_DOMAIN
>
> Curiously, it looks like the MS-NRPC docs for NetGetAnyDCName say
> this:
>
> + If the server that receives this call is the PDC for the domain
> specified in DomainName,
> + the server MUST return ERROR_NO_SUCH_DOMAIN.
> +
> +
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3db726ac-0d1b-43be-bd6f-923d97768436
>
> I only have the one server, and it is the PDC.

The only thing wrong with that statement is that it is, in my opinion, wrong. There is no such thing as a PDC in AD, yes there is the PDC_Emulator FSMO role, but in AD without any NT4 domain members, it is meaningless.

> A strict read suggests that NO_SUCH_DOMAIN is correct here.

Not sure, some of Microsoft's documentation is pretty vague, this is probably one of them, whatever else the computer that holds the PDC_emulator role is, it is a DC and as such should be able to return the NetBIOS domain name.

Rowland

>
> Is Server 2025 acting as documented and causing Samba some heartburn?
>
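Added example (not part of the thread and not Samba project code): a Python sketch that scans a winbindd debug log in the layout quoted above for netr_GetAnyDCName replies whose result is not WERR_OK and reports which server answered. The sample log is constructed, the host names are placeholders, and WERR_OK as the success value is an assumption.

```python
import re

# Constructed sample in the layout of the log.winbindd excerpt quoted above.
# Host names and the first (successful) reply are made up for illustration.
SAMPLE_LOG = """[2025/04/24 01:00:12.101000, 10, pid=694, effective(0, 0), real(0, 0), class=rpc_cli] ../../source3/rpc_client/cli_pipe.c:1028(rpc_api_pipe_got_pdu)
  rpc_api_pipe: host dc2022.example.test returned 32 bytes.
[2025/04/24 01:00:12.101200,  1, pid=694, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:490(ndr_print_function_debug)
       netr_GetAnyDCName: struct netr_GetAnyDCName
          out: struct netr_GetAnyDCName
              dcname                   : *
                  dcname                   : 'DC2022B'
              result                   : WERR_OK
[2025/04/24 01:00:39.489494, 10, pid=694, effective(0, 0), real(0, 0), class=rpc_cli] ../../source3/rpc_client/cli_pipe.c:1028(rpc_api_pipe_got_pdu)
  rpc_api_pipe: host dc2025.example.test returned 8 bytes.
[2025/04/24 01:00:39.489502,  1, pid=694, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:490(ndr_print_function_debug)
       netr_GetAnyDCName: struct netr_GetAnyDCName
          out: struct netr_GetAnyDCName
              dcname                   : *
                  dcname                   : NULL
              result                   : WERR_NO_SUCH_DOMAIN
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+, pid=(?P<pid>\d+),.*\]\s+\S+\(\w+\)\s*$")
HOST = re.compile(r"rpc_api_pipe: host (\S+) returned \d+ bytes")
RESULT = re.compile(r"^\s*result\s*:\s*(\S+)")

def failed_getanydcname(log_text):
    """Return (timestamp, pid, host, result) for each netr_GetAnyDCName reply that is
    not WERR_OK; host comes from the latest rpc_api_pipe line of the same pid."""
    hits, last_host = [], {}
    hdr, in_reply = None, False
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:                      # a new log record starts
            hdr, in_reply = m, False
            continue
        if hdr is None:
            continue               # text before the first header
        host = HOST.search(line)
        if host:
            last_host[hdr["pid"]] = host.group(1)
        if line.strip() == "out: struct netr_GetAnyDCName":
            in_reply = True        # only 'out' dumps carry a result
        res = RESULT.match(line)
        if in_reply and res and res.group(1) != "WERR_OK":  # WERR_OK assumed to mean success
            hits.append((hdr["ts"], hdr["pid"], last_host.get(hdr["pid"]), res.group(1)))
    return hits

print(failed_getanydcname(SAMPLE_LOG))
```

The NDR dump of the reply only appears when the rpc_parse debug class is logged at the level shown in the quoted excerpt.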