samba - Apr 2025 - Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025

On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba
wrote:
> On Tue, 22 Apr 2025 21:09:26 -0500
> Dustin Howett via samba <samba at lists.samba.org> wrote:
> 
> > - On Server 2025, it returns a failure instead:
> > NT_STATUS_NO_SUCH_DOMAIN
> > 
> 
> It seems that your DC cannot be found, so for a start, can you post the
> /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
> 
Thanks Rowland (and sorry for the stray Fwd in the subject.)

Just to note before I get into my config files: wbinfo (et al) report
that the DC is reachable in both cases. Other domain operations such as
user enumeration also work.

On both members (2022 lab and 2025 lab):

(Note that due to the identical lab setup, the DC hostname is the same.
**These machines are in isolated networks and cannot see eachother**.)

-- 8< snip --

root at dom-test-member:~# wbinfo --ping-dc
checking the NETLOGON for domain[DOMTEST] dc connection to
"WIN-NAFS39H19IE.domtest.howett.net" succeeded
root at dom-test-member:~# wbinfo -u
DOMTEST\administrator
DOMTEST\guest
DOMTEST\krbtgt
DOMTEST\dustin
root at dom-test-member:~# 

---

root at dom2-test-member:~# wbinfo --ping-dc
checking the NETLOGON for domain[DOMTEST] dc connection to
"WIN-NAFS39H19IE.domtest.howett.net" succeeded
root at dom2-test-member:~# wbinfo -u
DOMTEST\administrator
DOMTEST\guest
DOMTEST\krbtgt
DOMTEST\dustin
root at dom2-test-member:~# 

-- 8< snip --

Here are the config files you've asked for.
krb5.conf and smb.conf are almost identical (I will call out the change
between the two with a diff below.). resolv.conf only differs because of
the lab subnet.

--- resolv.conf (member of working 2022 domain) ---
domain domtest.howett.net.
nameserver 192.168.1.2

--- resolv.conf (member of failing 2025 domain) ---
domain domtest.howett.net.
nameserver 192.168.2.2

--- krb5.conf (both, identical) ---
[libdefaults]
        default_realm = DOMTEST.HOWETT.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false
        fcc-mit-ticketflags = true

--- smb.conf ---

[global]
	log file = /var/log/samba/log.%m
	logging = file
	log level = 10
	map to guest = Bad User
	max log size = 1000
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	realm = DOMTEST.HOWETT.NET
	server role = member server
	unix password sync = Yes
	usershare allow guests = Yes
	workgroup = DOMTEST
	idmap config * : backend = tdb
	idmap config * : range = 1000-9999
	idmap config domtest:backend = ad
	idmap config domtest:schema_mode = rfc2307
	idmap config domtest:range = 500-599
	idmap config domtest:unix_nss_info = yes

[homes]
	browseable = No
	comment = Home Directories
	create mask = 0700
	directory mask = 0700
	valid users = %S

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/tmp
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

--- smb.conf diff from 2022 member to 2025 member ---

--- smb.conf.2022       2025-04-23 12:53:13.842606909 -0500
+++ smb.conf.2025       2025-04-23 12:53:32.766556304 -0500
@@ -5,6 +5,7 @@
        log level = 10
        map to guest = Bad User
        max log size = 1000
+       netbios name = DOM2MEM
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d

Thanks,
d

On Wed, 23 Apr 2025 13:00:46 -0500
"Dustin L. Howett via samba" <samba at lists.samba.org> wrote:
> On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba
> wrote:
> > On Tue, 22 Apr 2025 21:09:26 -0500
> > Dustin Howett via samba <samba at lists.samba.org> wrote:
> > 
> > > - On Server 2025, it returns a failure instead:
> > > NT_STATUS_NO_SUCH_DOMAIN
> > > 
> > 
> > It seems that your DC cannot be found, so for a start, can you post
> > the /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
> > 
> 
> Thanks Rowland (and sorry for the stray Fwd in the subject.)
> 
> Just to note before I get into my config files: wbinfo (et al) report
> that the DC is reachable in both cases. Other domain operations such
> as user enumeration also work.
> 
> On both members (2022 lab and 2025 lab):
> 
> (Note that due to the identical lab setup, the DC hostname is the
> same. **These machines are in isolated networks and cannot see
> eachother**.)
> 
> -- 8< snip --
> 
> root at dom-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom-test-member:~# wbinfo -u DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom-test-member:~# 
> 
> ---
> 
> root at dom2-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom2-test-member:~# wbinfo -u DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom2-test-member:~# 
> 
> -- 8< snip --
> 
> Here are the config files you've asked for.
> krb5.conf and smb.conf are almost identical (I will call out the
> change between the two with a diff below.). resolv.conf only differs
> because of the lab subnet.
> 
> --- resolv.conf (member of working 2022 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.1.2
> 
> --- resolv.conf (member of failing 2025 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.2.2
> 
> --- krb5.conf (both, identical) ---
> [libdefaults]
>         default_realm = DOMTEST.HOWETT.NET
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         rdns = false
>         fcc-mit-ticketflags = true
> 
Try this one instead:

[libdefaults]
	default_realm = DOMTEST.HOWETT.NET
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	DOMTEST.HOWETT.NET = {
		default_domain = domtest.howett.net
	}

[domain_realm]
	YOUR_COMPUTERS_SHORT_HOSTNAME_IN_UPPERCASE = DOMTEST.HOWETT.NET

Making the obvious change.
> --- smb.conf ---
> 
> [global]
> 	log file = /var/log/samba/log.%m
> 	logging = file
> 	log level = 10
> 	map to guest = Bad User
Why do you have that set ? You do not seem to have 'guest ok' or
'public' in any shares.
> 	max log size = 1000
> 	obey pam restrictions = Yes
> 	pam password change = Yes
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = DOMTEST.HOWETT.NET
> 	server role = member server
> 	unix password sync = Yes
Why 'unix password sync' ? you shouldn't have any users both in
/etc/passwd and AD.
> 	usershare allow guests = Yes
> 	workgroup = DOMTEST
> 	idmap config * : backend = tdb
> 	idmap config * : range = 1000-9999
> 	idmap config domtest:backend = ad
> 	idmap config domtest:schema_mode = rfc2307
> 	idmap config domtest:range = 500-599
> 	idmap config domtest:unix_nss_info = yes
Why such low numbers ? was this domain classic upgraded from an
NT4-style domain ?

Rowland