Dustin L. Howett
2025-Apr-23 18:00 UTC
[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba wrote:
> On Tue, 22 Apr 2025 21:09:26 -0500
> Dustin Howett via samba <samba at lists.samba.org> wrote:
>
> > - On Server 2025, it returns a failure instead:
> > NT_STATUS_NO_SUCH_DOMAIN
> >
>
> It seems that your DC cannot be found, so for a start, can you post the
> /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
>

Thanks Rowland (and sorry for the stray Fwd in the subject.)

Just to note before I get into my config files: wbinfo (et al) report that the DC is reachable in both cases. Other domain operations such as user enumeration also work.

On both members (2022 lab and 2025 lab):

(Note that due to the identical lab setup, the DC hostname is the same. **These machines are in isolated networks and cannot see each other**.)

-- 8< snip --

root at dom-test-member:~# wbinfo --ping-dc
checking the NETLOGON for domain[DOMTEST] dc connection to "WIN-NAFS39H19IE.domtest.howett.net" succeeded
root at dom-test-member:~# wbinfo -u
DOMTEST\administrator
DOMTEST\guest
DOMTEST\krbtgt
DOMTEST\dustin
root at dom-test-member:~#

---

root at dom2-test-member:~# wbinfo --ping-dc
checking the NETLOGON for domain[DOMTEST] dc connection to "WIN-NAFS39H19IE.domtest.howett.net" succeeded
root at dom2-test-member:~# wbinfo -u
DOMTEST\administrator
DOMTEST\guest
DOMTEST\krbtgt
DOMTEST\dustin
root at dom2-test-member:~#

-- 8< snip --

Here are the config files you've asked for. krb5.conf and smb.conf are almost identical (I will call out the change between the two with a diff below). resolv.conf only differs because of the lab subnet.

--- resolv.conf (member of working 2022 domain) ---
domain domtest.howett.net.
nameserver 192.168.1.2

--- resolv.conf (member of failing 2025 domain) ---
domain domtest.howett.net.
nameserver 192.168.2.2

--- krb5.conf (both, identical) ---
[libdefaults]
default_realm = DOMTEST.HOWETT.NET
dns_lookup_realm = false
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
fcc-mit-ticketflags = true

--- smb.conf ---
[global]
log file = /var/log/samba/log.%m
logging = file
log level = 10
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
realm = DOMTEST.HOWETT.NET
server role = member server
unix password sync = Yes
usershare allow guests = Yes
workgroup = DOMTEST
idmap config * : backend = tdb
idmap config * : range = 1000-9999
idmap config domtest:backend = ad
idmap config domtest:schema_mode = rfc2307
idmap config domtest:range = 500-599
idmap config domtest:unix_nss_info = yes

[homes]
browseable = No
comment = Home Directories
create mask = 0700
directory mask = 0700
valid users = %S

[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/tmp
printable = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

--- smb.conf diff from 2022 member to 2025 member ---
--- smb.conf.2022	2025-04-23 12:53:13.842606909 -0500
+++ smb.conf.2025	2025-04-23 12:53:32.766556304 -0500
@@ -5,6 +5,7 @@
 log level = 10
 map to guest = Bad User
 max log size = 1000
+netbios name = DOM2MEM
 obey pam restrictions = Yes
 pam password change = Yes
 panic action = /usr/share/samba/panic-action %d

Thanks,
d
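Review bot: the one added line, `+netbios name = DOM2MEM`, gives the 2025 member a machine name that does not match the hostname shown in its prompts (dom2-test-member, 16 characters, over the 15-character NetBIOS limit, so an explicit override is to be expected), while the 2022 member carries no such override; that means the two labs are not joined under equivalent machine names, so it is worth confirming that DOM2MEM matches the computer object the join created on the 2025 DC before reading the SID-to-ID failure as a DC-side difference.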
Rowland Penny
2025-Apr-24 07:25 UTC
[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
On Wed, 23 Apr 2025 13:00:46 -0500
"Dustin L. Howett via samba" <samba at lists.samba.org> wrote:

> On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba
> wrote:
> > On Tue, 22 Apr 2025 21:09:26 -0500
> > Dustin Howett via samba <samba at lists.samba.org> wrote:
> >
> > > - On Server 2025, it returns a failure instead:
> > > NT_STATUS_NO_SUCH_DOMAIN
> > >
> >
> > It seems that your DC cannot be found, so for a start, can you post
> > the /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
> >
>
> Thanks Rowland (and sorry for the stray Fwd in the subject.)
>
> Just to note before I get into my config files: wbinfo (et al) report
> that the DC is reachable in both cases. Other domain operations such
> as user enumeration also work.
>
> On both members (2022 lab and 2025 lab):
>
> (Note that due to the identical lab setup, the DC hostname is the
> same. **These machines are in isolated networks and cannot see
> each other**.)
>
> -- 8< snip --
>
> root at dom-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom-test-member:~# wbinfo -u
> DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom-test-member:~#
>
> ---
>
> root at dom2-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom2-test-member:~# wbinfo -u
> DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom2-test-member:~#
>
> -- 8< snip --
>
> Here are the config files you've asked for.
> krb5.conf and smb.conf are almost identical (I will call out the
> change between the two with a diff below). resolv.conf only differs
> because of the lab subnet.
>
> --- resolv.conf (member of working 2022 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.1.2
>
> --- resolv.conf (member of failing 2025 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.2.2
>
> --- krb5.conf (both, identical) ---
> [libdefaults]
> default_realm = DOMTEST.HOWETT.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> rdns = false
> fcc-mit-ticketflags = true
>

Try this one instead:

[libdefaults]
default_realm = DOMTEST.HOWETT.NET
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
DOMTEST.HOWETT.NET = {
default_domain = domtest.howett.net
}

[domain_realm]
YOUR_COMPUTERS_SHORT_HOSTNAME_IN_UPPERCASE = DOMTEST.HOWETT.NET

Making the obvious change.

> --- smb.conf ---
>
> [global]
> log file = /var/log/samba/log.%m
> logging = file
> log level = 10
> map to guest = Bad User

Why do you have that set? You do not seem to have 'guest ok' or 'public' in any shares.

> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> realm = DOMTEST.HOWETT.NET
> server role = member server
> unix password sync = Yes

Why 'unix password sync'? You shouldn't have any users both in /etc/passwd and AD.

> usershare allow guests = Yes
> workgroup = DOMTEST
> idmap config * : backend = tdb
> idmap config * : range = 1000-9999
> idmap config domtest:backend = ad
> idmap config domtest:schema_mode = rfc2307
> idmap config domtest:range = 500-599
> idmap config domtest:unix_nss_info = yes

Why such low numbers? Was this domain classic upgraded from an NT4-style domain?

Rowland