On Oracle Linux 9.6, Samba ver 4.21.3-5.el9 mapping fails after days or hours on multiple servers.

First symptom is "wbinfo --getdcname MYCORP" starts failing with "Could not get dc name for MYCORP". Eventually when "wbinfo -S sid" returns "failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid to uid" the mapping fails too.

Oddly, "wbinfo -n uid" still returns a valid SID. Servers still show joined to AD and wbinfo -u/g returns AD users/groups. wbinfo -t shows "checking the trust secret for domain MYCORP via RPC calls succeeded". Samba logs and tcpdumps not helping. AD is running on Windows.

Below is our /etc/samba/smb.conf. This same smb.conf is still working on CentOS 7, Samba ver 4.10.16-25.el7. (Knock wood)

[global]
workgroup = MYCORP
realm = MYCORP.AD.SOMETHING.COM
security = ads
kerberos method = system keytab
log level = 8
max log size = 5000
log file = /var/log/samba/log.%h.%m
template shell = /bin/bash
idmap config MYCORP : range = 1000-2999999
idmap config MYCORP : backend = ad
idmap config MYCORP : schema_mode = rfc2307
idmap config MYCORP : unix_primary_group = yes
idmap config MYCORP : unix_nss_info = yes
idmap config * : range = 3000000-39999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
kpasswd port = 0

template homedir = /home/%U@%D

# Put our shares here
include = /somedirectory/custom.conf

Thanks, Jim Brand

This email and any attachments may contain information that is confidential and/or privileged for the sole use of the intended recipient. Any use, review, disclosure, copying, distribution or reliance by others, and any forwarding of this email or its contents, without the express permission of the sender is strictly prohibited by law. If you are not the intended recipient, please contact the sender immediately, delete the email, and destroy all copies.

On Thu, 7 Aug 2025 15:39:22 +0000 Jim Brand via samba <samba at lists.samba.org> wrote:

> On Oracle Linux 9.6, Samba ver 4.21.3-5.el9 mapping fails after days
> or hours on multiple servers.
>
> First symptom is "wbinfo --getdcname MYCORP" starts failing with
> "Could not get dc name for MYCORP". Eventually when "wbinfo -S sid"
> returns "failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could
> not convert sid to uid" the mapping fails too.
>
> Oddly, "wbinfo -n uid" still returns a valid SID. Servers still show
> joined to AD and wbinfo -u/g returns AD users/groups. wbinfo -t
> shows "checking the trust secret for domain MYCORP via RPC calls
> succeeded". Samba logs and tcpdumps not helping. AD is running on
> Windows.
>
> Below is our /etc/samba/smb.conf. This same smb.conf is still
> working on CentOS 7, Samba ver 4.10.16-25.el7. (Knock wood)
>
> [global]
> workgroup = MYCORP
> realm = MYCORP.AD.SOMETHING.COM
> security = ads
> kerberos method = system keytab
> log level = 8
> max log size = 5000
> log file = /var/log/samba/log.%h.%m
> template shell = /bin/bash
> idmap config MYCORP : range = 1000-2999999
> idmap config MYCORP : backend = ad
> idmap config MYCORP : schema_mode = rfc2307
> idmap config MYCORP : unix_primary_group = yes
> idmap config MYCORP : unix_nss_info = yes
> idmap config * : range = 3000000-39999999
> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> kpasswd port = 0
>
> template homedir = /home/%U@%D
>
> # Put our shares here
> include = /somedirectory/custom.conf
>
> Thanks, Jim Brand
>

Did this all start last patch Tuesday? Microsoft released a patch that stopped the 'ad' idmap backend from working, Samba released a patch the day before, see here:

https://wiki.samba.org/index.php/Samba_4.21_Features_added/changed#Important_Change_in_Upcoming_Microsoft_Update

Rowland
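
The symptom progression reported in this thread can be turned into a monitoring check, since "wbinfo -t" keeps succeeding while DC lookup and SID-to-UID mapping fail. This is an added example, not part of either message or of Samba; the function names and state names are assumptions, and the failure strings are the ones quoted in the original message.

```python
import subprocess
import sys

# Strings quoted in the original message.
DC_FAIL = "Could not get dc name for"
TRUST_OK = "via RPC calls succeeded"


def classify(getdc_out, sid2uid_out, trust_out):
    """Map the text output of the three wbinfo calls to a state name."""
    if TRUST_OK not in trust_out:
        return "trust-check-failed"
    # On success "wbinfo -S" prints only the numeric uid; anything else
    # (including WBC_ERR_DOMAIN_NOT_FOUND) means mapping is broken.
    if not sid2uid_out.strip().isdigit():
        return "mapping-failed"        # later symptom in the report
    if DC_FAIL in getdc_out or not getdc_out.strip():
        return "dc-lookup-failed"      # first symptom in the report
    return "healthy"


def run(args):
    """Run one command and return stdout and stderr as one string."""
    try:
        p = subprocess.run(args, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"probe error: {exc}"
    return p.stdout + p.stderr


def probe(domain, sid):
    """Run the three commands named in the thread and classify the result."""
    return classify(
        run(["wbinfo", "--getdcname", domain]),
        run(["wbinfo", "-S", sid]),
        run(["wbinfo", "-t"]),
    )


if __name__ == "__main__":
    # Assumed invocation: python3 winbind_probe.py MYCORP <SID of a mapped user>
    state = probe(sys.argv[1], sys.argv[2])
    print(state)
    sys.exit(0 if state == "healthy" else 1)
```

A check that relies on "wbinfo -t" alone would report the degraded servers as healthy, which is why the probe tests all three commands.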