[Samba] Corrupted idmap...

[Rowland Penny]

On Fri, 13 Jan 2017 12:46:27 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> OK, I noticed that also, but why does everything return
> NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U
> adminnamehere" on the DC itself, I get the error. At this point we are
> looking at erasing every workstation, wiping the DC, and starting from
> scratch. It has been a week and not even rolling back to 4.4 fixed it.
> What should my next steps be? I attached the server configuration file
> for reference. Note that it has run this way for a year without a
> hitch and nothing has been changed since day 1.
> 
> # Global parameters
> [global]
>         workgroup = TRUEVINE
>         realm = TRUEVINE.LAN
>         netbios name = DC01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         idmap config *:backend = tdb
>         idmap config *:range = 2001-10000
>         idmap config TRUEVINE:backend = ad
>         idmap config TRUEVINE:schema_mode = rfc2307
>         idmap config TRUEVINE:range = 10001-20000
>         domain master = yes
>         local master = yes
>         preferred master = yes
>         os level = 255
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/truevine.lan/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 

Now I have seen your smb.conf, I think I can tell you why you are
getting 'NT_STATUS_INVALID_SID'

You have 'idmap config' lines, these do nothing on a DC, or rather they
did nothing until 4.5.0, now they cause errors, so I would remove them.
I would also remove the 'master' lines and the 'os' line.

When 4.6.0 comes out, it is my understanding that you will not have this
problem, Samba will flat out refuse to start if you have the idmap
lines in smb.conf ;-)

Rowland