[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Sat Jan 14 16:17:57 UTC 2017


Rowland, I commented out what you asked me to, no change.

# Global parameters
[global]
        workgroup = TRUEVINE
        realm = TRUEVINE.LAN
        netbios name = DC01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbi$
#       idmap_ldb:use rfc2307 = yes
#       idmap config *:backend = tdb
#       idmap config *:range = 2001-10000
#       idmap config TRUEVINE:backend = ad
#       idmap config TRUEVINE:schema_mode = rfc2307
#       idmap config TRUEVINE:range = 10001-20000
#       domain master = yes
#       local master = yes
#       preferred master = yes
#       os level = 255

[netlogon]
        path = /var/lib/samba/sysvol/truevine.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Results:
root@dc01:~# nano -w /etc/samba/smb.conf
root@dc01:~# service samba4 stop
[ ok ] Stopping Samba AD DC daemon: samba.
root@dc01:~# service samba4 start
[ ok ] Starting Samba AD DC daemon: samba.
root@dc01:~# smbclient -L \\localhost -U administrator
Enter administrator's password:
session setup failed: NT_STATUS_INVALID_SID
root@dc01:~#

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/13/2017 01:07 PM, Rowland Penny via samba wrote:
> On Fri, 13 Jan 2017 12:46:27 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> 
>> OK, I noticed that also, but why does everything return
>> NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U
>> adminnamehere" on the DC itself, I get the error. At this point we are
>> looking at erasing every workstation, wiping the DC, and starting from
>> scratch. It has been a week and not even rolling back to 4.4 fixed it.
>> What should my next steps be? I attached the server configuration file
>> for reference. Note that it has run this way for a year without a
>> hitch and nothing has been changed since day 1.
>>
>> # Global parameters
>> [global]
>>         workgroup = TRUEVINE
>>         realm = TRUEVINE.LAN
>>         netbios name = DC01
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         idmap_ldb:use rfc2307 = yes
>>         idmap config *:backend = tdb
>>         idmap config *:range = 2001-10000
>>         idmap config TRUEVINE:backend = ad
>>         idmap config TRUEVINE:schema_mode = rfc2307
>>         idmap config TRUEVINE:range = 10001-20000
>>         domain master = yes
>>         local master = yes
>>         preferred master = yes
>>         os level = 255
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/truevine.lan/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
> 
> Now I have seen your smb.conf, I think I can tell you why you are
> getting 'NT_STATUS_INVALID_SID'
> 
> You have 'idmap config' lines, these do nothing on a DC, or rather they
> did nothing until 4.5.0, now they cause errors, so I would remove them.
> I would also remove the 'master' lines and the 'os' line.
> 
> When 4.6.0 comes out, it is my understanding that you will not have this
> problem, Samba will flat out refuse to start if you have the idmap
> lines in smb.conf ;-)
> 
> Rowland
>  
> 
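
A lint for the condition described in the quoted reply above, added here as an example (not code from the thread or from Samba): it reports active `idmap config`, master and `os level` lines in `[global]` when `server role` is the DC role string shown on this page. The function name `lint_dc_conf` and the sample text are constructed for illustration; only that one role string is recognised.

```python
import re

# Parameters the reply above says to remove from a DC's smb.conf
# (stored normalised: lower case, whitespace removed).
MASTER_AND_OS = {"domainmaster", "localmaster", "preferredmaster", "oslevel"}
DC_ROLE = "active directory domain controller"  # the role string used on this page


def _norm(name):
    # smb.conf ignores case and whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()


def lint_dc_conf(text):
    """Return (is_dc, findings); findings are (line_no, parameter) tuples."""
    section, is_dc, findings = None, False, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented out, so not active
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = _norm(name)
        if key == "serverrole":
            is_dc = " ".join(value.lower().split()) == DC_ROLE
        elif key.startswith("idmapconfig") or key in MASTER_AND_OS:
            findings.append((no, " ".join(name.split())))
    return is_dc, (findings if is_dc else [])


# Constructed sample: an excerpt of the [global] section quoted in this thread.
SAMPLE = """\
[global]
        workgroup = TRUEVINE
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config *:backend = tdb
        idmap config TRUEVINE:range = 10001-20000
#       idmap config TRUEVINE:backend = ad
        preferred master = yes
        os level = 255
"""

if __name__ == "__main__":
    for line_no, param in lint_dc_conf(SAMPLE)[1]:
        print(f"line {line_no}: remove '{param}'")
```

Commented-out lines, as in the configuration at the top of this message, are treated as inactive and produce no findings.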


