[Samba] Corrupted idmap...
Rowland Penny
rpenny at samba.org
Sat Jan 14 16:40:06 UTC 2017
On Sat, 14 Jan 2017 11:17:57 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:
> Rowland, I commented out what you asked me to, no change.
>
> # Global parameters
> [global]
> workgroup = TRUEVINE
> realm = TRUEVINE.LAN
> netbios name = DC01
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbi$
> # idmap_ldb:use rfc2307 = yes
> # idmap config *:backend = tdb
> # idmap config *:range = 2001-10000
> # idmap config TRUEVINE:backend = ad
> # idmap config TRUEVINE:schema_mode = rfc2307
> # idmap config TRUEVINE:range = 10001-20000
> # domain master = yes
> # local master = yes
> # preferred master = yes
> # os level = 255
>
> [netlogon]
> path = /var/lib/samba/sysvol/truevine.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Results:
> root at dc01:~# nano -w /etc/samba/smb.conf
> root at dc01:~# service samba4 stop
> [ ok ] Stopping Samba AD DC daemon: samba.
> root at dc01:~# service samba4 start
> [ ok ] Starting Samba AD DC daemon: samba.
> root at dc01:~# smbclient -L \\localhost -U administrator
> Enter administrator's password:
> session setup failed: NT_STATUS_INVALID_SID
> root at dc01:~#
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 01/13/2017 01:07 PM, Rowland Penny via samba wrote:
> > On Fri, 13 Jan 2017 12:46:27 -0500
> > Ryan Ashley via samba <samba at lists.samba.org> wrote:
> >
> >> OK, I noticed that also, but why does everything return
> >> NT_STATUS_INVALID_SID? Even if I run "smbclient -L \\localhost -U
> >> adminnamehere" on the DC itself, I get the error. At this point we
> >> are looking at erasing every workstation, wiping the DC, and
> >> starting from scratch. It has been a week and not even rolling
> >> back to 4.4 fixed it. What should my next steps be? I attached the
> >> server configuration file for reference. Note that it has run this
> >> way for a year without a hitch and nothing has been changed since
> >> day 1.
> >>
> >> # Global parameters
> >> [global]
> >> workgroup = TRUEVINE
> >> realm = TRUEVINE.LAN
> >> netbios name = DC01
> >> server role = active directory domain controller
> >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> drepl, winbindd, ntp_signd, kcc, dnsupdate
> >> idmap_ldb:use rfc2307 = yes
> >> idmap config *:backend = tdb
> >> idmap config *:range = 2001-10000
> >> idmap config TRUEVINE:backend = ad
> >> idmap config TRUEVINE:schema_mode = rfc2307
> >> idmap config TRUEVINE:range = 10001-20000
> >> domain master = yes
> >> local master = yes
> >> preferred master = yes
> >> os level = 255
> >>
> >> [netlogon]
> >> path = /var/lib/samba/sysvol/truevine.lan/scripts
> >> read only = No
> >>
> >> [sysvol]
> >> path = /var/lib/samba/sysvol
> >> read only = No
> >>
> >
> > Now I have seen your smb.conf, I think I can tell you why you are
> > getting 'NT_STATUS_INVALID_SID'
> >
> > You have 'idmap config' lines, these do nothing on a DC, or rather
> > they did nothing until 4.5.0, now they cause errors, so I would
> > remove them. I would also remove the 'master' lines and the 'os'
> > line.
> >
> > When 4.6.0 comes out, it is my understanding that you will not have
> > this problem, Samba will flat out refuse to start if you have the
> > idmap lines in smb.conf ;-)
> >
> > Rowland
> >
> >
>
Put 'idmap_ldb:use rfc2307 = yes' back, you need it. The idmap lines I
was referring to start with 'idmap config'.

Run 'net cache flush'.

Ensure the libnss_winbind links exist, the 'passwd' & 'group' lines
in /etc/nsswitch.conf contain 'winbind' and PAM is set up correctly.

It may also help if you restart the DC.

Rowland
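
The configuration checks from the reply above, written as a small linter. This is an added example, not part of the original post and not Samba's own code; the function names are hypothetical, the smb.conf sample is abridged from the thread, and the nsswitch.conf sample is constructed.

```python
import re

# Parameters the thread says to drop on a DC: 'idmap config' lines, 'master' lines, 'os' line.
REMOVE = ("domain master", "local master", "preferred master", "os level")
NEEDED = "idmap_ldb:use rfc2307"  # the parameter the reply says to put back

def lint_dc_smb_conf(text):
    """Return (line_no, message) findings for [global]; line_no 0 means 'missing'."""
    findings, section, params = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # commented-out parameters are inactive
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[key] = value.strip().lower()
        if key.startswith("idmap config ") or key in REMOVE:
            findings.append((no, f"remove '{key}'"))
    if params.get("server role") != "active directory domain controller":
        return []  # the thread's advice is about DCs only
    if params.get(NEEDED) != "yes":
        findings.append((0, f"'{NEEDED} = yes' is not set"))
    return findings

def nsswitch_missing_winbind(text):
    """Return which of passwd/group lack 'winbind' in nsswitch.conf text."""
    sources = {}
    for raw in text.splitlines():
        db, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep:
            sources[db.strip()] = rest.split()
    return [db for db in ("passwd", "group") if "winbind" not in sources.get(db, [])]

# Abridged from the smb.conf quoted in the thread.
SMB_CONF = """[global]
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config TRUEVINE:backend = ad
os level = 255
"""
NSSWITCH = "passwd: compat\ngroup: compat winbind\n"  # constructed sample

if __name__ == "__main__":
    print(lint_dc_smb_conf(SMB_CONF), nsswitch_missing_winbind(NSSWITCH))
```

On a real DC, pass the contents of /etc/samba/smb.conf and /etc/nsswitch.conf to the two functions; the libnss_winbind links and PAM setup mentioned in the reply are not covered.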