[Samba] canonicalize_connect_path failed for service

Rowland Penny rpenny at samba.org
Mon Apr 23 10:48:11 UTC 2018

On Mon, 23 Apr 2018 20:09:50 +1000
Rob Thoman <emailthomasrob at gmail.com> wrote:

> Hi Rowland,
> We did the classicupgrade. Post the classicupgrade, we added a Windows
> 2008R2 server and dcpomo'd it.  The original Samba box (classic DC)

It is the 'classic DC' that is throwing me, do you mean the original
PDC, or are you referring to the Samba AD DC that .classicupgrade'
produces ? if it is a PDC, then yes, turn it off or turn it into a Unix
domain member. If it is a Samba AD DC, then please stop using the term
'classic DC' because it is confusing.

> was where we did the classicupgrade.  Did you mean that we need to
> shut that box down? Leaving a Windows DC  (FSMO?) and Samba member
> server? Sorry I was not aware of this step.  What if we hadn't added
> a Windows 08 box?

A Samba AD DC is just an AD DC, just as a Windows AD DC is just an AD

I have reorganised the [global] part of your smb.conf and added

# Global parameters
       netbios name = CDR-FS01
       security = ADS
       workgroup = CDR
       realm = CDR.INTERNAL

       winbind use default domain = yes
       winbind enum users = yes
       winbind enum groups = yes

You do not need the above two lines, they do two things:
They make 'getent passwd' & 'getent group' show all records, this isn't
They slow things down.

       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       idmap config CDR:backend = ad
       idmap config CDR:schema_mode = rfc2307
       idmap config CDR:range = 5000-6000

The ranges cannot overlap.
Do your users & groups have uidNumber & gidNumber attributes
containing numbers inside the '3000-7999' or '5000-6000' ranges ?
Based on what the user & group numbers are, will give you what the
range for 'CDR' should be. The '*' domain is for the Well Known SIDS
and anything outside the 'CDR' domain.

Also the 'idmap config' lines for 'CDR' may be incorrect, depending on
what version of Samba you are using, can I suggest you read this wiki

        log level = 2 auth:5
        log file = /var/log/samba/sambalog.%m
        logon script = %U.bat

You don't use 'logon script' with AD, you just put the script in


More information about the samba mailing list