[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC

Rowland Penny rpenny at samba.org
Fri Aug 24 19:31:41 UTC 2018


On Fri, 24 Aug 2018 21:07:54 +0200
Waishon via samba <samba at lists.samba.org> wrote:

> If it's important, here's the DC-Provision log too:
> 
> service-samba-dc                      | Looking up IPv4 addresses
> service-samba-dc                      | More than one IPv4 address found. Using 192.168.188.2
> service-samba-dc                      | Looking up IPv6 addresses
> service-samba-dc                      | No IPv6 address will be assigned
> service-samba-dc                      | Setting up share.ldb
> service-samba-dc                      | Setting up secrets.ldb
> service-samba-dc                      | Setting up the registry
> service-samba-dc                      | Setting up the privileges database
> service-samba-dc                      | Setting up idmap db
> service-samba-dc                      | Setting up SAM db
> service-samba-dc                      | Setting up sam.ldb partitions and settings
> service-samba-dc                      | Setting up sam.ldb rootDSE
> service-samba-dc                      | Pre-loading the Samba 4 and AD schema
> service-samba-dc                      | Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
> service-samba-dc                      |
> service-samba-dc                      | Adding DomainDN: DC=subdomain,DC=domain,DC=de
> service-samba-dc                      | Adding configuration container
> service-samba-dc                      | Setting up sam.ldb schema
> service-samba-dc                      | Setting up sam.ldb configuration data
> service-samba-dc                      | Setting up display specifiers
> service-samba-dc                      | Modifying display specifiers and extended rights
> service-samba-dc                      | Adding users container
> service-samba-dc                      | Modifying users container
> service-samba-dc                      | Adding computers container
> service-samba-dc                      | Modifying computers container
> service-samba-dc                      | Setting up sam.ldb data
> service-samba-dc                      | Setting up well known security principals
> service-samba-dc                      | Setting up sam.ldb users and groups
> service-samba-dc                      | Setting up self join
> service-samba-dc                      | Adding DNS accounts
> service-samba-dc                      | Creating CN=MicrosoftDNS,CN=System,DC=subdomain,DC=domain,DC=de
> service-samba-dc                      | Creating DomainDnsZones and ForestDnsZones partitions
> service-samba-dc                      | Populating DomainDnsZones and ForestDnsZones partitions
> service-samba-dc                      | Setting up sam.ldb rootDSE marking as synchronized
> service-samba-dc                      | Fixing provision GUIDs
> service-samba-dc                      | A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> service-samba-dc                      | Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> service-samba-dc                      | Setting up fake yp server settings
> service-samba-dc                      | Once the above files are installed, your Samba AD server will be ready to use
> service-samba-dc                      | Server Role:           active directory domain controller
> service-samba-dc                      | Hostname:              DC-1
> service-samba-dc                      | NetBIOS Domain:        REALM
> service-samba-dc                      | DNS Domain:            subdomain.domain.de
> service-samba-dc                      | DOMAIN SID:            S-1-5-21-2386618402-376715021-633914752
> 
> 
> 2018-08-24 20:54 GMT+02:00, Waishon <waishon009 at gmail.com>:
> > Hello,
> >
> > I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller.
> > Both are installed from the Debian Unstable Sources.
> > I've set up some scripts that allow me to provision the latest
> > samba-version for testing purposes on two VMs. The following
> > configs were working absolutely fine when provisioning a Samba-DC
> > version 4.7.3 and I was able to do profile roaming, but since the
> > DC is version 4.8.4 the following error occurs:
> >
> > After provisioning the samba-dc as described in the Samba-Wiki I
> > installed the samba-fileserver on a separate VM and tried to join
> > it to the DC using "net ads join <REALM>". That works absolutely
> > fine and wbinfo --ping-dc is able to reach the DC. The SID -> UID
> > Mapping using nsswitch also works without any problems.
> >
> > [global]
> > security = ADS
> > workgroup = schule
> > realm = subdomain.domain.de
> > log file = /var/log/samba/%m.log
> > log level = 1
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config schule : backend = rid
> > idmap config schule : range = 100000-200000
> > winbind nss info = template
> > template shell = /bin/bash
> > template homedir = /home/%U
> > username map = /etc/samba/user.map
> >
> > Now I set up a Share for Windows Profile Roaming:
> > [Profiles]
> > comment = User profiles
> > path = /srv/profiles
> > read only = no
> > store dos attributes = Yes
> > guest ok = no
> > browseable = Yes
> > create mask = 0600
> > directory mask = 0700
> > csc policy = disable
> > valid users = @"Realm\Domain Users"
> > oplocks = no
> >

Try this, instead of yours:

[Profiles]
comment = User profiles
path = /srv/profiles
read only = no
store dos attributes = Yes
create mask = 0600
directory mask = 0700
csc policy = disable
valid users = @"SCHULE\Domain Users"
oplocks = no
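
In the suggested share above, the domain prefix in `valid users` now matches the `workgroup` value from `[global]`, where the original used `Realm`. The check below is an added example, not part of the original message or of Samba: it flags access-list parameters whose `DOMAIN\` prefix differs from the configured workgroup. The sample config is constructed from the settings quoted in the thread, and the `[Fixed]` share name is hypothetical.

```python
import re

# Constructed sample based on the settings quoted in the thread.
# [Profiles] carries the original prefix, [Fixed] (hypothetical name) the suggested one.
SAMPLE_CONF = r'''
[global]
security = ADS
workgroup = schule
realm = subdomain.domain.de

[Profiles]
path = /srv/profiles
valid users = @"Realm\Domain Users"

[Fixed]
path = /srv/profiles
valid users = @"SCHULE\Domain Users"
'''

# smb.conf parameters that take lists of users or groups.
PRINCIPAL_PARAMS = {"valid users", "invalid users", "read list",
                    "write list", "admin users"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, space-normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def mismatched_principals(text):
    """List (section, param, domain) whose DOMAIN prefix is not the workgroup."""
    conf = parse_smb_conf(text)
    workgroup = conf.get("global", {}).get("workgroup", "").upper()
    findings = []
    for section, params in conf.items():
        for param in PRINCIPAL_PARAMS & params.keys():
            # Capture the text before each backslash, skipping @ + & and quotes.
            for domain in re.findall(r'[@+&]*"?([^\s"\\,@+&]+)\\', params[param]):
                if domain.upper() != workgroup:  # domain names compare case-insensitively
                    findings.append((section, param, domain))
    return sorted(findings)
```
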


