[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC

Waishon waishon009 at gmail.com
Fri Aug 24 20:06:01 UTC 2018


Hi,

Thanks for your suggestions. Do you think this causes the stacktrace
above? I just added "REALM" as a placeholder and it worked on a DC that
was provisioned using Samba 4.7.3 and upgraded afterwards to Samba 4.8.4
absolutely fine with this config, and the command "samba-tool ntacl get
/srv/profiles" returns the correct ACLs of this directory.

If I interpret this correctly, it seems that the Fileserver is unable to
find the DomainSID. Normally the command "ntacl get" should return the ACLs
and not that stacktrace, shouldn't it :)

Thanks in advance!

On Friday, 24 August 2018, Rowland Penny via samba wrote:

> On Fri, 24 Aug 2018 21:07:54 +0200
> Waishon via samba <samba at lists.samba.org> wrote:
>
> > If it's important, here's the DC-Provision log too:
> >
> > service-samba-dc                      | Looking up IPv4 addresses
> > service-samba-dc                      | More than one IPv4 address found. Using 192.168.188.2
> > service-samba-dc                      | Looking up IPv6 addresses
> > service-samba-dc                      | No IPv6 address will be assigned
> > service-samba-dc                      | Setting up share.ldb
> > service-samba-dc                      | Setting up secrets.ldb
> > service-samba-dc                      | Setting up the registry
> > service-samba-dc                      | Setting up the privileges database
> > service-samba-dc                      | Setting up idmap db
> > service-samba-dc                      | Setting up SAM db
> > service-samba-dc                      | Setting up sam.ldb partitions and settings
> > service-samba-dc                      | Setting up sam.ldb rootDSE
> > service-samba-dc                      | Pre-loading the Samba 4 and AD schema
> > service-samba-dc                      | Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
> > service-samba-dc                      |
> > service-samba-dc                      | Adding DomainDN: DC=subdomain,DC=domain,DC=de
> > service-samba-dc                      | Adding configuration container
> > service-samba-dc                      | Setting up sam.ldb schema
> > service-samba-dc                      | Setting up sam.ldb configuration data
> > service-samba-dc                      | Setting up display specifiers
> > service-samba-dc                      | Modifying display specifiers and extended rights
> > service-samba-dc                      | Adding users container
> > service-samba-dc                      | Modifying users container
> > service-samba-dc                      | Adding computers container
> > service-samba-dc                      | Modifying computers container
> > service-samba-dc                      | Setting up sam.ldb data
> > service-samba-dc                      | Setting up well known security principals
> > service-samba-dc                      | Setting up sam.ldb users and groups
> > service-samba-dc                      | Setting up self join
> > service-samba-dc                      | Adding DNS accounts
> > service-samba-dc                      | Creating CN=MicrosoftDNS,CN=System,DC=subdomain,DC=domain,DC=de
> > service-samba-dc                      | Creating DomainDnsZones and ForestDnsZones partitions
> > service-samba-dc                      | Populating DomainDnsZones and ForestDnsZones partitions
> > service-samba-dc                      | Setting up sam.ldb rootDSE marking as synchronized
> > service-samba-dc                      | Fixing provision GUIDs
> > service-samba-dc                      | A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> > service-samba-dc                      | Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> > service-samba-dc                      | Setting up fake yp server settings
> > service-samba-dc                      | Once the above files are installed, your Samba AD server will be ready to use
> > service-samba-dc                      | Server Role:           active directory domain controller
> > service-samba-dc                      | Hostname:              DC-1
> > service-samba-dc                      | NetBIOS Domain:        REALM
> > service-samba-dc                      | DNS Domain:            subdomain.domain.de
> > service-samba-dc                      | DOMAIN SID:            S-1-5-21-2386618402-376715021-633914752
> >
> >
> > 2018-08-24 20:54 GMT+02:00, Waishon <waishon009 at gmail.com>:
> > > Hello,
> > >
> > > I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller.
> > > Both are installed from the Debian Unstable Sources.
> > > I've set up some scripts that allow me to provision the latest
> > > samba-version for testing purposes on two VMs. The following
> > > configs were working absolutely fine when provisioning a Samba-DC
> > > version 4.7.3 and I was able to do profile roaming, but since the
> > > DC is version 4.8.4 the following error occurs:
> > >
> > > After provisioning the samba-dc as described in the Samba-Wiki I
> > > installed the samba-fileserver on a separate VM and tried to join
> > > it to the DC using "net ads join <REALM>". That works absolutely
> > > fine and wbinfo --ping-dc is able to reach the DC. The SID -> UID
> > > Mapping using nsswitch also works without any problems.
> > >
> > > [global]
> > > security = ADS
> > > workgroup = schule
> > > realm = subdomain.domain.de
> > > log file = /var/log/samba/%m.log
> > > log level = 1
> > > idmap config * : backend = tdb
> > > idmap config * : range = 3000-7999
> > > idmap config schule : backend = rid
> > > idmap config schule : range = 100000-200000
> > > winbind nss info = template
> > > template shell = /bin/bash
> > > template homedir = /home/%U
> > > username map = /etc/samba/user.map
> > >
> > > Now I set up a Share for Windows Profile Roaming:
> > > [Profiles]
> > > comment = User profiles
> > > path = /srv/profiles
> > > read only = no
> > > store dos attributes = Yes
> > > guest ok = no
> > > browseable = Yes
> > > create mask = 0600
> > > directory mask = 0700
> > > csc policy = disable
> > > valid users = @"Realm\Domain Users"
> > > oplocks = no
> > >
>
> Try this, instead of yours:
>
> [Profiles]
> comment = User profiles
> path = /srv/profiles
> read only = no
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> csc policy = disable
> valid users = @"SCHULE\Domain Users"
> oplocks = no

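The reply above changes the share's `valid users` prefix from `Realm` to `SCHULE`, the name set in `workgroup`. The following is an added example, not part of the thread and not Samba code: it parses smb.conf text and reports domain prefixes in user lists, and domain names in `idmap config` lines, that differ from `workgroup`. The sample config is constructed from the settings quoted in the thread, and `check_domain_names` is a hypothetical helper name.

```python
import configparser
import re

# Constructed sample: the member-server settings quoted in the thread,
# with the original "Realm\Domain Users" entry in the share.
SAMPLE_SMB_CONF = r"""
[global]
security = ADS
workgroup = schule
realm = subdomain.domain.de
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config schule : backend = rid
idmap config schule : range = 100000-200000

[Profiles]
path = /srv/profiles
valid users = @"Realm\Domain Users"
"""

# Captures DOMAIN in entries such as @"DOMAIN\Group" or DOMAIN\user.
PRINCIPAL_DOMAIN = re.compile(r'[@+&]*"?([^"\\\s,]+)\\')
USER_LISTS = ("valid users", "invalid users", "read list",
              "write list", "admin users")


def check_domain_names(conf_text):
    """Return (section, option, name) for names that differ from 'workgroup'."""
    # '=' is the only delimiter so keys like "idmap config * : backend" survive;
    # RawConfigParser leaves Samba's %m / %U variables untouched.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    workgroup = cp.get("global", "workgroup").upper()
    findings = []
    for key in cp["global"]:
        m = re.match(r"idmap config\s+(\S+)\s*:", key)
        if m and m.group(1) != "*" and m.group(1).upper() != workgroup:
            findings.append(("global", key, m.group(1)))
    for section in cp.sections():
        for opt in USER_LISTS:
            value = cp.get(section, opt, fallback="")
            for dom in PRINCIPAL_DOMAIN.findall(value):
                if dom.upper() != workgroup:
                    findings.append((section, opt, dom))
    return findings
```
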
