[Samba] migrating NT-style domain SID-error

Mon May 14 15:37:23 UTC 2018

Hello,

after migrating a samba NT-style domain from Samba 4.2.14-debian (debian
8.10) to samba 4.5.12-debian (debian 9.4)
We copied all tdb-files to the new machine plus the smb.conf plus
/etc/group. The old Samba has tdbsam as backend.
we use the same domain and hostname on the new DC as it was set on the
old system.
We are using bind9 as DNS-backend in the new system.
The "samba-tool clasicupgrade" was running without errormessages. DNS
ist running. We can resolve all host- and
service-records. We get a list of all users and groups with "wbinfo -u"
and "wbinfo -g". We changed nsswitch.conf
to:
---------
passwd:         compat winbind
group:          compat winbind
---------
The package libnss-winbind and libpam-winbind are installed, but we got
no output with "getent passwd <user>".
Then we tried:
------------
root at addc:~# wbinfo -n user
S-1-5-21-2513443738-1937210514-736184894-1173 SID_USER (1)

root at addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-1173
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-1173 to uid
------------
As you can see it is not possible to get a UID for a migrated user. Then
we tested the same with the users krbtgt and
administrator and we got the following result:
-----------
root at addc:~# wbinfo -n krbtgt
S-1-5-21-2513443738-1937210514-736184894-502 SID_USER (1)

root at addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-502
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-502 to uid

root at addc:~# wbinfo -n administrator
S-1-5-21-2513443738-1937210514-736184894-500 SID_US

root at addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-500
0
-----------

We could not get an output from "smbclient -L hostname" we got the
following errormessage:
----------
root at addc:~# smbclient -L addc
Enter root's password:
session setup failed: NT_STATUS_INVALID_SID
----------
With a higer debug-level we got the follwing message ad the end:
----------
root at addc:~# smbclient -L addc -d 10
.
.
.
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

----------

Then we checked the local sid for the DC and get the following result:
----------
root at addc:~# net getlocalsid
Can't fetch domain SID for name: ADDC
----------

But we get the domain-SID:
----------
root at addc:~# net getdomainsid
SID for domain EXAMPLE is: S-1-5-21-2513443738-1937210514-736184894
----------

What we found:
In secrets.tdb (old Samba) is the hostname of the PDC different to the
hostname given by the command "hostname". We checked
with "net getlocalsid" the sid on the old system and got exactly the
same result as we got on the new Samba4-ADDC.
I think that someone has changed the hostname and created the problem.
Then we took the old hostname (the one we found in
secrets.tdb) as the new hostname and NetBIOS-Name and try to migrate,
but with the same result :-(.

Any hint what we can do or where we could look. Setting up a new domain
can't be the solution, to many users to many hosts
and to many profiles on windows-clients.

Thanks for any usefull help

Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180514/dcfb2b23/signature.sig>