[Samba] Replication and KCC problems on upgrade
mray at xes-inc.com
Thu Mar 14 22:25:27 UTC 2019
----- On Mar 14, 2019, at 5:10 PM, samba samba at lists.samba.org wrote:
> On Thu, 14 Mar 2019 16:56:17 -0500 (CDT)
> Mike Ray <mray at xes-inc.com> wrote:
>> ----- On Mar 1, 2019, at 9:20 AM, Mike Ray mray at xes-inc.com wrote:
>> > ----- On Mar 1, 2019, at 3:35 AM, samba samba at lists.samba.org
>> > wrote:
>> >> I wonder if this has anything to do with the 'you cannot upgrade
>> >> directly from 4.7.x to 4.9.x' bug ?
>> > I was not aware of this bug. Do you think I should scrap this
>> > upgrade and try again jumping like so? 4.0.6-12 -> 4.7 -> 4.8 -> 4.9
>> Upgrading 4.0.6-12 -> 4.7 -> 4.8 -> 4.9 got me to 4.9 without any
>> replication/ldapcmp errors.
>> However, since 4.8, domain members using winbind are unable to ID
>> wbinfo -u and wbinfo -g return just fine, but id does not. It seems
>> that it cannot resolve SIDs though:
>> wbinfo -S <sid>
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid <sid> to uid
>> My setup ran on 4.7 without issue.
> Well it might have, but it isn't correct ;-)
>> netbios name = mray5
>> realm = TEST.REALM
>> workgroup = TEST
>> preferred master = no
>> security = ADS
>> encrypt passwords = yes
>> log level = 3
>> log file = /var/log/samba/%I
>> max log size = 50
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind offline logon = Yes
>> idmap config * : range = 3000 - 4000
>> idmap config * : backend = tdb
>> idmap config TEST : schema_mode = rfc2307
>> idmap config TEST : backend = ad
>> idmap config TEST : range = 9000 - 12000
> Okay to here
>> idmap config TEST : readonly = yes
>> idmap config TEST : default = yes
> I don't recognise those two lines and they are not in 'man idmap_ad'
>> idmap cache time = 604800
>> idmap negative cache time = 604800
>> winbind cache time = 604800
>> template shell = /bin/bash
>> template homedir = /home/%U
>> winbind nss info = rfc2307
> The line above has been replaced by:
> idmap config TEST : unix_nss_info = yes
>> usershare path =
I missed those changes in the upgrade notes.
I removed those two unknown lines and switched the "winbind nss info" to the new proper format.
After restarting winbind, I was able to ID users!
Thank you very much for the assistance!
More information about the samba