[Samba] Replication and KCC problems on upgrade

Mike Ray mray at xes-inc.com
Thu Mar 14 22:25:27 UTC 2019



----- On Mar 14, 2019, at 5:10 PM, samba samba at lists.samba.org wrote:

> On Thu, 14 Mar 2019 16:56:17 -0500 (CDT)
> Mike Ray <mray at xes-inc.com> wrote:
> 
>> ----- On Mar 1, 2019, at 9:20 AM, Mike Ray mray at xes-inc.com wrote:
>> 
>> > ----- On Mar 1, 2019, at 3:35 AM, samba samba at lists.samba.org
>> > wrote:
>> >> 
>> >> I wonder if this has anything to do with the 'you cannot upgrade
>> >> directly from 4.7.x to 4.9.x' bug ?
>> > 
>> > 
>> > I was not aware of this bug. Do you think I should scrap this
>> > upgrade and try again jumping like so? 4.0.6-12 -> 4.7 -> 4.8 -> 4.9
>> >   
>> 
>> Upgrading 4.0.6-12 -> 4.7 -> 4.8 -> 4.9 got me to 4.9 without any
>> replication/ldapcmp errors.
>> 
>> However, since 4.8, domain members using winbind are unable to ID
>> users.
>> 
>> wbinfo -u and wbinfo -g return just fine, but id does not. It seems
>> that it cannot resolve SIDs though:
>> 
>> wbinfo -S <sid>
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid <sid> to uid
>> 
>> 
>> 
>> My setup ran on 4.7 without issue.
> 
> Well it might have, but it isn't correct ;-)
> 
>> 
>> [global]
>>         netbios name = mray5
>>         realm = TEST.REALM
>>         workgroup = TEST
>>         preferred master = no
>>         security = ADS
>>         encrypt passwords = yes
>>         log level = 3
>>         log file = /var/log/samba/%I
>>         max log size = 50
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         winbind use default domain = Yes
>>         winbind nested groups = Yes
>>         winbind offline logon = Yes
>>         idmap config * : range = 3000 - 4000
>>         idmap config * : backend = tdb
>>         idmap config TEST : schema_mode = rfc2307
>>         idmap config TEST : backend = ad
>>         idmap config TEST : range = 9000 - 12000
> 
> Okay to here
> 
>>         idmap config TEST : readonly = yes
>>         idmap config TEST : default = yes
> 
> I don't recognise those two lines and they are not in 'man idmap_ad'
> 
>>         idmap cache time = 604800
>>         idmap negative cache time = 604800
>>         winbind cache time = 604800
>>         template shell = /bin/bash
>>         template homedir = /home/%U
>>         winbind nss info = rfc2307
> 
> The line above has been replaced by:
>        idmap config TEST : unix_nss_info = yes
> 
>>         usershare path =
> 
> Rowland
> 

I missed those changes in the upgrade notes.

I removed those two unknown lines and switched the "winbind nss info" to the new proper format.

After restarting winbind, I was able to ID users!

Thank you very much for the assistance!
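An added example, not part of the original thread and not Samba code: a small Python check for the two problems resolved above, namely `idmap config` options the reply did not recognise on the `ad` backend domain and the old `winbind nss info` line. The allow-list is an assumption built only from this thread (the options the reply accepted plus the replacement it named), and the sample smb.conf is constructed from the quoted settings.

```python
import re

# Constructed sample: idmap-related settings quoted in the thread (abridged).
SAMPLE = """\
[global]
        idmap config * : range = 3000 - 4000
        idmap config * : backend = tdb
        idmap config TEST : schema_mode = rfc2307
        idmap config TEST : backend = ad
        idmap config TEST : range = 9000 - 12000
        idmap config TEST : readonly = yes
        idmap config TEST : default = yes
        winbind nss info = rfc2307
"""

# Assumption: allow-list taken from this thread only (options the reply
# accepted plus its named replacement), not the full idmap_ad option set.
ACCEPTED = {"range", "backend", "schema_mode", "unix_nss_info"}
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(.+)$", re.I)

def parse_global(text):
    """Yield (lineno, key, value) for each parameter in [global]."""
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            yield n, " ".join(key.split()), value.strip()

def lint(text):
    """Return (lineno, message) findings for domains using the ad backend."""
    params = list(parse_global(text))
    ad_domains = set()
    for _, key, value in params:
        m = IDMAP_RE.match(key)
        if m and m.group(2).lower() == "backend" and value.lower() == "ad":
            ad_domains.add(m.group(1).upper())
    findings = []
    for n, key, _ in params:
        m = IDMAP_RE.match(key)
        if m and m.group(1).upper() in ad_domains and m.group(2).lower() not in ACCEPTED:
            findings.append((n, f"unrecognised idmap option: {key}"))
        elif key.lower() == "winbind nss info":
            findings += [(n, f"replace with: idmap config {d} : unix_nss_info = yes") for d in sorted(ad_domains)]
    return findings
```

Calling `lint(SAMPLE)` reports the two flagged lines and the replacement for `winbind nss info`; the same text with the changes described in the message applied returns no findings.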


