[Samba] Warning messages when provisioning an ADDC

Ralph Boehme slow at samba.org
Fri Feb 5 11:06:33 UTC 2021


On 2/5/21 at 11:54 AM, Thomas Geppert via samba wrote:
> I've installed and provisioned a Samba ADDC in an unprivileged Linux
> container. The details can be found in my post "Samba AD DC in an
> unprivileged lxc revisited".

...which was a flabbergasting read! Well done, albeit I fear there are 
still some problems due to the idmapping issue you're seeing.

> The ADDC seems to work properly but there is one detail that still bothers
> me. In the output of samba-tool were the following warnings:
> INFO 2021-02-02 19:51:42,853 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py
> #1592: Setting up self join
> Repacking database from v1 to v2 format (first record
> CN=dhcp-Properties,CN=Schema,CN=Configuration,DC=....,DC=....,DC=....)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=mSMQMigratedUser-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=
> ....,DC=....,DC=....)
> Repacking database from v1 to v2 format (first record
> CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP
> Security,CN=System,DC=.....,DC=....,DC=....)map_smb4_to_nfs4_id: Unknown gid
> [30000]
> map_smb4_to_nfs4_id: Unknown gid [30001]
> map_smb4_to_nfs4_id: Unknown gid [30002]
> ....
> map_smb4_to_nfs4_id: Unknown gid [30003]
> map_smb4_to_nfs4_id: Unknown gid [30007]
> INFO 2021-02-02 19:51:45,498 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
> #1143: Adding DNS accounts
> INFO 2021-02-02 19:51:45,517 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
> #1177: Creating
> CN=MicrosoftDNS,CN=System,DC=....,DC=....,DC=....
> 
> Can someone shed a light on what's causing these "Unknown gid" messages and
> what it could mean for the operation of the ADDC ?

The module does a getgrgid() call on those ids and apparently nsswitch 
doesn't know about those ids. Do you have winbind in nsswitch.conf? 
Fwiw, I have no idea if that is sensible on an AD DC... :)

Having said that, when the mapping fails the full NT ACL will not be 
stored correctly, so this likely means your AD DC setup is screwed. What 
does samba-tool ntacl sysvolcheck/sysvolreset have to say on this?

Cheers!
-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
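
An added example, not part of the original message or of Samba's code: a way to repeat the getgrgid() lookup described above for every gid named in the provisioning warnings, using Python's `grp` module, which resolves through the same NSS configuration. The function names and the sample log are constructed for illustration.

```python
import grp
import re

# Constructed sample modeled on the warnings quoted in the thread, including
# the "> " quoting and the line wrap between "gid" and "[30000]".
SAMPLE_LOG = """\
> Security,CN=System,DC=example,DC=com)map_smb4_to_nfs4_id: Unknown gid
> [30000]
> map_smb4_to_nfs4_id: Unknown gid [30001]
> map_smb4_to_nfs4_id: Unknown gid [30001]
> map_smb4_to_nfs4_id: Unknown gid [30007]
> INFO 2021-02-02 19:51:45,498 pid:942 sambadns.py #1143: Adding DNS accounts
"""

WARNING_RE = re.compile(r"map_smb4_to_nfs4_id:\s+Unknown\s+gid\s+\[(\d+)\]")


def extract_gids(text):
    """Return the sorted, de-duplicated gids named in 'Unknown gid' warnings."""
    # Drop mail quote markers so wrapped warnings match across line breaks.
    unquoted = re.sub(r"^(?:>[ \t]?)+", "", text, flags=re.MULTILINE)
    return sorted({int(m.group(1)) for m in WARNING_RE.finditer(unquoted)})


def nss_status(gids, lookup=grp.getgrgid):
    """Map each gid to its group name via NSS, or None if NSS has no entry."""
    status = {}
    for gid in gids:
        try:
            status[gid] = lookup(gid).gr_name
        except KeyError:  # grp.getgrgid raises KeyError for an unknown gid
            status[gid] = None
    return status


def report(text, lookup=grp.getgrgid):
    """Return one line per gid saying whether getgrgid() can resolve it."""
    lines = []
    for gid, name in nss_status(extract_gids(text), lookup).items():
        verdict = f"resolves to {name!r}" if name else "NOT known to NSS"
        lines.append(f"gid {gid}: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it inside the container with the real samba-tool output in place of `SAMPLE_LOG`; the `lookup` parameter exists only so the logic can be exercised without depending on the host's group database.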
