[Samba] Warning messages when provisioning an ADDC

Rowland Penny rpenny at samba.org
Fri Feb 5 11:39:50 UTC 2021


On 05/02/2021 11:06, Ralph Boehme via samba wrote:
> Am 2/5/21 um 11:54 AM schrieb Thomas Geppert via samba:
>> I've installed and provisioned a Samba ADDC in an unprivileged Linux
>> container. The details can be found in my post "Samba AD DC in an
>> unprivileged lxc revisited".
>
> ...which was a flabbergasting read! Well done, albeit I fear there are
> still some problems due to the idmapping issue you're seeing.
>
>> The ADDC seems to work properly but there is one detail that still bothers
>> me. In the output of samba-tool were the following warnings:
>> INFO 2021-02-02 19:51:42,853 pid:942
>> /usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py
>> #1592: Setting up self join
>> Repacking database from v1 to v2 format (first record
>> CN=dhcp-Properties,CN=Schema,CN=Configuration,DC=....,DC=....,DC=....)
>> Repack: re-packed 10000 records so far
>> Repacking database from v1 to v2 format (first record
>> CN=mSMQMigratedUser-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=....,DC=....,DC=....)
>> Repacking database from v1 to v2 format (first record
>> CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,DC=.....,DC=....,DC=....)map_smb4_to_nfs4_id: Unknown gid [30000]
>> map_smb4_to_nfs4_id: Unknown gid [30001]
>> map_smb4_to_nfs4_id: Unknown gid [30002]
>> ....
>> map_smb4_to_nfs4_id: Unknown gid [30003]
>> map_smb4_to_nfs4_id: Unknown gid [30007]
>> INFO 2021-02-02 19:51:45,498 pid:942
>> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
>> #1143: Adding DNS accounts
>> INFO 2021-02-02 19:51:45,517 pid:942
>> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
>> #1177: Creating
>> CN=MicrosoftDNS,CN=System,DC=....,DC=....,DC=....
>>
>> Can someone shed a light on what's causing these "Unknown gid" messages and
>> what it could mean for the operation of the ADDC?
>
> the module does a getgrgid() call on those ids and apparently nsswitch 
> doesn't know about those ids. Do you have winbind in nsswitch.conf? 
> Fwiw, I have no idea if that is sensible on an AD DC... :)


Whilst it isn't recommended to use a DC for other than authentication, 
you can set winbind in the passwd & group lines in /etc/nsswitch. 
However these numbers are appearing during a provision and surely at 
this point all the ID numbers are in the '3000000' range, so where are
the '30000' numbers coming from?

Rowland
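
Added example, not part of the original message and not Samba's own code: a small triage script for the warnings discussed in this thread. It pulls the gids out of `map_smb4_to_nfs4_id: Unknown gid [N]` lines, repeats the getgrgid() lookup through NSS, and flags whether each gid is at or above 3000000, the range start named in the reply. The sample log, the function names and the constant name are constructed for illustration.

```python
import grp
import re

# Constructed sample, shaped like the provision output quoted in the thread.
SAMPLE_LOG = """\
Security,CN=System,DC=example,DC=com)map_smb4_to_nfs4_id: Unknown gid [30000]
map_smb4_to_nfs4_id: Unknown gid [30001]
map_smb4_to_nfs4_id: Unknown gid [30001]
map_smb4_to_nfs4_id: Unknown gid [3000002]
"""

# No line anchor: the first warning in the thread is fused onto the previous line.
UNKNOWN_GID = re.compile(r"map_smb4_to_nfs4_id: Unknown gid \[(\d+)\]")

# Start of the ID range the reply expects during a provision (assumption taken
# from the thread's '3000000' figure, not read from any Samba configuration).
PROVISION_RANGE_START = 3000000


def nss_group_name(gid):
    """Return the group name NSS resolves for gid, or None on a getgrgid() miss."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def unknown_gids(log_text):
    """Distinct gids from the warnings, in order of first appearance."""
    seen = []
    for match in UNKNOWN_GID.finditer(log_text):
        gid = int(match.group(1))
        if gid not in seen:
            seen.append(gid)
    return seen


def triage(log_text, resolve=nss_group_name):
    """One row per warned gid: what NSS says now, and which range it falls in."""
    return [
        {"gid": gid,
         "nss_name": resolve(gid),
         "in_provision_range": gid >= PROVISION_RANGE_START}
        for gid in unknown_gids(log_text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run inside the container against the saved samba-tool output, a gid that still has no `nss_name` is one nsswitch cannot resolve there, and `in_provision_range` separates the '30000' values from IDs in the '3000000' range.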





