[Samba] Warning messages when provisioning an ADDC

Thomas Geppert t.geppert at t-online.de
Fri Feb 5 14:45:13 UTC 2021

Thank you guys for looking at this.

On 05/02/2021 11:39, Rowland penny via samba wrote:
> However these numbers are appearing during a provision and surely at 
> this point all the ID numbers are in the '3000000' range, so where are 
> the '30000' numbers coming from ?

Sorry, I didn't tell the whole story. To fit the uids and gids into the default mapping range of an unprivileged container I also had to set
lowerBound: 30000
upperBound: 65533
in idmap_init.ldif.
I didn't want to enlarge the allowed mapping range for the Linux container because I won't have that many uids and gids.

On 05/02/2021 11:06, Ralph Boehme via samba wrote:
> the module does a getgrgid() call on those ids and apparently nsswitch doesn't know about those ids. Do you have winbind in nsswitch.conf? 
> Fwiw, I have no idea if that is sensible on an AD DC... :)
> Having said that, when the mapping fails the full NT ACL will not be stored correctly, so this likely means your AD DC setup is screwed. What does samba-tool ntacl sysvolcheck/sysvolreset have to say on this?

"samba-tool ntacl sysvolcheck" did throw an exception:
ERROR(<class 'TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 446, in run
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1885, in checksysvolacl
    fsacl = getntacl(lp, dir_path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/ntacls.py", line 121, in getntacl

and "samba-tool ntacl sysvolreset" issued the same "Unknown gid" warnings as the provisioning script.
However, after adding winbind to the passwd and group entries in /etc/nsswitch.conf, the sysvolreset completes without any messages, but the sysvolcheck is still not happy and throws the exception.

The error message seems to indicate that it's expecting to find an NTACL where there is none. Any idea why?
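
The range constraint described in this message can be checked mechanically. The following is an added example, not part of the original post or of Samba: it parses the kernel's uid_map/gid_map format and reports which ids of an idmap range have no mapping inside the container's user namespace. The sample map line and the 3000000-4000000 range are constructed assumptions; 30000-65533 is the range given in the message.

```python
"""Check that an idmap range is fully mapped inside a user namespace (added example)."""

# Constructed sample: one extent mapping container ids 0..65535 to host ids 100000..165535.
SAMPLE_MAP = "         0     100000      65536\n"


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, count) tuples."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        extents.append(tuple(int(f) for f in fields))
    return extents


def unmapped_ids(extents, lower, upper):
    """Return the sub-ranges of [lower, upper] (inclusive) that the namespace does not map."""
    gaps = []
    cursor = lower
    for inside, _outside, count in sorted(extents):
        end = inside + count - 1
        if end < cursor:
            continue  # extent lies entirely below the part still to be covered
        if inside > upper:
            break  # extent lies entirely above the range
        if inside > cursor:
            gaps.append((cursor, inside - 1))
        cursor = end + 1
        if cursor > upper:
            break
    if cursor <= upper:
        gaps.append((cursor, upper))
    return gaps


if __name__ == "__main__":
    for name in ("uid_map", "gid_map"):
        try:
            with open("/proc/self/" + name) as handle:
                text = handle.read()
        except OSError:
            text = SAMPLE_MAP  # fall back to the constructed sample off Linux
        # lowerBound/upperBound as set in idmap_init.ldif in the message above
        gaps = unmapped_ids(parse_id_map(text), 30000, 65533)
        print(name, "fully mapped" if not gaps else "unmapped: %s" % gaps)
```
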

