[Samba] nt4/sssd to AD/winbind migration fail

Mon Jan 18 22:11:12 UTC 2021

I had an LMDE2 NT4 domain member using Samba 4.2.x with SSSD.  I 
upgraded LMDE to version 3 then 4 which brings me up to Samba 4.9.5, as 
LMDE4 is based on Debian Buster.  All SSSD packages were purged, as well 
as a Heimdal kerberos package.  I attempted to add Louis' repo, but when 
the dist-upgrade was run, the process wanted to remove a GUI text editor 
that I didn't want to lose; therefore, I stayed at 4.9.5.

The issue I am having is that samba is still seeing the old domain, 
causing it to ignore my idmap_ad range for the domain and giving users a 
value in the built-in range.  In fact, testparm tells me that I have an 
invalid domain range for the new domain:

idmap range not specified for domain 'old_domain'
ERROR: Invalid idmap range for domain WORKGROUP!

These ranges work perfectly well is a previously migrated Debian server.

I followed the wiki and successfully did all the tests as I went along.  
The old tdb files were removed where told.  I've compared the configs to 
an already migrated Debian Bullseye running Samba 4.13.3, and they match up.

LMDE4 uses resolvconf, which was handled by editing the file 
/etc/resolvconf/resolv.conf.d/base to contain the lines normally found 
in /etc/resolv.conf.  It appears to be working, as the output of Louis' 
debug info script shows correct resolv.conf values as generated by 
resolvconf.

I've run out of ideas as to where the old domain information is hiding.

One last thing - when I ran pam-auth-update to add kerberos 
authentication to PAM, I noticed there are a lot more values in the 
output when compared to command-line Debian.

Both have the lines:

Kerberos authentication
Unix authentication
Winbind NT/Active Directory authentication
Register user sessions in the systemd control group
Create home directory on login

LMDE4 has the extra lines of:

GNOME Keyring Daemon - Login Keyring management
eCryptfs Key/Mount Management
Inheritable Capabilities Management

Since I don't know what it does, could the Keyring Daemon be harboring 
old domain information?

For completeness, the output of Louis' debug info script is posted 
below.  Any input would be greatly appreciated.

Thanks,
Dale

Collected config --- 2021-01-18-14:35 -----------

Hostname: lmde4
DNS Domain: workgroup.realm.tld
FQDN: lmde4.workgroup.realm.tld
ipaddress: 192.168.0.15 -----------
Kerberos SRV _kerberos._tcp.workgroup.realm.tld record verified ok, 
sample output: Server: 192.168.0.7
Address: 192.168.0.7#53

_kerberos._tcp.workgroup.realm.tld service = 0 100 88 
dc1.workgroup.realm.tld.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="LMDE 4 (debbie)"
NAME="LMDE"
VERSION_ID="4"
VERSION="4 (debbie)"
ID=linuxmint
ID_LIKE=debian
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.linuxmint.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=debbie
DEBIAN_CODENAME=buster
-----------

This computer is running LMDE 4 Debbie x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 
1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fc:aa:14:e2:81:df brd ff:ff:ff:ff:ff:ff
inet 192.168.0.15/24 brd 192.168.0.255 scope global noprefixroute eth0
inet6 fe80::feaa:14ff:fee2:81df/64 scope link noprefixroute -----------
Checking file: /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.15 lmde4.workgroup.realm.tld lmde4

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-----------
Checking file: /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by 
resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.7
search workgroup.realm.tld
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = WORKGROUP.REALM.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files winbind
group: files winbind
shadow: files
gshadow: files

hosts: files dns
networks: file dns

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# 01/18/2021

[global]
workgroup = WORKGROUP
netbios name = LMDE4
security = ADS
realm = WORKGROUP.REALM.TLD
username map = /etc/samba/users.map

# Winbind
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = Yes
winbind expand groups = 2

# Permissions
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# Disable printing
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = Yes

# Logging
log file = /var/log/samba/%m.log
log level = 1
#log level = 1 auth:10 sam:3
max log size = 1000

# My additions
#map to guest = Bad User
#name resolve order = wins host bcast
#panic action = /usr/share/samba/panic-action %d
hosts allow = 192.168.0., 127.
veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
admin users = user1, user2, group1

# Winbind ID mapping backend - AD
# Built-in
idmap config * : backend = tdb
idmap config * : range = 2000-2999
# Domain
idmap config WORKGROUP : backend = ad
idmap config WORKGROUP : schema_mode = rfc2307
idmap config WORKGROUP : range = 3000-9999
idmap config WORKGROUP : unix_nss_info = Yes

[homes]
comment = Home Directories
path = /home/workgroup/%U
inherit owner = Yes
admin users = user1, group1, group2
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[websites]
comment = Website creation
path = /var/www/html
read only = No
valid users = user1, group1
admin users = user1, group1
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/users.map
# Unix Name = NT Name
!root = WORKGROUP\Administrator
Server Role is set to : auto
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended 
attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT 
Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using 
MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared 
library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime 
libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime 
libraries - Support library
ii libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba nameservice 
integration plugins
ii libpam-krb5:amd64 4.8-2+deb10u1 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Windows domain 
authentication integration plugin
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 shared library for 
communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba winbind client 
library
ii python-attr 18.2.0-1 all Attributes without boilerplate (Python 2)
ii python-characteristic 14.3.0-2 all helper for implementing 
attribute-related object protocols (Python 2)
ii python-nacl 1.3.0-2 amd64 Python bindings to libsodium (Python 2)
ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64 Python bindings for Samba
ii python3-nacl 1.3.0-2 amd64 Python bindings to libsodium (Python 3)
ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login 
server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the 
Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64 Samba common files used 
by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Directory 
Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Virtual 
FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64 command-line SMB/CIFS clients 
for Unix
ii virtualbox-6.1 6.1.16-140961~Debian~buster amd64 Oracle VM VirtualBox
ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and 
group information from Windows NT servers
-----------