[Samba] Samba 4.17.2 and winbind issues

Leszek Szczepanowski twinsen at mspanc.net
Thu Dec 8 09:11:19 UTC 2022


I have corrected my smb.conf to this:

[root at fs01 lszczepa]# net conf list
[global]
        logging = syslog
        clustering = yes
        security = ads
        realm = XXX.YYY.ZZZ
        map acl inherit = yes
        workgroup = XXX
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        ctdb:registry.tdb = yes
        netbios name = FS
        idmap config toronto : backend = rid
        idmap config * : range = 1000-7999
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        dedicated keytab file = /etc/krb5.keytab
        log level = 3
        password server = 172.16.32.5
        idmap config toronto : range = 10000-199999

[symptoms]
        read only = no
        inherit acls = yes
        guest ok = no
        browseable = yes
        path = /mnt/glusterfs/symptoms/


Now everything works correctly; I was also making an odd mistake :) I was doing
this:

smbclient ////localhost//symptoms -U lszczepa

instead of this:

smbclient \\\\fs\\symptoms -U lszczepa

Sorry for making a mess :) Now logging in and mapping is OK.

On Wed, 7 Dec 2022 at 17:27, Rowland Penny via samba <samba at lists.samba.org>
wrote:

>
>
> On 07/12/2022 16:00, Leszek Szczepanowski via samba wrote:
> > I was using Samba 4.16, all was ok.
> > My clustered Samba is joined to AD domain, all was working.
> > By mistake I updated servers to Samba 4.17.2
> > Now, just on winbind start, I'm receiving this:
> >
> > [root at fs01 samba]# net ads testjoin
> > Join is OK
> > Dec 07 16:41:30 fs01.ams.optiva.com winbindd[82557]: [2022/12/07
> > 16:41:30.246099,  1]
> > ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
> > Dec 07 16:41:30 fs01.ams.optiva.com winbindd[82557]:
> > ../../source3/rpc_client/cli_pipe.c:550: RPC fault code
> > DCERPC_NCA_S_OP_RNG_ERROR received from host fs01!
> > Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: [2022/12/07
> > 16:41:33.313098,  1]
> > ../../source3/winbindd/wb_queryuser.c:402(wb_queryuser_got_gid)
> > Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]:   Returning
> > NT_STATUS_NO_SUCH_USER
> > Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]:   xid.type must be
> > ID_TYPE_UID or ID_TYPE_BOTH.
> > Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]: [2022/12/07
> > 16:41:33.313194,  1]
> > ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
> > Dec 07 16:41:33 fs01.ams.optiva.com winbindd[82555]:   Could not convert
> > sid S-1-5-21-76667877-53546716-1882380502-1000: NT_STATUS_NO_SUCH_USER
> >
> > In general wbinfo -u and -g working.
> > id too:
> > [root at fs01 samba]# id "XXX\lszczepa"
> > uid=25360(XXX\lszczepa) gid=1315200513(XXX\domain users)
> > groups=1315200513(XXX\domain users),25360(XXX\lszczepa)
> >
> > [root at fs01 samba]# net conf list
> > [global]
> >          logging = syslog
> >          log level = 1
> >          clustering = yes
> >          security = ads
> >          realm = XXX.YYY.ZZZ
> >          map acl inherit = yes
> >          workgroup = XXX
> >          kerberos method = secrets and keytab
> >          idmap config * : range = 1000-7999
> >          idmap config * : backend = tdb
> >          ctdb:registry.tdb = yes
> >          netbios name = FS
> >          idmap config XXX: range = 100000-1999999999
> >          idmap config XXX: backend = rid
> >
> >
> > [symptoms]
> >          read only = no
> >          inherit acls = yes
> >          guest ok = no
> >          browseable = yes
> >          path = /mnt/glusterfs/symptoms/
> >
> > [root at fs01 samba]# smbclient ////localhost//symptoms -U lszczepa
> > Password for [XXX\lszczepa]:
> > do_connect: Connection to  failed (Error NT_STATUS_NOT_FOUND)
> >
> > Because of this, I cannot log in to the samba share using AD credentials :(
> >
> > What is this S-1-5-21-76667877-53546716-1882380502-1000 ??
> > Actually, my user on this machine has uid=1000 and gid=1000
> > But I think it has nothing to do with that.
>
> It could have a lot to do with that.
>
> S-1-5-21-76667877-53546716-1882380502-1000 is the user's SID, which is
> composed of the domain SID: S-1-5-21-76667877-53546716-1882380502
> and the user's RID: 1000 (provided this is your user's SID).
>
> Why have you started the default range '*' at '1000' in your smb.conf ?
>
> How, if the 'XXX' range starts at '100000' and you are using the 'rid'
> idmap backend, does your user get the ID '1000' ?
>
> I would have expected (provided that your user has the RID '1000') it to
> be '101000'.
>
> Or do you have a local Unix user with the ID '1000' ?
>
> Another option is that 'XXX' isn't your NetBIOS domain name (aka workgroup)
>
> Rowland


-- 
Leszek A. Szczepanowski
twinsen at mspanc.net
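
Added example, not part of the original thread and not Samba code: a small checker for the points raised in the quoted reply. It parses the `idmap config` lines, applies the formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0) to a SID, and reports overlapping ranges or local Unix IDs that fall inside an idmap range. The function names and the sample text (the idmap lines of the first quoted config) are assumptions made for the illustration.

```python
import re

# Constructed sample: the idmap lines from the first quoted config in the thread.
SAMPLE_CONF = """\
idmap config * : range = 1000-7999
idmap config * : backend = tdb
idmap config XXX: range = 100000-1999999999
idmap config XXX: backend = rid
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val
    return domains

def rid_to_unix_id(sid, id_range, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + id_range[0]
    return unix_id if id_range[0] <= unix_id <= id_range[1] else None

def audit(domains, local_ids=()):
    """Report overlapping idmap ranges and local Unix IDs inside any idmap range."""
    findings = []
    items = sorted(domains.items())
    for i, (a, ca) in enumerate(items):
        for b, cb in items[i + 1:]:
            if ca["range"][0] <= cb["range"][1] and cb["range"][0] <= ca["range"][1]:
                findings.append(f"ranges of {a} and {b} overlap")
        for lid in local_ids:
            if ca["range"][0] <= lid <= ca["range"][1]:
                findings.append(f"local ID {lid} is inside the {a} range")
    return findings
```

With the SID from the log and the 'XXX' range, `rid_to_unix_id` gives 101000, the value expected in the reply; passing the local uid 1000 to `audit` flags the '*' range that starts at 1000.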

