[Samba] Problem on Windows AD Member based on Ubuntu with Samba 4.13.14
Viktor Trojanovic
viktor at troja.ch
Tue Jan 11 14:17:11 UTC 2022
Hi,
A recent security update to 4.13.14 seems to have broken our Windows AD
member server in some way.
We're experiencing some weird behaviour on the Samba network shares (files
that are deleted reappear after a refresh), and the logs are full of
errors of the following kind:
log.smbd
------------
[2022/01/11 14:42:56.187773, 0]
../../source3/auth/auth_util.c:1913(check_account)
check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\computer1$])
log.wb-FS1 (FS1 = the member server)
-----------------------------
[2021/11/30 00:46:03.474847, 0]
../../source3/winbindd/winbindd.c:247(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
[2021/11/30 00:50:18.821399, 0]
../../source3/winbindd/winbindd_cm.c:1873(wb_open_internal_pipe)
open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2021/11/30 00:50:18.878596, 0]
../../source3/rpc_server/rpc_ncacn_np.c:454(rpcint_dispatch)
rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR
I read through some of the threads in the list of the last couple months
and saw that it seems necessary to have the instruction "min domain uid =
0" in the global section of smb.conf. We're still experiencing errors in
the logs after this change.
Further, the bug https://bugzilla.samba.org/show_bug.cgi?id=14901 states
that a username mapping script should be created. I created the file
username_map_script.sh in /etc/samba, but log.smbd states that the file
cannot be accessed (permission denied). Before, I used to work with a
username mapping file, which is also readable only by root, and that wasn't a
problem, so I'm not sure why Samba cannot access or run this script.
Grateful for any advice on how to solve this.
Viktor
smb.conf
-------------
[global]
workgroup = HQ
security = ADS
realm = HQ.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HQ:backend = ad
idmap config HQ:schema_mode = rfc2307
idmap config HQ:range = 10000-999999
idmap config HQ:unix_nss_info = yes
username map = /etc/samba/user.map
username map script = /etc/samba/username_map_script.sh
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
min domain uid = 0
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
[Share1]
path = /srv/samba/HQ/software
read only = no
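Added example (not part of the post or of Samba): a small Python triage helper for the two symptoms above. It parses check_account "Failed to convert SID ... to a UID" lines from log.smbd and separates computer accounts (sAMAccountName ending in `$`) from user accounts, since objects without an rfc2307 uidNumber cannot be mapped by the `ad` idmap backend and computer accounts usually lack one; and it explains, from a file's stat() mode and owner, why smbd might be refused when running a `username map script`, which unlike a `username map` file needs the execute bit. The log lines are constructed to match the excerpt; group permissions are ignored for brevity.

```python
import re
import stat
from collections import Counter

# Constructed sample lines modelled on the log.smbd excerpt in the post.
SAMPLE_LOG = """\
[2022/01/11 14:42:56.187773, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\\computer1$])
[2022/01/11 14:43:10.001000, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1105 to a UID (dom_user[HQ\\alice])
[2022/01/11 14:43:12.500000, 0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\\computer1$])
"""

SID_FAIL_RE = re.compile(
    r"Failed to convert SID (?P<sid>S-1-5-21(?:-\d+)+) to a UID "
    r"\(dom_user\[(?P<domain>[^\\\]]+)\\(?P<user>[^\]]+)\]\)"
)

def parse_sid_failures(log_text):
    """Return (sid, domain, account) for every SID-to-UID failure line."""
    return [(m.group("sid"), m.group("domain"), m.group("user"))
            for m in SID_FAIL_RE.finditer(log_text)]

def summarize_failures(log_text):
    """Count failures per account, split into computer ($) and user accounts."""
    machine, users = Counter(), Counter()
    for sid, domain, account in parse_sid_failures(log_text):
        key = f"{domain}\\{account} ({sid})"
        (machine if account.endswith("$") else users)[key] += 1
    return {"machine_accounts": dict(machine), "user_accounts": dict(users)}

def map_script_problems(st_mode, st_uid, smbd_uid=0):
    """Explain why smbd (running as smbd_uid) could not run a map script."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if smbd_uid == 0:  # root bypasses read checks but still needs an x bit
        readable = True
        executable = st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    else:  # owner vs. other only; group bits ignored for brevity
        owner = st_uid == smbd_uid
        readable = st_mode & (stat.S_IRUSR if owner else stat.S_IROTH)
        executable = st_mode & (stat.S_IXUSR if owner else stat.S_IXOTH)
    if not readable:
        problems.append("not readable by the uid smbd runs as")
    if not executable:
        problems.append("execute bit missing (a map file needs read only, a script needs exec)")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable: anyone could alter the mapping logic")
    return problems
```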