[Samba] Problem on Windows AD Member based on Ubuntu with Samba 4.13.14

Viktor Trojanovic viktor at troja.ch
Tue Jan 11 14:17:11 UTC 2022 

Hi,

A recent security update to 4.13.14 seems to have broken our Windows AD
member server in some way.

We're experiencing some weird behaviour on the Samba network shares (files
that are deleted reappear again after a refresh), the logs are full of
errors of the following kind:

log.smbd
------------

[2022/01/11 14:42:56.187773,  0]
../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID
S-1-5-21-914846004-123456789-3175952047-1112 to a UID
(dom_user[HQ\computer1$])

log.wb-FS1 (FS1 = the member server)
-----------------------------

[2021/11/30 00:46:03.474847,  0]
../../source3/winbindd/winbindd.c:247(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2021/11/30 00:50:18.821399,  0]
../../source3/winbindd/winbindd_cm.c:1873(wb_open_internal_pipe)
  open_internal_pipe: Could not connect to dssetup pipe:
NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2021/11/30 00:50:18.878596,  0]
../../source3/rpc_server/rpc_ncacn_np.c:454(rpcint_dispatch)
  rpcint_dispatch: DCE/RPC fault in call lsarpc:2E -
DCERPC_NCA_S_OP_RNG_ERROR

I read through some of the threads in the list of the last couple months
and saw that it seems necessary to have the instruction "min domain uid =
0" in the global section of smb.conf. We're still experiencing errors in
the logs after this change.

Further, in the bug https://bugzilla.samba.org/show_bug.cgi?id=14901, it
states that a username mapping script should be created. I created the file
username_map_script.sh in /etc/samba but in log.smbd it is stated that the
file cannot be accessed (permission denied). Before, I used to work with a
username mapping file which is also readable only by root which wasn't a
problem so I'm not sure why samba cannot access or run this script.

Grateful for any advice on how to solve this.

Viktor

smb.conf
-------------

[global]
   workgroup = HQ
   security = ADS
   realm = HQ.EXAMPLE.COM

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config HQ:backend = ad
   idmap config HQ:schema_mode = rfc2307
   idmap config HQ:range = 10000-999999
   idmap config HQ:unix_nss_info = yes

   username map = /etc/samba/user.map
   username map script = /etc/samba/username_map_script.sh

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   winbind refresh tickets = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   min domain uid = 0

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # Template settings for login shell and home directory
   template shell = /bin/bash
   template homedir = /home/%U


[Share1]
        path = /srv/samba/HQ/software
        read only = no

More information about the samba mailing list