[Samba] Problem on Windows AD Member based on Ubuntu with Samba 4.13.14

Viktor Trojanovic viktor at troja.ch
Sun Jan 16 10:17:36 UTC 2022


Not sure why I'm getting no replies on this. Did I miss something obvious?

On Tue, 11 Jan 2022 at 15:17, Viktor Trojanovic <viktor at troja.ch> wrote:

> Hi,
>
> A recent security update to 4.13.14 seems to have broken our Windows AD
> member server in some way.
>
> We're experiencing some weird behaviour on the Samba network shares (files
> that are deleted reappear again after a refresh), and the logs are full of
> errors of the following kind:
>
> log.smbd
> ------------
>
> [2022/01/11 14:42:56.187773,  0] ../../source3/auth/auth_util.c:1913(check_account)
>   check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\computer1$])
>
> log.wb-FS1 (FS1 = the member server)
> -----------------------------
>
> [2021/11/30 00:46:03.474847,  0] ../../source3/winbindd/winbindd.c:247(winbindd_sig_term_handler)
>   Got sig[15] terminate (is_parent=0)
> [2021/11/30 00:50:18.821399,  0] ../../source3/winbindd/winbindd_cm.c:1873(wb_open_internal_pipe)
>   open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
> [2021/11/30 00:50:18.878596,  0] ../../source3/rpc_server/rpc_ncacn_np.c:454(rpcint_dispatch)
>   rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR
>
> I read through some of the threads in the list of the last couple months
> and saw that it seems necessary to have the instruction "min domain uid =
> 0" in the global section of smb.conf. We're still experiencing errors in
> the logs after this change.
>
> Further, in the bug https://bugzilla.samba.org/show_bug.cgi?id=14901, it
> states that a username mapping script should be created. I created the file
> username_map_script.sh in /etc/samba, but in log.smbd it is stated that the
> file cannot be accessed (permission denied). Before, I used to work with a
> username mapping file which is also readable only by root, which wasn't a
> problem, so I'm not sure why Samba cannot access or run this script.
>
> Grateful for any advice on how to solve this.
>
> Viktor
>
> smb.conf
> -------------
>
> [global]
>    workgroup = HQ
>    security = ADS
>    realm = HQ.EXAMPLE.COM
>
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>
>    idmap config HQ:backend = ad
>    idmap config HQ:schema_mode = rfc2307
>    idmap config HQ:range = 10000-999999
>    idmap config HQ:unix_nss_info = yes
>
>    username map = /etc/samba/user.map
>    username map script = /etc/samba/username_map_script.sh
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>    winbind refresh tickets = Yes
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    min domain uid = 0
>
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>    # Template settings for login shell and home directory
>    template shell = /bin/bash
>    template homedir = /home/%U
>
>
> [Share1]
>         path = /srv/samba/HQ/software
>         read only = no
>
>
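A small diagnostic helper for the two symptoms in this thread (the `check_account: Failed to convert SID ... to a UID` lines in log.smbd, and the `username map script` that smbd reports as permission denied). This is an added example, not code from the original post or from the Samba project; it assumes the log line format shown above, the script path from the quoted smb.conf, and that `wbinfo --sid-to-uid` is available on the member server.

```bash
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumptions: Samba's
# "Failed to convert SID <sid> to a UID" message format, the script path
# /etc/samba/username_map_script.sh from the quoted smb.conf, and wbinfo.

# Print each distinct SID that smbd failed to map to a UID, reading log text on stdin.
unmapped_sids() {
    sed -n 's/.*Failed to convert SID \(S-[0-9-]*\) to a UID.*/\1/p' | sort -u
}

# Return the RID (last dash-separated component) of a SID.
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# smbd runs "username map script" as root, so root-only ownership is not the
# problem; the file must be a regular, executable file with a #! line.
# Prints a reason and returns 1 when any of those checks fail.
check_map_script() {
    script="$1"
    [ -f "$script" ] || { echo "$script: not a regular file"; return 1; }
    [ -x "$script" ] || { echo "$script: not executable (try chmod 700)"; return 1; }
    head -n 1 "$script" | grep -q '^#!' || { echo "$script: missing #! interpreter line"; return 1; }
    echo "$script: ok"
}

# Constructed sample in the format of the log.smbd excerpt quoted in the thread.
SAMPLE_LOG='[2022/01/11 14:42:56.187773,  0] ../../source3/auth/auth_util.c:1913(check_account)
  check_account: Failed to convert SID S-1-5-21-914846004-123456789-3175952047-1112 to a UID (dom_user[HQ\computer1$])'

main() {
    log="${1:-}"
    script="${2:-/etc/samba/username_map_script.sh}"
    # Use the real log when given, otherwise the constructed sample.
    { [ -n "$log" ] && cat "$log" || printf '%s\n' "$SAMPLE_LOG"; } | unmapped_sids |
    while read -r sid; do
        echo "unmapped SID $sid (RID $(sid_rid "$sid"))"
        # On the member server, ask winbind directly whether it can map this SID now.
        command -v wbinfo >/dev/null 2>&1 && wbinfo --sid-to-uid "$sid"
    done
    check_map_script "$script"
}

main "$@"
```

Run as `sh idmap_check.sh /var/log/samba/log.smbd` on the member server; a computer account such as `HQ\computer1$` whose SID still fails in `wbinfo --sid-to-uid` has no uidNumber in AD for the `idmap config HQ:backend = ad` range, which is why the bug report points at a mapping script.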

