[Samba] Active Directory Domain Corruption.

Andrew Bartlett abartlet at samba.org
Wed Jun 1 22:33:17 UTC 2022


Jumping back to the top of this chain again, as it has gone down
various ratholes. 

On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
> I have been unable to process any Domain Logins of any type on openSUSE
> Leap 15.3. I get an invalid SID error.
> This has been isolated to just one of my Domain Controllers. 
> Unfortunately, it's my Primary Domain Controller.
> 
> Basically normal Samba and Domain AD Logins fail with
> 
> NT_STATUS_INVALID_SID

So, what I would say is that idmap.ldb is not synchronised, so this
might explain that being on just one DC.  Digging into this may show
what the issue is there, otherwise just build a new DC.  (These
can/should be VMs.)

As you have been using Samba as a fileserver also, you will need to
take care: any new DC, or removing idmap.ldb to have it rebuilt, will
change the IDMAP, e.g. the effective owner of files.

Personally I suspect that file may have been edited or damaged.

This is why we suggest separation, so traditional Samba fileserver
rules can be used to manage idmap, as that is more suitable (IDMAP
management in the AD DC is poor).

We have already determined that while there is an odd DN in the DB, it
isn't fatal, just exposes a less-than-ideal behaviour in dbcheck.  

Within your physical constraints, do please try to follow our
deployment recommendations, it will help us help you.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
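An added check for the two points made above (idmap.ldb drifting between DCs, and a rebuilt idmap.ldb changing the effective owner of files). This is example code written for this page, not part of the message or of Samba's own tooling. It assumes each DC's idmap.ldb has been dumped with `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' cn xidNumber` (the private directory path is an assumption; adjust to your install); the two LDIF dumps and the list of numeric file owners in the script are constructed sample data standing in for those dumps and for `ls -n` output on the fileserver.

```shell
#!/bin/sh
# Added example (not Samba code): compare SID -> xidNumber mappings from idmap.ldb
# on two AD DCs, then show which numeric file owners would mean a different SID
# if the second mapping replaced the first. On a real DC each dump comes from
# (path assumed):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' cn xidNumber
# Only "cn:" and "xidNumber:" lines are parsed; other attributes are ignored.
# The LDIF dumps and the owner list below are constructed sample data.

DC1_LDIF='dn: CN=S-1-5-21-111-222-333-1103
cn: S-1-5-21-111-222-333-1103
type: ID_TYPE_BOTH
xidNumber: 3000012

dn: CN=S-1-5-21-111-222-333-1104
cn: S-1-5-21-111-222-333-1104
type: ID_TYPE_BOTH
xidNumber: 3000013

dn: CN=S-1-5-21-111-222-333-513
cn: S-1-5-21-111-222-333-513
type: ID_TYPE_GID
xidNumber: 100'

# Rebuilt DC: the same SIDs got xids allocated in a different order, plus one new SID.
DC2_LDIF='dn: CN=S-1-5-21-111-222-333-1104
cn: S-1-5-21-111-222-333-1104
type: ID_TYPE_BOTH
xidNumber: 3000012

dn: CN=S-1-5-21-111-222-333-1103
cn: S-1-5-21-111-222-333-1103
type: ID_TYPE_BOTH
xidNumber: 3000013

dn: CN=S-1-5-21-111-222-333-513
cn: S-1-5-21-111-222-333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-111-222-333-1105
cn: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000014'

# Numeric owners as `ls -n` would show them on the fileserver (constructed).
FILE_OWNERS='3000012
3000013
100'

# compare_idmap LDIF_A LDIF_B: one line per SID whose xid differs between the dumps,
# "SID A=<xid|missing> B=<xid|missing>", sorted by SID. Empty output means consistent.
compare_idmap() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '### NEXT-DC ###'
        printf '%s\n' "$2"
    } | awk '
        /^### NEXT-DC ###$/ { side = "B"; next }
        /^cn: /             { sid = $2; next }
        /^xidNumber: /      { if (side == "B") b[sid] = $2; else a[sid] = $2; next }
        END {
            for (s in a)
                if (!(s in b) || a[s] != b[s])
                    printf "%s A=%s B=%s\n", s, a[s], (s in b) ? b[s] : "missing"
            for (s in b)
                if (!(s in a))
                    printf "%s A=missing B=%s\n", s, b[s]
        }' | sort
}

# xid_to_sid LDIF XID: the SID mapped to that xid, or "unmapped".
xid_to_sid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^cn: /        { sid = $2 }
        /^xidNumber: / { if ($2 == want) { print sid; found = 1; exit } }
        END            { if (!found) print "unmapped" }'
}

# owner_drift LDIF_OLD LDIF_NEW UIDS: for each numeric owner (one per line), report
# when the SID it resolves to differs between the mappings: "uid old=SID new=SID".
owner_drift() {
    printf '%s\n' "$3" | while read -r uid; do
        [ -n "$uid" ] || continue
        old=$(xid_to_sid "$1" "$uid")
        new=$(xid_to_sid "$2" "$uid")
        [ "$old" = "$new" ] || printf '%s old=%s new=%s\n' "$uid" "$old" "$new"
    done
}

echo "== SIDs mapped differently on the two DCs =="
compare_idmap "$DC1_LDIF" "$DC2_LDIF"
echo "== file owners whose meaning changes after a rebuild =="
owner_drift "$DC1_LDIF" "$DC2_LDIF" "$FILE_OWNERS"
```

Run it against real dumps by replacing the two LDIF variables with the `ldbsearch` output from each DC. Any line from `compare_idmap` is a SID whose numeric identity differs between DCs; any line from `owner_drift` is a uid or gid on disk that will belong to a different account once the rebuilt mapping is in use, which is exactly the ownership change to plan for before replacing idmap.ldb.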
