[Samba] More Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Wed Jun 1 23:11:43 UTC 2022


On 6/1/22 18:33, Andrew Bartlett via samba wrote:
> Jumping back to the top of this chain again, as it has gone down
> various ratholes.
>
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have been unable to process any Domain Logins of any type on OpenSuse
>> Leap 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, it's my Primary Domain Controller.
>>
>> Basically normal Samba and Domain AD Logins fail with
>>
>> NT_STATUS_INVALID_SID
> So, what I would say is that idmap.ldb is not synchronised so this might
> explain that being on just one DC.  Digging into this may show what the
> issue is there, otherwise just build a new DC.  (these can/should be
> VMs).
>
> As you have been using Samba as a fileserver also, you will need to
> take care that any new DC or if you removed idmap.ldb to have it
> rebuilt will change the IDMAP, eg the effective owner of files.
>
> Personally I suspect that file may have been edited or damaged.
>
> This is why we suggest separation, so traditional Samba fileserver
> rules can be used to manage idmap, as that is more suitable (IDMAP
> management in the AD DC is poor).
>
> We have already determined that while there is an odd DN in the DB, it
> isn't fatal, just exposes a less-than-ideal behaviour in dbcheck.
>
> Within your physical constraints, do please try to follow our
> deployment recommendations, it will help us help you.
>
> Andrew Bartlett
>
So I didn't fix it. I followed your advice and instructions, but it still 
didn't give me the desired results.

Here is what I did:

I backed up the data using the samba-tool domain backup offline command. 
(the online version failed due to the SID error)

WARNING 2022-06-01 18:38:25,505 pid:19047 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2114: 
More than one IPv4 address found. Using 172.17.0.1

This IP address is an interface for a Docker image. I probably should 
restrict that to the actual ethernet adapter.

so I added

    interfaces = eth1 lo
    bind interfaces only = yes

to smb.conf.

I then methodically went through and purged all tdb and ldb files. Then 
I re-joined the DC to the Domain. During Provision, this error appeared.

INFO 2022-06-01 19:01:33,933 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: 
Looking up IPv4 addresses
INFO 2022-06-01 19:01:33,933 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: 
Looking up IPv6 addresses
WARNING 2022-06-01 19:01:33,934 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No 
IPv6 address will be assigned
INFO 2022-06-01 19:01:34,415 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: 
Setting up secrets.ldb
INFO 2022-06-01 19:01:34,653 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: 
Setting up the registry
INFO 2022-06-01 19:01:34,755 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: 
Setting up the privileges database
INFO 2022-06-01 19:01:35,354 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: 
Setting up idmap db
INFO 2022-06-01 19:01:35,739 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: 
Setting up SAM db
INFO 2022-06-01 19:01:35,840 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #880: 
Setting up sam.ldb partitions and settings
INFO 2022-06-01 19:01:35,842 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #892: 
Setting up sam.ldb rootDSE
INFO 2022-06-01 19:01:35,916 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: 
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint 
on local domainSIDs

INFO 2022-06-01 19:01:36,116 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2343: 
The Kerberos KDC configuration for Samba AD is located at 
/var/lib/samba/private/kdc.conf
INFO 2022-06-01 19:01:36,117 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A 
Kerberos configuration suitable for Samba AD has been generated at 
/var/lib/samba/private/krb5.conf
INFO 2022-06-01 19:01:36,117 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: 
Merge the contents of this file with your system krb5.conf or replace it 
with this one. Do not create a symlink!
Provision OK for domain DN DC=pukey
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[402/1550] 
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[804/1550] 
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[1206/1550] 
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[1550/1550] 
linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=pukey] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1653/1653] 
linked_values[49/49]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=pukey] objects[2055/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[2457/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[2859/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[3261/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[3306/1653] 
linked_values[98/49]
Replicating critical objects from the base DN of the domain
Partition[DC=pukey] objects[98/98] linked_values[38/38]
Partition[DC=pukey] objects[324/324] linked_values[46/46]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=pukey
Partition[DC=DomainDnsZones,DC=pukey] objects[45/45] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=pukey
Partition[DC=ForestDnsZones,DC=pukey] objects[26/26] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=pukey] objects[3] linked_values[0]
Committing SAM database
Repacking database from v1 to v2 format (first record 
CN=ms-Exch-Configuration-Container,CN=Schema,CN=Configuration,DC=pukey)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record 
CN=IntellimirrorGroup-Display,CN=419,CN=DisplaySpecifiers,CN=Configuration,DC=pukey)
Repacking database from v1 to v2 format (first record 
DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=pukey)
Repacking database from v1 to v2 format (first record 
DC=f1089f36-ffbd-4d60-932c-3f71addac95a,DC=_msdcs.pukey,CN=MicrosoftDNS,DC=ForestDnsZones,DC=pukey)
Repacking database from v1 to v2 format (first record 
CN=6bcd5684-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=pukey)
INFO 2022-06-01 19:01:48,444 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1101: Adding 1 remote 
DNS records for OLYMPIA.pukey
INFO 2022-06-01 19:01:48,579 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1164: Adding DNS A 
record OLYMPIA.pukey for IPv4 IP: 192.168.0.4
INFO 2022-06-01 19:01:48,771 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1192: Adding DNS CNAME 
record d02fb6d3-feec-46ec-bcb1-dad7bdd64e27._msdcs.pukey for OLYMPIA.pukey
INFO 2022-06-01 19:01:48,975 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1217: All other DNS 
records (like _ldap SRV records) will be created samba_dnsupdate on 
first startup
INFO 2022-06-01 19:01:48,975 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1222: Replicating new 
DNS records in DC=DomainDnsZones,DC=pukey
Partition[DC=DomainDnsZones,DC=pukey] objects[2/2] linked_values[0/0]
INFO 2022-06-01 19:01:49,198 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1222: Replicating new 
DNS records in DC=ForestDnsZones,DC=pukey
Partition[DC=ForestDnsZones,DC=pukey] objects[2/2] linked_values[0/0]
INFO 2022-06-01 19:01:49,357 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1237: Sending 
DsReplicaUpdateRefs for all the replicated partitions
INFO 2022-06-01 19:01:49,561 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1267: Setting 
isSynchronized and dsServiceName
INFO 2022-06-01 19:01:49,625 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1282: Setting up 
secrets database
INFO 2022-06-01 19:01:50,324 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1544: Joined domain 
PUKEY-NT as a DC

After Provision:

wbinfo -S S-1-5-21-2139989288-483860436-2398042574-2000
failed to call wbcSidToUid: WBC_ERR_UNKNOWN_FAILURE
Could not convert sid S-1-5-21-2139989288-483860436-2398042574-2000 to uid

So this appears to have had no effect, even after I purged 
/var/lib/samba/private.
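The diagnosis offered above is that idmap.ldb on one DC has drifted from the others, or has been damaged, and that rebuilding it changes the effective owner of files. The following Python is an added example, not part of this post and not Samba's own code: it takes two LDIF exports of idmap.ldb (the form `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints), checks that each objectSid is at least well-formed, and reports SIDs that are mapped to a different xidNumber or type on each DC, or that exist on only one of them. The two LDIF dumps are constructed samples, the domain SID is the one from the post, and the record attributes used (objectSid, xidNumber, type) are assumed to match the sidMap records Samba writes.

```python
import re
from typing import Dict, List, Tuple

# Shape of a SID string: revision 1, an identifier authority, then 1..15
# sub-authorities (for a user/group SID the last one is the RID, e.g. -2000).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

# {objectSid: (xidNumber, type)}: the fields that decide a file's owner.
IdMap = Dict[str, Tuple[str, str]]


def is_valid_sid(sid: str) -> bool:
    """Syntactic check only; it says nothing about whether the SID exists."""
    return SID_RE.match(sid) is not None


def parse_idmap_ldif(text: str) -> IdMap:
    """Parse an LDIF dump of idmap.ldb into {objectSid: (xidNumber, type)}.
    Records are separated by blank lines, '#' lines are comments, and a line
    starting with a space continues the previous attribute (LDIF folding)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_attr = ""
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, ""
            continue
        if line.startswith(" ") and last_attr:
            current[last_attr] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip()
        current[last_attr] = value.strip()
    if current:
        records.append(current)
    return {r["objectSid"]: (r.get("xidNumber", ""), r.get("type", ""))
            for r in records if "objectSid" in r}


def diff_idmaps(a: IdMap, b: IdMap) -> dict:
    """Report malformed SIDs, SIDs present on only one DC, and SIDs whose
    xidNumber/type differ between the DCs (the case that silently changes
    the effective owner of files when one DC's idmap is rebuilt)."""
    sids_a, sids_b = set(a), set(b)
    return {
        "invalid": sorted(s for s in sids_a | sids_b if not is_valid_sid(s)),
        "only_in_a": sorted(sids_a - sids_b),
        "only_in_b": sorted(sids_b - sids_a),
        "mismatched": {s: {"a": a[s], "b": b[s]}
                       for s in sorted(sids_a & sids_b) if a[s] != b[s]},
    }


# Constructed sample exports (not real dumps). DC_A holds the drifted mapping
# and a damaged record; DC_B is what the healthy DC holds.
DC_A_LDIF = """\
# record 1
dn: CN=S-1-5-21-2139989288-483860436-2398042574-2000
objectClass: sidMap
objectSid: S-1-5-21-2139989288-483860436-2398042574-2000
type: ID_TYPE_BOTH
xidNumber: 3000021

# record 2 (damaged: a sub-authority is not numeric)
dn: CN=S-1-5-21-2139989288-483860436-2398042574-1105
objectClass: sidMap
objectSid: S-1-5-21-2139989288-4838x0436-2398042574-1105
type: ID_TYPE_BOTH
xidNumber: 3000031
"""

DC_B_LDIF = """\
# record 1
dn: CN=S-1-5-21-2139989288-483860436-2398042574-2000
objectClass: sidMap
objectSid: S-1-5-21-2139989288-483860436-2398042574-2000
type: ID_TYPE_BOTH
xidNumber: 3000045

# record 2
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

if __name__ == "__main__":
    import json
    report = diff_idmaps(parse_idmap_ldif(DC_A_LDIF), parse_idmap_ldif(DC_B_LDIF))
    print(json.dumps(report, indent=2))
```

Run against the constructed samples, the report lists the -2000 SID as mismatched (3000021 on one DC, 3000045 on the other), the damaged record as both invalid and only on DC_A, and BUILTIN\Administrators as present only on DC_B. Before rebuilding a DC, a report with no mismatches and no one-sided entries is the thing to confirm, since any xidNumber that changes is an ownership change on disk.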

