[Samba] More Active Directory Domain Corruption.

Zombie Ryushu zombie_ryushu at yahoo.com
Wed Jun 1 23:11:43 UTC 2022

On 6/1/22 18:33, Andrew Bartlett via samba wrote:
> Jumping back to the top of this chain again, as it has gone down
> various ratholes.
> On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
>> I have been unable to process any Domain Logins of any type on OpenSuse
>> Leap
>> 15.3. I get an invalid SID error.
>> This has been isolated to just one of my Domain Controllers.
>> Unfortunately, its my Primary Domain Controller.
>> Basically normal Samba and Domain AD Logins fail with
> So, what I would say is that idmap.ldb is not synchronised so this might
> explain that being on just one DC.  Digging into this may show what the
> issue is there, otherwise just build a new DC.  (these can/should be
> VMs).
> As you have been using Samba as a fileserver also, you will need to
> take care that any new DC or if you removed idmap.ldb to have it
> rebuilt will change the IDMAP, eg the effective owner of files.
> Personally I suspect that file may have been edited or damaged.
> This is why we suggest separation, so traditional Samba fileserver
> rules can be used to manage idmap, as that is more suitable (IDMAP
> management in the AD DC is poor).
> We have already determined that while there is an odd DN in the DB, it
> isn't fatal, just exposes a less-than-ideal behaviour in dbcheck.
> Within your physical constraints, do please try to follow our
> deployment recommendations, it will help us help you.
> Andrew Bartlett
So I didn't fix it. I followed your advice and instructions, but it still 
didn't give me the desired results.

Here is what I did:

I backed up the data using the samba-tool domain backup offline command. 
(the online version failed due to the SID error)

WARNING 2022-06-01 18:38:25,505 pid:19047 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2114: 
More than one IPv4 address found. Using

This IP address is an interface for a Docker image. I probably should 
restrict that to the actual of the ethernet adapter.

So I added

interfaces = eth1 lo
bind interfaces only = yes

to smb.conf.

I then methodically went through and purged all tdb and ldb files. Then 
I re-joined the DC to the Domain. During Provision, this error appeared.

INFO 2022-06-01 19:01:33,933 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: 
Looking up IPv4 addresses
INFO 2022-06-01 19:01:33,933 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: 
Looking up IPv6 addresses
WARNING 2022-06-01 19:01:33,934 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No 
IPv6 address will be assigned
INFO 2022-06-01 19:01:34,415 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: 
Setting up secrets.ldb
INFO 2022-06-01 19:01:34,653 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: 
Setting up the registry
INFO 2022-06-01 19:01:34,755 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: 
Setting up the privileges database
INFO 2022-06-01 19:01:35,354 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: 
Setting up idmap db
INFO 2022-06-01 19:01:35,739 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: 
Setting up SAM db
INFO 2022-06-01 19:01:35,840 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #880: 
Setting up sam.ldb partitions and settings
INFO 2022-06-01 19:01:35,842 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #892: 
Setting up sam.ldb rootDSE
INFO 2022-06-01 19:01:35,916 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: 
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint 
on local domainSIDs

INFO 2022-06-01 19:01:36,116 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2343: 
The Kerberos KDC configuration for Samba AD is located at 
INFO 2022-06-01 19:01:36,117 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A 
Kerberos configuration suitable for Samba AD has been generated at 
INFO 2022-06-01 19:01:36,117 pid:23908 
/usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: 
Merge the contents of this file with your system krb5.conf or replace it 
with this one. Do not create a symlink!
Provision OK for domain DN DC=pukey
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[402/1550] 
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[804/1550] 
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[1206/1550] 
Schema-DN[CN=Schema,CN=Configuration,DC=pukey] objects[1550/1550] 
Analyze and apply schema objects
Partition[CN=Configuration,DC=pukey] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=pukey] objects[1653/1653] 
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=pukey] objects[2055/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[2457/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[2859/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[3261/1653] linked_values[49/0]
Partition[CN=Configuration,DC=pukey] objects[3306/1653] 
Replicating critical objects from the base DN of the domain
Partition[DC=pukey] objects[98/98] linked_values[38/38]
Partition[DC=pukey] objects[324/324] linked_values[46/46]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=pukey
Partition[DC=DomainDnsZones,DC=pukey] objects[45/45] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=pukey
Partition[DC=ForestDnsZones,DC=pukey] objects[26/26] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=pukey] objects[3] linked_values[0]
Committing SAM database
Repacking database from v1 to v2 format (first record 
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record 
Repacking database from v1 to v2 format (first record 
Repacking database from v1 to v2 format (first record 
Repacking database from v1 to v2 format (first record 
INFO 2022-06-01 19:01:48,444 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1101: Adding 1 remote 
DNS records for OLYMPIA.pukey
INFO 2022-06-01 19:01:48,579 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1164: Adding DNS A 
record OLYMPIA.pukey for IPv4 IP:
INFO 2022-06-01 19:01:48,771 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1192: Adding DNS CNAME 
record d02fb6d3-feec-46ec-bcb1-dad7bdd64e27._msdcs.pukey for OLYMPIA.pukey
INFO 2022-06-01 19:01:48,975 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1217: All other DNS 
records (like _ldap SRV records) will be created samba_dnsupdate on 
first startup
INFO 2022-06-01 19:01:48,975 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1222: Replicating new 
DNS records in DC=DomainDnsZones,DC=pukey
Partition[DC=DomainDnsZones,DC=pukey] objects[2/2] linked_values[0/0]
INFO 2022-06-01 19:01:49,198 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1222: Replicating new 
DNS records in DC=ForestDnsZones,DC=pukey
Partition[DC=ForestDnsZones,DC=pukey] objects[2/2] linked_values[0/0]
INFO 2022-06-01 19:01:49,357 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1237: Sending 
DsReplicaUpdateRefs for all the replicated partitions
INFO 2022-06-01 19:01:49,561 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1267: Setting 
isSynchronized and dsServiceName
INFO 2022-06-01 19:01:49,625 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1282: Setting up 
secrets database
INFO 2022-06-01 19:01:50,324 pid:23908 
/usr/lib64/python3.6/site-packages/samba/join.py #1544: Joined domain 

After Provision: wbinfo -S S-1-5-21-2139989288-483860436-2398042574-2000
failed to call wbcSidToUid: WBC_ERR_UNKNOWN_FAILURE
Could not convert sid S-1-5-21-2139989288-483860436-2398042574-2000 to uid

So this appears to have had no effect. Even after I purged 
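Andrew's reply above suggests idmap.ldb is out of sync on one DC, which matches `wbinfo -S` failing on only that DC. As an added example (not from this thread or the Samba project), the following Python script compares two LDIF dumps of idmap.ldb, in the shape `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints them on each DC (that path is the usual default and is an assumption), and reports SIDs missing on one side, SIDs that both DCs know but map to different xidNumbers, and xids that more than one SID maps to on a single DC. The dumps embedded below are constructed: the domain SID is the one from the wbinfo output above, but the RIDs and xidNumbers are made up.

```python
"""Compare idmap.ldb dumps from two Samba AD DCs (added example, not Samba code)."""
import base64
import re
from collections import defaultdict

# Domain SID taken from the wbinfo output in the thread; RIDs and xids below are made up.
DOMAIN = "S-1-5-21-2139989288-483860436-2398042574"


def _record(rid, xid, id_type="ID_TYPE_BOTH"):
    """Build one constructed sidMap record in the layout idmap.ldb uses."""
    sid = f"{DOMAIN}-{rid}"
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: {id_type}\nxidNumber: {xid}\ndistinguishedName: CN={sid}\n")


# The CN=CONFIG record carries the allocation range and is not a sidMap entry.
CONFIG = "# record 1\ndn: CN=CONFIG\ncn: CONFIG\nlowerBound: 3000000\nupperBound: 4000000\n"

# Healthy DC: three mappings, every xid unique.
DC1_LDIF = "\n".join([CONFIG, _record(512, 3000000), _record(513, 3000001),
                      _record(2000, 3000017, "ID_TYPE_UID")])
# Suspect DC: RID 2000 missing (so wbinfo -S fails there), RID 513 mapped to a
# different xid, and an extra RID 1105 colliding with RID 512's xid.
DC2_LDIF = "\n".join([CONFIG, _record(512, 3000000), _record(513, 3000005),
                      _record(1105, 3000000)])


def parse_idmap_ldif(text):
    """Return {objectSid: (type, xidNumber)} for every sidMap record in an LDIF dump."""
    mappings = {}
    for block in re.split(r"\n\s*\n", text.strip()):      # records are blank-line separated
        attrs = defaultdict(list)
        for line in re.sub(r"\n ", "", block).splitlines():   # unfold RFC 2849 continuations
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):                         # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs[key.strip()].append(value.strip())
        if "sidMap" not in attrs["objectClass"] or not attrs["objectSid"] or not attrs["xidNumber"]:
            continue
        id_type = attrs["type"][0] if attrs["type"] else "?"
        mappings[attrs["objectSid"][0]] = (id_type, int(attrs["xidNumber"][0]))
    return mappings


def diff_idmaps(left, right):
    """SIDs present on one DC only, plus SIDs both know but map to different xids."""
    both = set(left) & set(right)
    return {
        "missing_on_right": set(left) - set(right),
        "missing_on_left": set(right) - set(left),
        "mismatched": {sid: (left[sid][1], right[sid][1])
                       for sid in both if left[sid][1] != right[sid][1]},
    }


def find_xid_collisions(mappings):
    """xids that more than one SID maps to on a single DC (ambiguous file ownership)."""
    by_xid = defaultdict(list)
    for sid, (_, xid) in mappings.items():
        by_xid[xid].append(sid)
    return {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    for name, value in diff_idmaps(dc1, dc2).items():
        print(f"{name}: {value}")
    print("xid collisions on DC2:", find_xid_collisions(dc2))
```

Run it against real dumps by reading the two ldbsearch outputs from files instead of the constructed strings; a SID listed under missing_on_right or mismatched is one whose uid/gid will differ between DCs, which is the file-ownership change Andrew warns about when idmap.ldb is rebuilt.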
