[Samba] More Active Directory Domain Corruption.

Andrew Bartlett abartlet at samba.org
Wed Jun 1 23:21:49 UTC 2022

On Wed, 2022-06-01 at 19:11 -0400, Zombie Ryushu wrote:
> On 6/1/22 18:33, Andrew Bartlett via samba wrote:
> > Jumping back to the top of this chain again, as it has gone down
> > various ratholes.
> > On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
> >
> > > I have been unable to process any Domain Logins of any type on
> > > OpenSuse Leap 15.3. I get an invalid SID error. This has been
> > > isolated to just one of my Domain Controllers. Unfortunately, it's
> > > my Primary Domain Controller.
> > > Basically normal Samba and Domain AD Logins fail with
> > >
> >
> > So, what I would say is that idmap.ldb is not synchronised so this
> > might explain that being on just one DC.  Digging into this may
> > show what the issue is there, otherwise just build a new DC.  (these
> > can/should be VMs).
> > As you have been using Samba as a fileserver also, you will need
> > to take care that any new DC, or removing idmap.ldb to have it
> > rebuilt, will change the IDMAP, eg the effective owner of files.
> > Personally I suspect that file may have been edited or damaged.
> > This is why we suggest separation, so traditional Samba
> > fileserver rules can be used to manage idmap, as that is more
> > suitable (IDMAP management in the AD DC is poor).
> > We have already determined that while there is an odd DN in the DB,
> > it isn't fatal, just exposes a less-than-ideal behaviour in
> > dbcheck.
> > Within your physical constraints, do please try to follow our
> > deployment recommendations, it will help us help you.
> > Andrew Bartlett
> >
>
> So I didn't fix it. I followed your advice and instructions, but
> it still didn't give me the desired results.
> Here is what I did:
> I backed up the data using the samba-tool domain backup offline
> command. (the online version failed due to the SID error)
>
> 2022-06-01 18:38:25,505 pid:19047 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2114: More than one IPv4 address found. Using
>
> This IP address is an interface for a Docker image. I probably should
> restrict that to the actual of the ethernet adapter, so I added
> interfaces = eth1 lo
> bind interfaces only = yes
> to smb.conf.
> I then methodically went through and purged all tdb and ldb
> files. Then I re-joined the DC to the Domain. During Provision,
> this error appeared.

> 2022-06-01 19:01:50,324 pid:23908 /usr/lib64/python3.6/site-packages/samba/join.py #1544: domain PUKEY-NT as a DC

To be clear, this is success.  I don't know why you get idmap errors
but I suggest you look into the winbindd logs for further clues.

I would again suggest to make your install as boring as possible, but
if that still doesn't help you may need to seek professional advice
from a commercial support provider who can spend some time to really
dig into this, or just rebuild the domain in as boring a manner as
possible.  I don't say so lightly but this thread isn't really getting
anywhere fast and is getting distracted by the various differences.

You are not the only one, but there is a lot of jumping to conclusions
here and that isn't helping.  Turning up the log level and spending a
lot of time reading that output around the time when specific failures
are seen is all I can suggest.


Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
