[Samba] More Active Directory Domain Corruption.
Andrew Bartlett
abartlet at samba.org
Wed Jun 1 23:21:49 UTC 2022
On Wed, 2022-06-01 at 19:11 -0400, Zombie Ryushu wrote:
> On 6/1/22 18:33, Andrew Bartlett via samba wrote:
>
> > Jumping back to the top of this chain again, as it has gone
> > down various ratholes.
> > On Tue, 2022-05-31 at 08:39 -0400, Zombie Ryushu via samba wrote:
> >
> > > I have been unable to process any Domain Logins of any type on
> > > OpenSuse Leap 15.3. I get an invalid SID error. This has been
> > > isolated to just one of my Domain Controllers. Unfortunately, it's
> > > my Primary Domain Controller.
> > > Basically normal Samba and Domain AD Logins fail with
> > > NT_STATUS_INVALID_SID
> > >
> >
> > So, what I would say is that idmap.ldb is not synchronised so
> > this might explain that being on just one DC. Digging into this may
> > show what the issue is there, otherwise just build a new DC. (these
> > can/should be VMs).
> > As you have been using Samba as a fileserver also, you will need
> > to take care that any new DC or if you removed idmap.ldb to have
> > it rebuilt will change the IDMAP, eg the effective owner of files.
> > Personally I suspect that file may have been edited or damaged.
> > This is why we suggest separation, so traditional Samba
> > fileserver rules can be used to manage idmap, as that is more
> > suitable (IDMAP management in the AD DC is poor).
> > We have already determined that while there is an odd DN in the DB,
> > it isn't fatal, just exposes a less-than-ideal behaviour in
> > dbcheck.
> > Within your physical constraints, do please try to follow
> > our deployment recommendations, it will help us help you.
> > Andrew Bartlett
> >
> >
>
> So I didn't fix it. I followed your advice and instructions, but
> it still didn't give me the desired results.
> Here is what I did:
> I backed up the data using the samba-tool domain backup offline
> command. (the online version failed due to the SID error)
>
> WARNING 2022-06-01 18:38:25,505 pid:19047 /usr/lib64/python3.6/site-packages/samba/provision/__init__.py #2114: More than one IPv4 address found. Using 172.17.0.1
>
> This IP address
> is an interface for a Docker image. I probably should
> restrict that to the actual of the ethernet adapter.
>
> so I added
>
> interfaces = eth1 lo
> bind interfaces only = yes
>
> to smb.conf.
> I then methodically went through and purged all tdb and ldb
> files. Then I re-joined the DC to the Domain. During Provision,
> this error appeared.
>
> INFO 2022-06-01 19:01:50,324 pid:23908 /usr/lib64/python3.6/site-packages/samba/join.py #1544: Joined domain PUKEY-NT as a DC
>
To be clear, this is success. I don't know why you get idmap errors
but I suggest you look into the winbindd logs for further clues.
I would again suggest to make your install as boring as possible, but
if that still doesn't help you may need to seek professional advice
from a commercial support provider who can spend some time to really
dig into this, or just rebuild the domain in as boring a manner as
possible. I don't say so lightly but this thread isn't really getting
anywhere fast and is getting distracted by the various differences.
You are not the only one, but there is a lot of jumping to conclusions
here and that isn't helping. Turning up the log level and spending a lot of
time reading that output around the time when specific failures are
seen is all I can suggest.
Sorry,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
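On Andrew's point that idmap.ldb is not synchronised: each AD DC keeps its own local idmap.ldb, which is not replicated, so two DCs can map the same SID to different Unix ids and the effective owner of a file then depends on which DC resolved it. The following is an added example, not code from the thread or from Samba: it parses two constructed ldbsearch-style dumps of idmap.ldb (invented SIDs and xids, records trimmed to the attributes the check uses) and reports where the DCs disagree.

```python
import re

# Constructed sample in the shape of idmap.ldb sidMap records as dumped by
# ldbsearch (invented SIDs/xids, trimmed to the attributes the check uses).
DC1_IDMAP = """\
dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000020

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
xidNumber: 3000021
"""
DC2_IDMAP = """\
dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000020

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
xidNumber: 3000022

dn: CN=S-1-5-21-1111-2222-3333-1107
objectSid: S-1-5-21-1111-2222-3333-1107
xidNumber: 3000021
"""
ATTR = re.compile(r"^(\w+): (.*)$", re.M)

def parse_sidmaps(ldif):
    """Return {objectSid: xidNumber}; records without objectSid (CN=CONFIG) are skipped."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(ATTR.findall(record))
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare_idmaps(a, b):
    """Report where two DCs disagree: a SID mapped to different xids means the
    same owner shows a different uid/gid per DC; one xid bound to different SIDs
    means the same on-disk owner resolves to two principals."""
    sid_conflicts = {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
    by_xid_a = {x: s for s, x in a.items()}
    by_xid_b = {x: s for s, x in b.items()}
    xid_conflicts = {x: (by_xid_a[x], by_xid_b[x])
                     for x in by_xid_a.keys() & by_xid_b.keys()
                     if by_xid_a[x] != by_xid_b[x]}
    return {"sid_conflicts": sid_conflicts, "xid_conflicts": xid_conflicts,
            "only_in_a": sorted(a.keys() - b.keys()),
            "only_in_b": sorted(b.keys() - a.keys())}
```

Run against real dumps, a non-empty `sid_conflicts` or `xid_conflicts` is the sign that the DCs' idmap.ldb files have diverged and that file ownership on shares served from those DCs cannot be trusted to agree.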