[Samba] Resuming work on the Samba problem on Olympia.
Zombie Ryushu
zombie_ryushu at yahoo.com
Tue Jun 14 09:43:35 UTC 2022
I have implemented Bind DLZ, and still have the same issues I did before:
> wbinfo -S S-1-5-21-2139989288-483860436-2398042574-2000
failed to call wbcSidToUid: WBC_ERR_UNKNOWN_FAILURE
Could not convert sid S-1-5-21-2139989288-483860436-2398042574-2000 to uid
~> smbclient -k //olympia.pukey/masterz
WARNING: The option -k|--kerberos is deprecated!
session setup failed: NT_STATUS_INVALID_SID
[2022/06/14 05:01:36.667410, 0]
../../source4/auth/unix_token.c:97(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID.
Conversion was returned as type 0, full token:
[2022/06/14 05:01:36.674207, 0]
../../libcli/security/security_token.c:52(security_token_debug)
Security token SIDs (13):
SID[ 0]: S-1-5-21-2139989288-483860436-2398042574-2000
SID[ 1]: S-1-5-21-2139989288-483860436-2398042574-513
SID[ 2]: S-1-5-21-2139989288-483860436-2398042574-512
SID[ 3]: S-1-5-21-2139989288-483860436-2398042574-572
SID[ 4]: S-1-5-21-2139989288-483860436-2398042574-41238
SID[ 5]: S-1-5-21-2139989288-483860436-2398042574-41742
SID[ 6]: S-1-5-21-2139989288-483860436-2398042574-41237
SID[ 7]: S-1-1-0
SID[ 8]: S-1-5-2
SID[ 9]: S-1-5-11
SID[ 10]: S-1-5-32-545
SID[ 11]: S-1-5-32-544
SID[ 12]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
I have done many things to try and get this to work right, and it still doesn't.
[global]
netbios name = OLYMPIA
realm = PUKEY
server role = active directory domain controller
workgroup = PUKEY-NT
idmap_ldb:use rfc2307 = yes
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
min protocol = NT1
tls enabled = yes
tls keyfile = tls/olympia.pukey.key
tls certfile = tls/olympia.pukey.crt
tls cafile = tls/ca.crt
interfaces = eth1 lo
bind interfaces only = yes
# log level = 10
[netlogon]
path = /var/lib/samba/sysvol/pukey/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
guest ok = no
I have completely demoted and promoted this DC and it makes no difference. (Demotion and promotion now work properly, as do Dynamic DNS and DHCP. Everything has been fixed.) But as a DC, this node still:
Cannot join new machines to the Domain.
Cannot map Samba shares.
Cannot translate Winbind to UID.
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/usr/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-06-10 20:53:29 EDT; 3 days ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 25065 (samba)
Status: "samba: ready to serve connections..."
Tasks: 49 (limit: 4915)
CGroup: /system.slice/samba-ad-dc.service
├─25065 /usr/sbin/samba --foreground --no-process-group
├─25066 /usr/sbin/samba --foreground --no-process-group
├─25067 /usr/sbin/samba --foreground --no-process-group
├─25068 /usr/sbin/samba --foreground --no-process-group
├─25069 /usr/sbin/samba --foreground --no-process-group
├─25070 /usr/sbin/samba --foreground --no-process-group
├─25071 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─25072 /usr/sbin/samba --foreground --no-process-group
├─25073 /usr/sbin/samba --foreground --no-process-group
├─25074 /usr/sbin/samba --foreground --no-process-group
├─25075 /usr/sbin/samba --foreground --no-process-group
├─25076 /usr/sbin/samba --foreground --no-process-group
├─25077 /usr/sbin/samba --foreground --no-process-group
├─25078 /usr/sbin/samba --foreground --no-process-group
├─25079 /usr/sbin/samba --foreground --no-process-group
├─25080 /usr/sbin/samba --foreground --no-process-group
├─25081 /usr/sbin/samba --foreground --no-process-group
├─25082 /usr/sbin/samba --foreground --no-process-group
├─25083 /usr/sbin/samba --foreground --no-process-group
├─25084 /usr/sbin/samba --foreground --no-process-group
├─25085 /usr/sbin/samba --foreground --no-process-group
├─25086 /usr/sbin/samba --foreground --no-process-group
├─25087 /usr/sbin/samba --foreground --no-process-group
├─25088 /usr/sbin/samba --foreground --no-process-group
├─25089 /usr/sbin/samba --foreground --no-process-group
├─25090 /usr/sbin/samba --foreground --no-process-group
├─25091 /usr/lib/mit/sbin/krb5kdc -n
├─25092 /usr/sbin/samba --foreground --no-process-group
├─25093 /usr/sbin/samba --foreground --no-process-group
├─25094 /usr/sbin/samba --foreground --no-process-group
├─25095 /usr/sbin/samba --foreground --no-process-group
├─25096 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─25097 /usr/sbin/samba --foreground --no-process-group
├─25099 /usr/sbin/samba --foreground --no-process-group
├─25100 /usr/sbin/samba --foreground --no-process-group
├─25101 /usr/sbin/samba --foreground --no-process-group
As you can see, Winbind is running.
Bind DLZ is working.
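As an added illustration, not part of the post above and not Samba's own code: the security_token_debug dump quoted in the message can be parsed to show exactly which SID the DC failed to map, which domain it belongs to, and what the rest of the token grants. The script below is an editor's example in Python. It assumes a constructed excerpt of that dump as its input (SAMPLE_LOG, some SIDs omitted), uses the standard Windows names for the well-known SIDs and RIDs that appear in the token, and takes the meaning of "type 0" from Samba's enum id_type, where 0 is ID_TYPE_NOT_SPECIFIED. It does not query a directory; the point is to turn the log into a checklist (account RID, domain, memberships) before looking at whether that account carries the uidNumber attribute that idmap_ldb:use rfc2307 = yes tells the DC to honour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the security_token_debug() dump quoted in the message
# above (SIDs 3-6, 8, 10 and 12 omitted); a full dump parses the same way.
SAMPLE_LOG = """\
Unable to convert first SID
(S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID.
Conversion was returned as type 0, full token:
Security token SIDs (13):
SID[  0]: S-1-5-21-2139989288-483860436-2398042574-2000
SID[  1]: S-1-5-21-2139989288-483860436-2398042574-513
SID[  2]: S-1-5-21-2139989288-483860436-2398042574-512
SID[  7]: S-1-1-0
SID[  9]: S-1-5-11
SID[ 11]: S-1-5-32-544
"""

# Values of Samba's enum id_type (librpc/idl/idmap.idl); "type 0" in the log
# means no unix id type was determined for the SID.
ID_TYPE_NAMES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID",
                 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

# Standard Windows well-known SIDs and domain RIDs that occur in the token.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   572: "Denied RODC Password Replication Group"}


@dataclass
class Sid:
    text: str
    authority: int
    subauths: List[int]

    @property
    def is_domain_sid(self) -> bool:
        """S-1-5-21-<a>-<b>-<c>-<RID>: NT authority, identifier 21, three sub-ids, RID."""
        return self.authority == 5 and len(self.subauths) == 5 and self.subauths[0] == 21

    @property
    def domain(self) -> Optional[str]:
        if not self.is_domain_sid:
            return None
        return "S-1-5-" + "-".join(str(p) for p in self.subauths[:4])

    @property
    def rid(self) -> Optional[int]:
        return self.subauths[-1] if self.is_domain_sid else None


def parse_sid(text: str) -> Sid:
    """Parse an S-1-<authority>-<subauth>... string into its numeric parts."""
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", text.strip())
    if m is None:
        raise ValueError(f"not a SID string: {text!r}")
    return Sid(text.strip(), int(m.group(1)),
               [int(p) for p in m.group(2).split("-")[1:]])


def describe(sid: Sid) -> str:
    """Name well-known SIDs and RIDs; anything else is reported by its RID."""
    if sid.text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid.text]
    if sid.is_domain_sid:
        return WELL_KNOWN_RIDS.get(sid.rid, f"domain object with RID {sid.rid}")
    return "unrecognised SID"


def parse_token_dump(log: str) -> Dict[str, object]:
    """Pull the conversion result and the SID list out of a unix_token.c failure dump."""
    type_m = re.search(r"Conversion was returned as type (\d+)", log)
    id_type = int(type_m.group(1)) if type_m else None
    sids = [parse_sid(m.group(1))
            for m in re.finditer(r"SID\[\s*\d+\]:\s*(S-[\d-]+)", log)]
    return {"id_type": id_type,
            "id_type_name": ID_TYPE_NAMES.get(id_type, "unknown"),
            "sids": sids}


def triage(log: str) -> Dict[str, object]:
    """Summarise which SID failed, in which domain, and what the rest of the token grants."""
    info = parse_token_dump(log)
    sids: List[Sid] = info["sids"]  # type: ignore[assignment]
    if not sids:
        return {"ok": False, "reason": "no SIDs found in dump"}
    user = sids[0]  # the first SID in a user token is the account's own SID
    return {
        "ok": True,
        "conversion": info["id_type_name"],
        "user_sid": user.text,
        "domain": user.domain,
        "user_rid": user.rid,
        "domains_seen": sorted({s.domain for s in sids if s.is_domain_sid}),
        "memberships": [f"{s.text}: {describe(s)}" for s in sids[1:]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full dump (for example by reading the log file instead of SAMPLE_LOG) to list every membership; the domains_seen field makes a token that mixes SIDs from more than one domain obvious at a glance, which is the first thing to rule out before looking at the account's RFC2307 attributes.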