[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server

Rowland Penny rpenny at samba.org
Thu Oct 27 11:14:47 UTC 2022

Moved from samba-technical:

On 27/10/2022 11:44, Harald Hannelius wrote:
> On Thu, 27 Oct 2022, Rowland Penny via samba-technical wrote:
>> On 27/10/2022 10:57, Harald Hannelius via samba-technical wrote:
>>> I upgraded my AD DS servers from Debian 10 to Debian 11 bullseye 
>>> which also upgraded Samba from 4.9.5 to 4.13.13.
>>> Now I notice that I am unable to resolve usernames on the member 
>>> servers. I have only numbers in the processlist for example. 'getent 
>>> passwd "DOMAIN\harald"' doesn't return anything.
>>> Did I miss something in the upgrade process?
>> No idea, you haven't given us enough to work with.
>> How did you upgrade your DC's ?
> apt-get upgrade && apt-get dist-upgrade

Now that is generally okay for the base OS, but I wouldn't have done 
that. I would have created a new computer (in a VM or on bare metal) 
using Bullseye and installed Samba from backports, joined this as a 
new DC, then once I was sure everything was okay, I would have demoted 
the old DC. There is just too big a jump between 4.9.5 and 4.13.x.

>> Did you upgrade them in place or did you create new DC's and demote 
>> the old ones ?
> In place.

See above.

>> What idmap backend are you using on the Unix domain members ?
>      idmap config domain:unix_primary_group = yes
>      idmap config domain:unix_nss_info = yes
>      idmap config domain:range = 500-4000000

Was this domain upgraded from an old NT4-style domain ?

>      idmap config domain:schema_mode = rfc2307
>      idmap config domain:backend = ad
>      idmap config * : range = 5000000-9000000

The default '*' domain is meant for the well-known SIDs (of which there 
are less than 200) and anything outside the 'DOMAIN' domain; do you 
really expect nearly 4 million connections from outside the domain ?

>      idmap config * : backend = tdb
>>> Now when I restarted the smbd, winbind and nmbd I am unable to 
>>> connect to the member server.
>> Sounds like a possible dns issue.
> I have to check that next time I try doing this upgrade. Thanks.
>> This isn't really the place to be discussing this, you should have 
>> posted to the samba mailing list.
> Oh, sorry. I'll repost there.
> Thank you for your time, appreciated.

Please post the contents of these files:

from a DC and a Unix domain member

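As an added illustration of the idmap range point made above (example code written for this page, not Samba's own tooling and not something from the thread), the script below parses the `idmap config <domain> : range` lines of an smb.conf [global] section and flags the two things a member-server admin would want to catch before restarting winbind: a range that overlaps another domain's range, and a '*' range far larger than the well-known SIDs and out-of-domain entries could ever need. The sample config is constructed from the lines quoted in the thread; the second, corrected config, the 1000 lower bound for local Unix accounts and the 100,000 cap on the '*' range are my assumptions, not Samba recommendations.

```python
"""Sanity-check idmap ranges in a Samba smb.conf [global] section.

Added example, not part of Samba. Parses lines of the form
'idmap config <domain> : range = LOW-HIGH' and reports:
  * ranges whose low end is above the high end,
  * a range starting inside the IDs normally used by local Unix
    accounts (below LOCAL_MIN, an assumed threshold),
  * ranges for different domains that overlap (an ID would then map
    to two different SIDs),
  * a '*' range much larger than the well-known SIDs need.
"""
import re
from typing import Dict, List, Tuple

# Matches e.g. "idmap config DOMAIN:range = 500-4000000" and
# "idmap config * : range = 5000000-9000000" (whitespace around ':' optional).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

LOCAL_MIN = 1000      # assumed: UIDs/GIDs below this belong to local accounts
STAR_MAX = 100_000    # assumed: generous cap for the '*' (well-known SID) range


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every idmap range line found."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            dom = m.group("dom").strip().upper()
            ranges[dom] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_idmap_ranges(ranges: Dict[str, Tuple[int, int]],
                       star_max: int = STAR_MAX,
                       local_min: int = LOCAL_MIN) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings: List[str] = []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        alo, ahi = ranges[a]
        if alo > ahi:
            findings.append(f"{a}: range low ({alo}) is above high ({ahi})")
        if alo < local_min:
            findings.append(f"{a}: range starts at {alo}, below {local_min}, "
                            "colliding with local Unix accounts")
        for b in doms[i + 1:]:
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:      # closed intervals intersect
                findings.append(f"{a} and {b}: ranges overlap")
    if "*" in ranges:
        lo, hi = ranges["*"]
        size = hi - lo + 1
        if size > star_max:
            findings.append(f"*: range holds {size} IDs, far more than the "
                            "well-known SIDs need")
    return findings


# Constructed from the idmap lines quoted in the thread.
POSTED_CONF = """\
   idmap config domain:unix_primary_group = yes
   idmap config domain:unix_nss_info = yes
   idmap config domain:range = 500-4000000
   idmap config domain:schema_mode = rfc2307
   idmap config domain:backend = ad
   idmap config * : range = 5000000-9000000
   idmap config * : backend = tdb
"""

# Assumed corrected version: small '*' range, domain range clear of local IDs.
FIXED_CONF = """\
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config domain:backend = ad
   idmap config domain:schema_mode = rfc2307
   idmap config domain:range = 10000-999999
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for f in check_idmap_ranges(parse_idmap_ranges(conf)) or ["no findings"]:
            print("  " + f)
```

Run it against the [global] section of a member server's smb.conf before restarting winbind; an empty findings list means the ranges are at least self-consistent, which does not by itself prove the DC-side RFC2307 attributes resolve.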