[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server
Rowland Penny
rpenny at samba.org
Thu Oct 27 11:14:47 UTC 2022
Moved from samba-technical:
On 27/10/2022 11:44, Harald Hannelius wrote:
>
> On Thu, 27 Oct 2022, Rowland Penny via samba-technical wrote:
>> On 27/10/2022 10:57, Harald Hannelius via samba-technical wrote:
>>>
>>> I upgraded my AD DS servers from Debian 10 to Debian 11 bullseye
>>> which also upgraded Samba from 4.9.5 to 4.13.13.
>>>
>>> Now I notice that I am unable to resolve usernames on the member
>>> servers. I have only numbers in the processlist for example. 'getent
>>> passwd "DOMAIN\harald"' doesn't return anything.
>>>
>>> Did I miss something in the upgrade process?
>>
>> No idea, you haven't given us enough to work with.
>>
>> How did you upgrade your DC's ?
>
> apt-get upgrade && apt-get dist-upgrade
Now that is generally okay for the base OS, but I wouldn't have done
that. I would have created a new computer (in a VM or on bare metal)
using Bullseye and then installed Samba from backports, joined this as a
new DC, then once I was sure everything was okay, I would demote the old
DC. There is just too big a jump between 4.9.5 and 4.13.x.
>
>> Did you upgrade them in place or did you create new DC's and demote
>> the old ones ?
>
> In place.
See above.
>
>> What idmap backend are you using on the Unix domain members ?
>
> idmap config domain:unix_primary_group = yes
> idmap config domain:unix_nss_info = yes
> idmap config domain:range = 500-4000000
Was this domain upgraded from an old NT4-style domain ?
> idmap config domain:schema_mode = rfc2307
> idmap config domain:backend = ad
> idmap config * : range = 5000000-9000000
The default '*' domain is meant for the well-known SIDs (of which there
are fewer than 200) and anything outside the 'DOMAIN' domain, do you
really expect nearly 4 million connections from outside the domain ?
> idmap config * : backend = tdb
>
>>> Now when I restarted the smbd, winbind and nmbd I am unable to
>>> connect to the member server.
>>
>> Sounds like a possible dns issue.
>
> I have to check that next time I try doing this upgrade. Thanks.
>
>> This isn't really the place to be discussing this, you should have
>> posted to the samba mailing list.
>
> Oh, sorry. I'll repost there.
>
> Thank You for Your time, appreciated.
Please post the contents of these files:
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/samba.conf
from a DC and a Unix domain member
Rowland
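
An added example, not part of the original message: a small Python check over the idmap lines quoted above that reports missing settings, overlapping ranges and the size of the default '*' range that Rowland questions. The function names and the 100,000-ID threshold are assumptions made for this illustration; Samba itself enforces no such limit.

```python
import re
from itertools import combinations

# idmap lines as quoted in the thread ("domain" is the poster's placeholder).
SAMPLE = """
idmap config domain:unix_primary_group = yes
idmap config domain:unix_nss_info = yes
idmap config domain:range = 500-4000000
idmap config domain:schema_mode = rfc2307
idmap config domain:backend = ad
idmap config * : range = 5000000-9000000
idmap config * : backend = tdb
"""
# Assumed ceiling for the '*' range: an illustrative value, not a Samba limit.
DEFAULT_RANGE_MAX_IDS = 100_000
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(n) for n in value.split("-"))
            value = (low, high)
        conf.setdefault(domain, {})[key] = value
    return conf

def lint(conf):
    """Return findings: missing settings, overlapping ranges, oversized '*'."""
    findings = []
    for domain, opts in conf.items():
        for needed in ("backend", "range"):
            if needed not in opts:
                findings.append(f"{domain}: no '{needed}' set")
    ranged = [(d, o["range"]) for d, o in conf.items() if "range" in o]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
            findings.append(f"{d1} and {d2}: ranges overlap")
    low, high = conf.get("*", {}).get("range", (0, -1))
    if high - low + 1 > DEFAULT_RANGE_MAX_IDS:
        findings.append(f"*: default range holds {high - low + 1} IDs")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_idmap(SAMPLE))) or "no findings")
```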