[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
Dustin L. Howett
dustin at howett.net
Wed Apr 23 18:00:46 UTC 2025
On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba wrote:
> On Tue, 22 Apr 2025 21:09:26 -0500
> Dustin Howett via samba <samba at lists.samba.org> wrote:
>
> > - On Server 2025, it returns a failure instead:
> > NT_STATUS_NO_SUCH_DOMAIN
> >
>
> It seems that your DC cannot be found, so for a start, can you post the
> /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
>
Thanks Rowland (and sorry for the stray Fwd in the subject.)
Just to note before I get into my config files: wbinfo (et al) report
that the DC is reachable in both cases. Other domain operations such as
user enumeration also work.
On both members (2022 lab and 2025 lab):
(Note that due to the identical lab setup, the DC hostname is the same.
**These machines are in isolated networks and cannot see each other**.)
-- 8< snip --
root@dom-test-member:~# wbinfo --ping-dc
checking the NETLOGON for domain[DOMTEST] dc connection to "WIN-NAFS39H19IE.domtest.howett.net" succeeded
root@dom-test-member:~# wbinfo -u
DOMTEST\administrator
DOMTEST\guest
DOMTEST\krbtgt
DOMTEST\dustin
root@dom-test-member:~#
---
root@dom2-test-member:~# wbinfo --ping-dc
checking the NETLOGON for domain[DOMTEST] dc connection to "WIN-NAFS39H19IE.domtest.howett.net" succeeded
root@dom2-test-member:~# wbinfo -u
DOMTEST\administrator
DOMTEST\guest
DOMTEST\krbtgt
DOMTEST\dustin
root@dom2-test-member:~#
-- 8< snip --
Here are the config files you've asked for.
krb5.conf and smb.conf are almost identical (I will call out the change
between the two with a diff below). resolv.conf only differs because of
the lab subnet.
--- resolv.conf (member of working 2022 domain) ---
domain domtest.howett.net.
nameserver 192.168.1.2
--- resolv.conf (member of failing 2025 domain) ---
domain domtest.howett.net.
nameserver 192.168.2.2
--- krb5.conf (both, identical) ---
[libdefaults]
default_realm = DOMTEST.HOWETT.NET
dns_lookup_realm = false
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
fcc-mit-ticketflags = true
--- smb.conf ---
[global]
log file = /var/log/samba/log.%m
logging = file
log level = 10
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
realm = DOMTEST.HOWETT.NET
server role = member server
unix password sync = Yes
usershare allow guests = Yes
workgroup = DOMTEST
idmap config * : backend = tdb
idmap config * : range = 1000-9999
idmap config domtest:backend = ad
idmap config domtest:schema_mode = rfc2307
idmap config domtest:range = 500-599
idmap config domtest:unix_nss_info = yes
[homes]
browseable = No
comment = Home Directories
create mask = 0700
directory mask = 0700
valid users = %S
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/tmp
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
--- smb.conf diff from 2022 member to 2025 member ---
--- smb.conf.2022 2025-04-23 12:53:13.842606909 -0500
+++ smb.conf.2025 2025-04-23 12:53:32.766556304 -0500
@@ -5,6 +5,7 @@
log level = 10
map to guest = Bad User
max log size = 1000
+ netbios name = DOM2MEM
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
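Review bot: the added `netbios name = DOM2MEM` line has no comment explaining why this member needs an explicit NetBIOS name when the 2022 member does not. The prompts earlier in the message show the host as dom2-test-member, which is 16 characters and over the 15-character NetBIOS name limit, so that is presumably the reason (an assumption, the message does not say). A one-line comment above the setting would record it, and since this is the only configuration difference between the working and failing members, it is worth stating explicitly that DOM2MEM is the name the machine joined the domain with.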
Thanks,
d