[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
Rowland Penny
rpenny at samba.org
Thu Apr 24 07:25:04 UTC 2025
On Wed, 23 Apr 2025 13:00:46 -0500
"Dustin L. Howett via samba" <samba at lists.samba.org> wrote:
> On Wed, Apr 23, 2025 at 07:49:12AM +0000, Rowland Penny via samba
> wrote:
> > On Tue, 22 Apr 2025 21:09:26 -0500
> > Dustin Howett via samba <samba at lists.samba.org> wrote:
> >
> > > - On Server 2025, it returns a failure instead:
> > > NT_STATUS_NO_SUCH_DOMAIN
> > >
> >
> > It seems that your DC cannot be found, so for a start, can you post
> > the /etc/resolv.conf, /etc/krb5.conf and smb.conf from the client.
> >
>
> Thanks Rowland (and sorry for the stray Fwd in the subject.)
>
> Just to note before I get into my config files: wbinfo (et al) report
> that the DC is reachable in both cases. Other domain operations such
> as user enumeration also work.
>
> On both members (2022 lab and 2025 lab):
>
> (Note that due to the identical lab setup, the DC hostname is the
> same. **These machines are in isolated networks and cannot see
> each other**.)
>
> -- 8< snip --
>
> root at dom-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom-test-member:~# wbinfo -u DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom-test-member:~#
>
> ---
>
> root at dom2-test-member:~# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMTEST] dc connection to
> "WIN-NAFS39H19IE.domtest.howett.net" succeeded
> root at dom2-test-member:~# wbinfo -u DOMTEST\administrator
> DOMTEST\guest
> DOMTEST\krbtgt
> DOMTEST\dustin
> root at dom2-test-member:~#
>
> -- 8< snip --
>
> Here are the config files you've asked for.
> krb5.conf and smb.conf are almost identical (I will call out the
> change between the two with a diff below.). resolv.conf only differs
> because of the lab subnet.
>
> --- resolv.conf (member of working 2022 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.1.2
>
> --- resolv.conf (member of failing 2025 domain) ---
> domain domtest.howett.net.
> nameserver 192.168.2.2
>
> --- krb5.conf (both, identical) ---
> [libdefaults]
> default_realm = DOMTEST.HOWETT.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> rdns = false
> fcc-mit-ticketflags = true
>
Try this one instead:
[libdefaults]
default_realm = DOMTEST.HOWETT.NET
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
DOMTEST.HOWETT.NET = {
default_domain = domtest.howett.net
}
[domain_realm]
YOUR_COMPUTERS_SHORT_HOSTNAME_IN_UPPERCASE = DOMTEST.HOWETT.NET
Making the obvious change.
> --- smb.conf ---
>
> [global]
> log file = /var/log/samba/log.%m
> logging = file
> log level = 10
> map to guest = Bad User
Why do you have that set? You do not seem to have 'guest ok' or
'public' in any shares.
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> realm = DOMTEST.HOWETT.NET
> server role = member server
> unix password sync = Yes
Why 'unix password sync'? You shouldn't have any users both in
/etc/passwd and AD.
> usershare allow guests = Yes
> workgroup = DOMTEST
> idmap config * : backend = tdb
> idmap config * : range = 1000-9999
> idmap config domtest:backend = ad
> idmap config domtest:schema_mode = rfc2307
> idmap config domtest:range = 500-599
> idmap config domtest:unix_nss_info = yes
Why such low numbers? Was this domain classic upgraded from an
NT4-style domain?
Rowland
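As an added check, not part of this thread or of Samba's own tooling, the script below parses the idmap lines from the posted smb.conf and flags what the reply questions: domain ranges that overlap each other or the '*' range, and a range that starts below the local system-account boundary (assumed here to be 1000, the Debian default). It also shows the consequence of 'backend = ad': winbind only maps an AD account whose uidNumber/gidNumber falls inside that domain's configured range, so an RFC2307 ID outside 500-599 would be refused.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: the idmap lines exactly as posted in the thread.
SMB_CONF = """
[global]
   workgroup = DOMTEST
   idmap config * : backend = tdb
   idmap config * : range = 1000-9999
   idmap config domtest:backend = ad
   idmap config domtest:schema_mode = rfc2307
   idmap config domtest:range = 500-599
"""

# Matches 'idmap config <domain> : range = LOW-HIGH' with or without spaces around ':'.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)


def parse_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line; '*' is the default backend."""
    return {m.group(1).strip().lower(): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RANGE_RE.finditer(conf)}


def check_ranges(ranges: Dict[str, Tuple[int, int]], min_id: int = 1000) -> List[str]:
    """List problems: inverted ranges, ranges below min_id (local system-account space), overlaps."""
    problems = []
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{dom}: range {lo}-{hi} is inverted")
        if lo < min_id:
            problems.append(f"{dom}: range starts at {lo}, below {min_id} "
                            "(may collide with local system accounts)")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:   # closed intervals intersect
                problems.append(f"{a} and {b} ranges overlap")
    return problems


def id_in_domain_range(ranges: Dict[str, Tuple[int, int]], domain: str, unix_id: int) -> bool:
    """With backend = ad, an account maps only if its AD uidNumber/gidNumber is inside this range."""
    lo, hi = ranges[domain.lower()]
    return lo <= unix_id <= hi


if __name__ == "__main__":
    ranges = parse_ranges(SMB_CONF)
    for p in check_ranges(ranges):
        print("WARNING:", p)
    print("uidNumber 550 mappable:", id_in_domain_range(ranges, "DOMTEST", 550))
```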