[Samba] Upgrade from 4.7 and Idmap check

Rowland Penny rpenny at samba.org
Thu Feb 6 11:29:47 UTC 2025


On Thu, 6 Feb 2025 07:32:48 -0300
Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:

> Good morning everybody.
> 
> I searched the list here but I haven't found anything close to my
> problem yet.
> 
> I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.

So, not in a rush then, seeing as 4.7.x went EOL from the Samba point
of view nearly 6 years ago.

> 
> At some point I used the winbind configuration in smb.conf but, if I
> understand correctly, it seems that in newer versions, this
> configuration is not necessary in DC, so, I removed in this upgrade
> process:

You should never have had any 'idmap config' lines in a Samba AD DC's
smb.conf.

> 
>   idmap_ldb:use rfc2307=yes
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config MYDOM:backend = ad
>   idmap config MYDOM:schema_mode = rfc2307
>   idmap config MYDOM:range = 3000000-4000000
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind max clients = 4000
> 
> Then I simulated an inplace upgrade of samba from 4.7 to 4.21.
> Apparently everything went well in the test environment until now,
> but I noticed some details that I would like to know if this could be
> a problem and, if so, how I could solve it.
> 
> 1 -  In the log.winbindd:
> 
>  [2025/02/06 06:55:04.483261, 1, traceid=3]
> ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
>     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>   [2025/02/06 06:57:17.530873, 1, traceid=7]
> ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
>     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>   [2025/02/06 06:58:47.110201, 1, traceid=13]
> ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
>     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

I wouldn't worry about that, it is just stating a fact rather than an
error.

> 
> 2 - In the log.smbd:
> 
>   [2025/02/06 06:55:04.483261, 1, traceid=3]
> 
> 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I receive:
> 
>   ERROR(<class 'OSError'>): Could not access
> /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> [Errno 61] No data avaiable:
> '/usr/local/samba/var/locks/sysvol/mydom.local'

Are you running the command as root?

> 
> However, this directory does exist on the system:
> 
>   /usr/local/samba/var/locks/sysvol:
>   drwxrwx---+  3 3000008 MYDOM\domain admins    4096 Mar  9  2017
> sysvol

Who is '3000008'? It should be 'root' as below.

> 
>   /usr/local/samba/var/locks/sysvol/mydom.local:
>   drwxrwx---+ 4 root    BUILTIN\administrators 4096 Nov 21  2017
> mydom.local.local

That looks correct ownership and permissions wise.

> 
> 4 - When I issue the command: 'samba-tool ntacl sysvolreset' I receive:
> 
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'
>   idmap range not specified for domain '*'

But that doesn't. I have never seen that error when running
sysvolreset; perhaps you should post your entire DC's smb.conf file.

> 
> 
> I did some tests:
> 
> # wbinfo -i user
>  MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false
> 
> # wbinfo --name-to-sid=1833600
>  S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)

Are you really using a number as a username?

> 
> # wbinfo --uid-to-sid=3020070
>  S-1-5-21-1058002876-845724780-2777320708-32541
> 
> # wbinfo -a user%MYPASS
>  plaintext password authentication succeeded
>  challenge/response password authentication succeeded

What OS is this ?

Rowland
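
The 'idmap config' point in the reply above, as an added example that is not part of the original message and not Samba's own code: a Python check that lists every `idmap config` line in the [global] section of an smb.conf and reports whether the file declares the AD DC server role. The sample text is constructed from settings quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a [global] header, a server role line and a [sysvol]
# share were added around settings quoted in the thread above.
SAMPLE = """\
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    # idmap config OLD : range = 1-2
    idmap config *:backend = tdb
    Idmap  Config MYDOM : range = \\
        3000000-4000000
    winbind nss info = rfc2307
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
"""

def parse_global(text):
    """Yield (first_line_no, normalised_name, value) for [global] parameters."""
    section, pending, start = "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' is significant
            # names are case-insensitive and whitespace inside them is ignored
            yield start, re.sub(r"\s+", "", name).lower(), value.strip()

def audit(text):
    """Return (is_ad_dc, [(line_no, domain, option, value), ...])."""
    is_dc, hits = False, []
    for no, name, value in parse_global(text):
        if name == "serverrole":
            is_dc = value.lower() == "active directory domain controller"
        elif name.startswith("idmapconfig") and ":" in name:
            domain, option = name[len("idmapconfig"):].split(":", 1)
            hits.append((no, domain.upper(), option, value))
    return is_dc, hits
```

Calling `audit()` on the text of a DC's smb.conf returns the role flag and the line numbers to review; the commented-out entry and the `idmap_ldb:` parametric option in the sample are not reported.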


