[Samba] Upgrade from 4.7 and Idmap check

Edson Tadeu Almeida da Silveira edson.tadeu at gmail.com
Thu Feb 6 12:04:21 UTC 2025


> > 2 - In the log.smbd:
> >
> >   [2025/02/06 06:55:04.483261, 1, traceid=3]
> >
> > 3 - When I issue the command 'samba-tool ntacl sysvolcheck', I receive:
> >
> >   ERROR(<class 'OSError'>): Could not access
> > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> > [Errno 61] No data avaiable:
> > '/usr/local/samba/var/locks/sysvol/mydom.local'

> Are you running the command as root?

Yes, I ran as root.


> > However, this directory does exist on the system:
> >
> >   /usr/local/samba/var/locks/sysvol:
> >   drwxrwx---+  3 3000008 MYDOM\domain admins    4096 Mar  9  2017
> > sysvol

> Who is '3000008'? It should be 'root' as below.

uid=3000008(MYDOM\domain admins) gid=3000008(MYDOM\domain admins)
groups=3000008(MYDOM\domain admins)


> > 4 - When I issue the command 'samba-tool ntacl sysvolreset', I receive:
> >
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'

> But that doesn't, I have never seen that error when running
> sysvolreset, perhaps you should post your entire DCs smb.conf file.

> > # wbinfo --name-to-sid=12345678
> >  S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)

> Are you really using a number as a username ?

Yes #-) It's a corporate requirement.


> > # wbinfo -a user%MYPASS
> >  plaintext password authentication succeeded
> >  challenge/response password authentication succeeded

> What OS is this ?

It's an Ubuntu Server 24.04.1.


This is my smb.conf:

[global]
        interfaces = lo eth0
        workgroup = MYDOM
        realm = MYDOM.LOCAL
        netbios name = HOSTNAME
        server role = active directory domain controller
        server services = -dns

        ldap server require strong auth = no

        ntlm auth = mschapv2-and-ntlmv2-only

        tls enabled  = yes
        tls keyfile  = tls/hostname.key.pem
        tls certfile = tls/hostname.cert.pem
        tls cafile   =

        allow dns updates = nonsecure

        eventlog list = Application System Security SyslogLinux

        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd

        winbind enum users = yes
        winbind enum groups = yes
        winbind max clients = 4000

        veto files = /*.inf/*.pif/*.lnk/*.{*}/

        log level = 1 auth_audit:3 auth_json_audit:3

        vfs objects = acl_xattr dfs_samba4

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No




On Thu, 6 Feb 2025 at 08:30, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 6 Feb 2025 07:32:48 -0300
> Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
>
> > Good morning everybody.
> >
> > I searched the list here but I haven't found anything close to my
> > problem yet.
> >
> > I'm using 2 DCs Samba 4.7 and now planning to upgrade to 4.21.
>
> So, not in a rush then, seeing as 4.7.x went EOL from the Samba point
> of view nearly 6 years ago.
>
> >
> > At some point I used the winbind configuration in smb.conf but, if I
> > understand correctly, it seems that in newer versions this
> > configuration is not necessary on a DC, so I removed it in this upgrade
> > process:
>
> You should never have had any 'idmap config' lines in a Samba AD DCs
> smb.conf
>
> >
> >   idmap_ldb:use rfc2307=yes
> >   idmap config *:backend = tdb
> >   idmap config *:range = 70001-80000
> >   idmap config MYDOM:backend = ad
> >   idmap config MYDOM:schema_mode = rfc2307
> >   idmap config MYDOM:range = 3000000-4000000
> >   winbind nss info = rfc2307
> >   winbind trusted domains only = no
> >   winbind use default domain = yes
> >   winbind enum users = yes
> >   winbind enum groups = yes
> >   winbind max clients = 4000
> >
> > Then I simulated an in-place upgrade of Samba from 4.7 to 4.21.
> > Apparently everything went well in the test environment until now,
> > but I noticed some details that I would like to know if this could be
> > a problem and, if so, how I could solve it.
> >
> > 1 -  In the log.winbindd:
> >
> >  [2025/02/06 06:55:04.483261, 1, traceid=3]
> > ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
> >     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> >   [2025/02/06 06:57:17.530873, 1, traceid=7]
> > ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroup_recv_
> >     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> >   [2025/02/06 06:58:47.110201, 1, traceid=13]
> > ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv_
> >     Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> I wouldn't worry about that, it is just stating a fact rather than an
> error.
>
> >
> > 2 - In the log.smbd:
> >
> >   [2025/02/06 06:55:04.483261, 1, traceid=3]
> >
> > 3 - When I issue the command 'samba-tool ntacl sysvolcheck', I receive:
> >
> >   ERROR(<class 'OSError'>): Could not access
> > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable -
> > [Errno 61] No data avaiable:
> > '/usr/local/samba/var/locks/sysvol/mydom.local'
>
> Are you running the command as root?
>
> >
> > However, this directory does exist on the system:
> >
> >   /usr/local/samba/var/locks/sysvol:
> >   drwxrwx---+  3 3000008 MYDOM\domain admins    4096 Mar  9  2017
> > sysvol
>
> Who is '3000008'? It should be 'root' as below.
>
> >
> >   /usr/local/samba/var/locks/sysvol/mydom.local:
> >   drwxrwx---+ 4 root    BUILTIN\administrators 4096 Nov 21  2017
> > mydom.local.local
>
> That looks correct, ownership- and permissions-wise.
>
> >
> > 4 - When I issue the command 'samba-tool ntacl sysvolreset', I receive:
> >
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
> >   idmap range not specified for domain '*'
>
> But that doesn't, I have never seen that error when running
> sysvolreset, perhaps you should post your entire DCs smb.conf file.
>
> >
> >
> > I did some tests:
> >
> > # wbinfo -i user
> >  MYDOM\user:*:3020070:100::/home/MYDOM/user:/bin/false
> >
> > # wbinfo --name-to-sid=12345678
> >  S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
>
> Are you really using a number as a username?
>
> >
> > # wbinfo --uid-to-sid=3020070
> >  S-1-5-21-1058002876-845724780-2777320708-32541
> >
> > # wbinfo -a user%MYPASS
> >  plaintext password authentication succeeded
> >  challenge/response password authentication succeeded
>
> What OS is this?
>
> Rowland
>


-- 

-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
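An added example (not code from the thread or from the Samba project): two pre-upgrade checks that follow the advice given above, that a DC's smb.conf must carry no 'idmap config' lines and that the sysvol tree must be owned by root. The smb.conf is constructed here to mirror the poster's old configuration; the sysvol path is an assumption taken from the post.

```shell
# Added example, not from the thread. Checks a DC smb.conf for 'idmap config' lines
# (which do not belong on an AD DC) and a sysvol directory for root ownership.
# The smb.conf below is constructed; the sysvol path is an assumption from the post.

# Count 'idmap config' lines in an smb.conf (prints 0 when there are none).
count_idmap_lines() {
    grep -c '^[[:space:]]*idmap config' "$1" || true
}

# Return 0 when the file is acceptable for a DC, 1 when it still carries idmap config lines.
check_dc_idmap() {
    role=$(sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    if [ "$role" != "active directory domain controller" ]; then
        echo "skip: $1 is not a DC smb.conf (server role = '$role')"
        return 0
    fi
    n=$(count_idmap_lines "$1")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n 'idmap config' line(s) in $1; a DC maps IDs through idmap.ldb"
        grep -n '^[[:space:]]*idmap config' "$1"
        return 1
    fi
    echo "OK: $1 carries no idmap config lines"
}

# Return 0 when the directory is owned by root, 1 otherwise ('ls -ld' is portable, 'stat -c' is not).
check_sysvol_owner() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')   # owner field; an unmapped uid shows as a number
    if [ "$owner" = root ]; then
        echo "OK: $1 is owned by root"
        return 0
    fi
    echo "FAIL: $1 is owned by '$owner', expected root; fix with 'samba-tool ntacl sysvolreset' as root"
    return 1
}

# Constructed smb.conf carrying the idmap lines the poster removed, so the check fires.
OLD_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
[global]
        server role = active directory domain controller
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config MYDOM:backend = ad
        idmap config MYDOM:range = 3000000-4000000
EOF
NEW_CONF=$(mktemp)
sed '/idmap config/d' "$OLD_CONF" > "$NEW_CONF"   # the cleaned copy
check_dc_idmap "$OLD_CONF" || :   # lists the four offending lines
check_dc_idmap "$NEW_CONF"        # passes
```

On the DC itself, run `check_dc_idmap /usr/local/samba/etc/smb.conf` and `check_sysvol_owner /usr/local/samba/var/locks/sysvol` (paths assumed from the post).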