[Samba] Upgrade from 4.7 and Idmap check
Rowland Penny
rpenny at samba.org
Thu Feb 6 12:23:43 UTC 2025
On Thu, 6 Feb 2025 09:04:21 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
> > > 2- In the log.smbd:
> > >
> > > [2025/02/06 06:55:04.483261, 1, traceid=3]
> > >
> > > 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I
> > > receive:
> > >
> > > ERROR(<class 'OSError'>): Could not access
> > > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable
> > > - [Errno 61] No data avaiable:
> > > '/usr/local/samba/var/locks/sysvol/mydom.local'
>
> > Are you running the command as root ?
>
> Yes, I ran as root.
Then why did you get the error ?
>
>
> > > However, this directory does exist on the system:
> > >
> > > /usr/local/samba/var/locks/sysvol:
> > > drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9
> > > 2017 sysvol
>
> > Who is '3000008' ? it should be 'root' as below.
>
> uid=3000008(MYDOM\domain admins) gid=3000008(MYDOM\domain admins)
> groups=3000008(MYDOM\domain admins)
As I said, it should be root, but even so, why is it showing '3000008'
instead of 'MYDOM\domain admins' for the user? It is showing it for the
group. Have you given Domain Admins a gidNumber attribute ?
>
>
> > > 4 - When I issue the command: 'samba-tool ntacl sysvolreset' I
> > > receive:
> > >
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
> > > idmap range not specified for domain '*'
>
> > But that doesn't, I have never seen that error when running
> > sysvolreset, perhaps you should post your entire DCs smb.conf file.
>
> > > # wbinfo --name-to-sid=12345678
> > > S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
>
> > Are you really using a number as a username ?
>
> Yes #-) It's a corporate requirement.
Whatever floats your boat ;-)
>
>
> > > # wbinfo -a user%MYPASS
> > > plaintext password authentication succeeded
> > > challenge/response password authentication succeeded
>
> > What OS is this ?
>
> It's an Ubuntu Server 24.04.1
Why build Samba yourself, you can get the latest packages from here:
http://www.corpit.ru/mjt/packages/samba/
>
>
> This is my smb.conf:
>
> [global]
> interfaces = lo eth0
> workgroup = MYDOM
> realm = MYDOM.LOCAL
> netbios name = HOSTNAME
> server role = active directory domain controller
> server services = -dns
>
> ldap server require strong auth = no
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> tls enabled = yes
> tls keyfile = tls/hostname.key.pem
> tls certfile = tls/hostname.cert.pem
> tls cafile =
>
> allow dns updates = nonsecure
>
> eventlog list = Application System Security SyslogLinux
>
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind max clients = 4000
>
> veto files = /*.inf/*.pif/*.lnk/*.{*}/
>
> log level = 1 auth_audit:3 auth_json_audit:3
>
> vfs objects = acl_xattr dfs_samba4
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
Where did the 'netlogon' share go ?
Rowland
PS: Please do not 'CC' me.
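
A read-only diagnostic for the two things questioned in this thread, the owner of the sysvol directory and the "[Errno 61]" failure from sysvolcheck, as an added example that is not from the thread or from the Samba project. It assumes the ENODATA (errno 61) came from reading the `security.NTACL` extended attribute that `acl_xattr` maintains; `check_sysvol` and its injectable `stat_fn`/`getxattr_fn` parameters are hypothetical names.

```python
import errno
import os
import sys

# Assumption: the NT ACL is stored in this xattr by the acl_xattr VFS module.
NTACL_XATTR = "security.NTACL"


def check_sysvol(path, stat_fn=None, getxattr_fn=None):
    """Return a list of findings for one path; an empty list means nothing found."""
    stat_fn = stat_fn or os.stat
    getxattr_fn = getxattr_fn or os.getxattr  # Linux-only call, resolved lazily
    findings = []
    try:
        st = stat_fn(path)
    except OSError as e:
        return [f"cannot stat path: {e.strerror} (errno {e.errno})"]
    # The reply in the thread states the owner should be root.
    if st.st_uid != 0:
        findings.append(f"owner uid is {st.st_uid}, expected 0 (root)")
    try:
        blob = getxattr_fn(path, NTACL_XATTR)
    except OSError as e:
        if e.errno == errno.ENODATA:
            # The path exists but carries no such attribute: this is what
            # "No data available" means, not a missing directory.
            findings.append(f"{NTACL_XATTR} xattr is absent (ENODATA, errno {e.errno})")
        elif e.errno in (errno.EACCES, errno.EPERM):
            findings.append(f"not permitted to read {NTACL_XATTR}; run as root")
        elif e.errno == errno.ENOTSUP:
            findings.append("filesystem does not support extended attributes")
        else:
            findings.append(f"getxattr failed: {e.strerror} (errno {e.errno})")
    else:
        if not blob:
            findings.append(f"{NTACL_XATTR} xattr is present but empty")
    return findings


if __name__ == "__main__":
    # Default path is the sysvol path quoted in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/samba/var/locks/sysvol"
    for line in check_sysvol(target) or ["no findings"]:
        print(f"{target}: {line}")
```
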