[Samba] Upgrade from 4.7 and Idmap check
Edson Tadeu Almeida da Silveira
edson.tadeu at gmail.com
Thu Feb 6 13:33:58 UTC 2025
> > > > 2- In the log.smbd:
> > > >
> > > > [2025/02/06 06:55:04.483261, 1, traceid=3]
> > > >
> > > > 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I
> > > > receive:
> > > >
> > > > ERROR(<class 'OSError'>): Could not access
> > > > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable
> > > > - [Errno 61] No data avaiable:
> > > > '/usr/local/samba/var/locks/sysvol/mydom.local'
> >
> > > Are you running the command as root ?
> >
> > Yes, I ran as root.
>
> Then why did you get the error ?
I haven't been able to identify the reason yet.
> > > > However, this directory does exist on the system:
> > > >
> > > > /usr/local/samba/var/locks/sysvol:
> > > > drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9
> > > > 2017 sysvol
> >
> > > Who is '3000008' ? it should be 'root' as below.
> >
> > uid=3000008(MYDOM\domain admins) gid=3000008(MYDOM\domain admins)
> > groups=3000008(MYDOM\domain admins)
>
> As I said, it should be root, but even so, why is it showing '3000008'
> instead of 'MYDOM\domain admins' for the user, it is showing it for the
> group, have you given Domain Admins a gidNumber attribute ?
getent group "Domain Admins"
MYDOM\domain admins:x:3000008:

There's something here that I will check.
In the old DC, 'getent passwd 3000008' does not return anything,
but in the updated DC it returns:
MYDOM\domain admins:*:3000008:3000008::/home/CBMERJ/domain admins:/bin/false
> > > > # wbinfo -a user%MYPASS
> > > > plaintext password authentication succeeded
> > > > challenge/response password authentication succeeded
> >
> > > What OS is this ?
> >
> > It's an Ubuntu Server 24.04.1
>
> Why build Samba yourself, you can get the latest packages from here:
>
> http://www.corpit.ru/mjt/packages/samba/
It's more exciting. ;-)
On Thu, Feb 6, 2025 at 09:24, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 6 Feb 2025 09:04:21 -0300
> Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
>
> > > > 2- In the log.smbd:
> > > >
> > > > [2025/02/06 06:55:04.483261, 1, traceid=3]
> > > >
> > > > 3 - When I issue the command: 'samba-tool ntacl sysvolcheck' I
> > > > receive:
> > > >
> > > > ERROR(<class 'OSError'>): Could not access
> > > > /usr/local/samba/var/locks/sysvol/mydom.local: No data avaiable
> > > > - [Errno 61] No data avaiable:
> > > > '/usr/local/samba/var/locks/sysvol/mydom.local'
> >
> > > Are you running the command as root ?
> >
> > Yes, I ran as root.
>
> Then why did you get the error ?
>
> >
> >
> > > > However, this directory does exist on the system:
> > > >
> > > > /usr/local/samba/var/locks/sysvol:
> > > > drwxrwx---+ 3 3000008 MYDOM\domain admins 4096 Mar 9
> > > > 2017 sysvol
> >
> > > Who is '3000008' ? it should be 'root' as below.
> >
> > uid=3000008(MYDOM\domain admins) gid=3000008(MYDOM\domain admins)
> > groups=3000008(MYDOM\domain admins)
>
> As I said, it should be root, but even so, why is it showing '3000008'
> instead of 'MYDOM\domain admins' for the user, it is showing it for the
> group, have you given Domain Admins a gidNumber attribute ?
>
> >
> >
> > > > 4 - When I issue the command: 'samba-tool ntacl sysvolreset' I
> > > > receive:
> > > >
> > > > idmap range not specified for domain '*'
> > > > idmap range not specified for domain '*'
> > > > idmap range not specified for domain '*'
> > > > idmap range not specified for domain '*'
> > > > idmap range not specified for domain '*'
> >
> > > But that doesn't, I have never seen that error when running
> > > sysvolreset, perhaps you should post your entire DCs smb.conf file.
> >
> > > > # wbinfo --name-to-sid=12345678
> > > > S-1-5-21-1058002876-845724780-2777320708-32541 SID_USER (1)
> >
> > > Are you really using a number as a username ?
> >
> > Yes #-) It's a corporate requirement.
>
> Whatever floats your boat ;-)
>
> >
> >
> > > > # wbinfo -a user%MYPASS
> > > > plaintext password authentication succeeded
> > > > challenge/response password authentication succeeded
> >
> > > What OS is this ?
> >
> > It's an Ubuntu Server 24.04.1
>
> Why build Samba yourself, you can get the latest packages from here:
>
> http://www.corpit.ru/mjt/packages/samba/
>
> >
> >
> > This is my smb.conf:
> >
> > [global]
> > interfaces = lo eth0
> > workgroup = MYDOM
> > realm = MYDOM.LOCAL
> > netbios name = HOSTNAME
> > server role = active directory domain controller
> > server services = -dns
> >
> > ldap server require strong auth = no
> >
> > ntlm auth = mschapv2-and-ntlmv2-only
> >
> > tls enabled = yes
> > tls keyfile = tls/hostname.key.pem
> > tls certfile = tls/hostname.cert.pem
> > tls cafile =
> >
> > allow dns updates = nonsecure
> >
> > eventlog list = Application System Security SyslogLinux
> >
> > rpc_server:spoolss = external
> > rpc_daemon:spoolssd = fork
> > printcap name = /dev/null
> > load printers = no
> > disable spoolss = yes
> > printing = bsd
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind max clients = 4000
> >
> > veto files = /*.inf/*.pif/*.lnk/*.{*}/
> >
> > log level = 1 auth_audit:3 auth_json_audit:3
> >
> > vfs objects = acl_xattr dfs_samba4
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
>
> Where did the 'netlogon' share go ?
>
> Rowland
>
> PS: Please do not 'CC' me.
>
>
--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
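
Added example, not part of the thread and not Samba code: a read-only check of the two things discussed above, the owner of the sysvol tree (expected to be root) and whether each entry carries the `security.NTACL` xattr stored by `acl_xattr`. Errno 61 is ENODATA on Linux; tying it to a missing xattr is an assumption here, and the function names are hypothetical.

```python
import errno
import grp
import os
import pwd

NTACL_XATTR = "security.NTACL"  # xattr written by Samba's acl_xattr VFS module


def classify_xid(xid):
    """Report whether a numeric ID resolves as a user, a group, both or neither."""
    kinds = []
    for kind, lookup in (("user", pwd.getpwuid), ("group", grp.getgrgid)):
        try:
            lookup(xid)
            kinds.append(kind)
        except KeyError:
            pass
    return "both" if len(kinds) == 2 else (kinds[0] if kinds else "unmapped")


def audit_tree(root, expected_uid=0):
    """Walk root and return (path, check, detail) findings.

    'owner': owner uid differs from expected_uid (root for a DC's sysvol)
    'ntacl': security.NTACL could not be read (ENODATA means it is absent)
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if st.st_uid != expected_uid:
                findings.append((path, "owner",
                                 f"uid={st.st_uid} ({classify_xid(st.st_uid)})"))
            try:
                os.getxattr(path, NTACL_XATTR, follow_symlinks=False)
            except OSError as exc:
                findings.append((path, "ntacl",
                                 errno.errorcode.get(exc.errno, str(exc.errno))))
    return findings


if __name__ == "__main__":
    # Path taken from the [sysvol] share in the smb.conf quoted above.
    for path, check, detail in audit_tree("/usr/local/samba/var/locks/sysvol"):
        print(f"{check:5} {detail:28} {path}")
```

Run it as root on the DC; an owner reported as "both" is an ID that resolves through passwd and group lookups alike, as 3000008 does on the upgraded DC.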