[Samba] Duplicate base-DN matches found for <SID=1-5-11> after classic upgrade
- Date: Wed, 8 Feb 2017 12:44:41 +0000
- From: Michal Staniszewski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Duplicate base-DN matches found for <SID=1-5-11> after classic upgrade
I've done samba-tool domain classicupgrade from Samba 3.0.9 NT-style domain to Samba 4.3.11 and have issues with SIDs.
I have an old SUSE 9 server with Samba 3.0.9 NT-style domain (only this PDC, no BDC).
I migrated this samba configuration to Ubuntu 16.04.1 with Samba 4.3.11 and it worked very well.
Then I did inplace upgrade to Samba AD DC domain using the following command:
samba-tool domain classicupgrade --debuglevel=10 --dbdir=/root/_pdc/dbdir/ --realm=<MY-REALM-NAME> --use-xattrs=yes --dns-backend=SAMBA_INTERNAL /root/_pdc/etc/smb.conf
The process went ok and new samba config started to run, but when I did:
smbclient -L localhost -U%
or with any other user I get NT_STATUS_OBJECT_NAME_NOT_FOUND.
So I put log level = 10 to smb.conf, restarted samba and run the same command.
While investigating megabytes of log file I found an error:
[2017/02/08 12:02:02.162067, 10, pid=1805, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_request: SEARCH
control: 1.2.840.1135126.96.36.1999 crit:1 data:yes
... several lines with ldb_trace_request: (something)->search ...
[2017/02/08 12:02:02.162465, 10, pid=1805, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_response: DONE
msg: Duplicate base-DN matches found for '<SID=S-1-5-11>'
The above message is defined in samba source code in ./source4/dsdb/samdb/ldb_modules/extended_dn_in.c and there is a comment indicating the code is expecting to see this error but with SID S-1-5-17 and not with S-1-5-11.
I tried to use ldbsearch to extract all data from sam.ldb and idmap.ldb but I didn't know how to search it for duplicate SID.
And I'm not sure what to do about it - is it a bug in samba code, maybe in samba-tool? Or is it somehow related to samba 3 configuration, although I'm quite sure in my Samba 3 domain there was no such SID anywhere.
In consequence, I cannot do anything with Samba AD DC domain, cannot add new workstation, cannot login to smbclient, and so on.
Below you can investigate my Samba 3 global configuration section before upgrade:
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = <MY-NETBIOS-DOMAIN-NAME>
server string = <MY-HOST-NAME>
passdb backend = tdbsam
log file = /var/log/samba.log
smb ports = 139
logon script = logon_script.bat
logon path =
logon home =
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=<MY-NETBIOS-DOMAIN-NAME>
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=<MY-NETBIOS-DOMAIN-NAME>
invalid users = root
admin users = <LIST-OF-ADMIN-USERS>
hosts allow = 192.168.1.0/24
nt acl support = No
oplocks = No
Can anyone help me fix this?
To unsubscribe from this list go to the following URL and read the