Web lists-archives.com

[Samba] Duplicate base-DN matches found for <SID=1-5-11> after classic upgrade


I've done samba-tool domain classicupgrade from Samba 3.0.9 NT-style domain to Samba 4.3.11 and have issues with SIDs.

I have an old SUSE 9 server with Samba 3.0.9 NT-style domain (only this PDC, no BDC).
I migrated this samba configuration to Ubuntu 16.04.1 with Samba 4.3.11 and it worked very well.
Then I did inplace upgrade to Samba AD DC domain using the following command:

samba-tool domain classicupgrade --debuglevel=10 --dbdir=/root/_pdc/dbdir/ --realm=<MY-REALM-NAME> --use-xattrs=yes --dns-backend=SAMBA_INTERNAL /root/_pdc/etc/smb.conf

The process went ok and new samba config started to run, but when I did:

smbclient -L localhost -U%

or with any other user I get NT_STATUS_OBJECT_NAME_NOT_FOUND.

So I put log level = 10 to smb.conf, restarted samba and run the same command.
While investigating megabytes of log file I found an error:

less /var/log/samba/log.smbd:

[2017/02/08 12:02:02.162067, 10, pid=1805, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
    scope: base
    expr: (!(objectClass=*)(distinguishedName=*))
    attr: memberOf
    control: 1.2.840.113556.1.4.529  crit:1  data:yes

... several lines with ldb_trace_request: (something)->search ...

[2017/02/08 12:02:02.162465, 10, pid=1805, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 32
  msg: Duplicate base-DN matches found for '<SID=S-1-5-11>'

The above message is defined in samba source code in  ./source4/dsdb/samdb/ldb_modules/extended_dn_in.c and there is a comment indicating the code is expecting to see this error but with SID S-1-5-17 and not with S-1-5-11.

I tried to use ldbsearch to extract all data from sam.ldb and idmap.ldb but I didn't know how to search it for duplicate SID.
And I'm not sure what to do about it - is it a bug in samba code, maybe in samba-tool? Or is it somehow related to samba 3 configuration, although I'm quite sure in my Samba 3 domain there was no such SID anywhere.

In consequence, I cannot do anything with Samba AD DC domain, cannot add new workstation, cannot login to smbclient, and so on.

Below you can investigate my Samba 3 global configuration section before upgrade:

        dos charset = CP852
        unix charset = UTF8
        display charset = UTF8
        workgroup = <MY-NETBIOS-DOMAIN-NAME>
        server string = <MY-HOST-NAME>
        passdb backend = tdbsam
        log file = /var/log/samba.log
        smb ports = 139
        logon script = logon_script.bat
        logon path =
        logon home =
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrator,dc=<MY-NETBIOS-DOMAIN-NAME>
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=<MY-NETBIOS-DOMAIN-NAME>
        invalid users = root
        admin users = <LIST-OF-ADMIN-USERS>
        hosts allow =
        nt acl support = No
        oplocks = No

Can anyone help me fix this?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba