Web lists-archives.com

Re: [Samba] Duplicate base-DN matches found for <SID=1-5-11> after classic upgrade




On Wed, 8 Feb 2017 12:44:41 +0000
Michal Staniszewski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I've done samba-tool domain classicupgrade from Samba 3.0.9 NT-style
> domain to Samba 4.3.11 and have issues with SIDs.
> 
> I have an old SUSE 9 server with Samba 3.0.9 NT-style domain (only
> this PDC, no BDC). I migrated this samba configuration to Ubuntu
> 16.04.1 with Samba 4.3.11 and it worked very well. Then I did inplace
> upgrade to Samba AD DC domain using the following command:
> 
> samba-tool domain classicupgrade --debuglevel=10
> --dbdir=/root/_pdc/dbdir/ --realm=<MY-REALM-NAME> --use-xattrs=yes
> --dns-backend=SAMBA_INTERNAL /root/_pdc/etc/smb.conf
> 
> The process went ok and new samba config started to run, but when I
> did:
> 
> smbclient -L localhost -U%
> 
> or with any other user I get NT_STATUS_OBJECT_NAME_NOT_FOUND.
> 
> So I put log level = 10 to smb.conf, restarted samba and run the same
> command. While investigating megabytes of log file I found an error:
> 
> less /var/log/samba/log.smbd:
> 
> [2017/02/08 12:02:02.162067, 10, pid=1805, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug) ldb:
> ldb_trace_request: SEARCH dn:
>     scope: base
>     expr: (!(objectClass=*)(distinguishedName=*))
>     attr: memberOf
>     control: 1.2.840.113556.1.4.529  crit:1  data:yes
> 
> ... several lines with ldb_trace_request: (something)->search ...
> 
> [2017/02/08 12:02:02.162465, 10, pid=1805, effective(0, 0), real(0,
> 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug) ldb:
> ldb_trace_response: DONE error: 32
>   msg: Duplicate base-DN matches found for '<SID=S-1-5-11>'
> 
> The above message is defined in samba source code
> in  ./source4/dsdb/samdb/ldb_modules/extended_dn_in.c and there is a
> comment indicating the code is expecting to see this error but with
> SID S-1-5-17 and not with S-1-5-11.
> 
> I tried to use ldbsearch to extract all data from sam.ldb and
> idmap.ldb but I didn't know how to search it for duplicate SID. And
> I'm not sure what to do about it - is it a bug in samba code, maybe
> in samba-tool? Or is it somehow related to samba 3 configuration,
> although I'm quite sure in my Samba 3 domain there was no such SID
> anywhere.
> 
> In consequence, I cannot do anything with Samba AD DC domain, cannot
> add new workstation, cannot login to smbclient, and so on.
> 
> Below you can investigate my Samba 3 global configuration section
> before upgrade:
> 
> [global]
>         dos charset = CP852
>         unix charset = UTF8
>         display charset = UTF8
>         workgroup = <MY-NETBIOS-DOMAIN-NAME>
>         server string = <MY-HOST-NAME>
>         passdb backend = tdbsam
>         log file = /var/log/samba.log
>         smb ports = 139
>         logon script = logon_script.bat
>         logon path =
>         logon home =
>         domain logons = Yes
>         os level = 64
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         ldap admin dn = cn=Administrator,dc=<MY-NETBIOS-DOMAIN-NAME>
>         ldap idmap suffix = ou=Idmap
>         ldap machine suffix = ou=Computers
>         ldap suffix = dc=<MY-NETBIOS-DOMAIN-NAME>
>         invalid users = root
>         admin users = <LIST-OF-ADMIN-USERS>
>         hosts allow = 192.168.1.0/24
>         nt acl support = No
>         oplocks = No
> 
> Can anyone help me fix this?
> 
> Thanks,
> Michal
> 
> 

Lets start by you posting the smb.conf from the new AD DC ;-)

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba