[Samba] migrating NT-style domain SID-error

Hello,

after migrating a Samba NT-style domain from Samba 4.2.14-debian (Debian
8.10) to Samba 4.5.12-debian (Debian 9.4):
We copied all tdb-files to the new machine plus the smb.conf plus
/etc/group. The old Samba has tdbsam as backend.
We use the same domain and hostname on the new DC as was set on the
old system.
We are using bind9 as DNS backend in the new system.
The "samba-tool classicupgrade" ran without error messages. DNS
is running. We can resolve all host and
service records. We get a list of all users and groups with "wbinfo -u"
and "wbinfo -g". We changed nsswitch.conf
to:
---------
passwd:         compat winbind
group:          compat winbind
---------
The packages libnss-winbind and libpam-winbind are installed, but we got
no output with "getent passwd <user>".
Then we tried:
------------
root@addc:~# wbinfo -n user
S-1-5-21-2513443738-1937210514-736184894-1173 SID_USER (1)

root@addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-1173
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-1173 to uid
------------
As you can see, it is not possible to get a UID for a migrated user. Then
we tested the same with the users krbtgt and
administrator and got the following result:
-----------
root@addc:~# wbinfo -n krbtgt
S-1-5-21-2513443738-1937210514-736184894-502 SID_USER (1)

root@addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-502
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-502 to uid

root@addc:~# wbinfo -n administrator
S-1-5-21-2513443738-1937210514-736184894-500 SID_US

root@addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-500
0
-----------

We could not get any output from "smbclient -L hostname"; we got the
following error message:
----------
root@addc:~# smbclient -L addc
Enter root's password:
session setup failed: NT_STATUS_INVALID_SID
----------
With a higher debug level we got the following message at the end:
----------
root@addc:~# smbclient -L addc -d 10
.
.
.
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

----------

Then we checked the local SID for the DC and got the following result:
----------
root@addc:~# net getlocalsid
Can't fetch domain SID for name: ADDC
----------

But we do get the domain SID:
----------
root@addc:~# net getdomainsid
SID for domain EXAMPLE is: S-1-5-21-2513443738-1937210514-736184894
----------

What we found:
In secrets.tdb (old Samba) the hostname of the PDC is different from the
hostname given by the command "hostname". We checked
the SID on the old system with "net getlocalsid" and got exactly the
same result as on the new Samba4 AD DC.
I think that someone changed the hostname and created the problem.
Then we took the old hostname (the one we found in
secrets.tdb) as the new hostname and NetBIOS name and tried to migrate,
but with the same result :-(.

Any hint what we can do or where we could look? Setting up a new domain
can't be the solution: too many users, too many hosts
and too many profiles on Windows clients.

Thanks for any useful help

Stefan

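A structural check of the SIDs quoted in the post above, added here as an example and not part of the post or of Samba itself: it parses the "wbinfo -n" lines and the "net getdomainsid" value (the sample input below is a constructed copy of those outputs), validates each SID the way the NT_STATUS_INVALID_SID message implies (revision, sub-authority count and size), and reports whether each account's SID prefix actually belongs to the domain SID winbind knows and which well-known RID it carries. The well-known RID table is limited to the RIDs seen above plus 501 (guest).

```python
import re
from typing import NamedTuple, Tuple

# Constructed sample input, copied from the outputs quoted in the post.
DOMAIN_SID = "S-1-5-21-2513443738-1937210514-736184894"
WBINFO_N_OUTPUT = """\
S-1-5-21-2513443738-1937210514-736184894-1173 SID_USER (1)
S-1-5-21-2513443738-1937210514-736184894-502 SID_USER (1)
S-1-5-21-2513443738-1937210514-736184894-500 SID_USER (1)
"""

WELL_KNOWN_RIDS = {500: "administrator", 501: "guest", 502: "krbtgt"}


class Sid(NamedTuple):
    revision: int
    authority: int
    subauths: Tuple[int, ...]


def parse_sid(text: str) -> Sid:
    """Parse 'S-R-A-S1-...-Sn'; raise ValueError for a structurally invalid SID."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    rev, auth = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    if rev != 1:
        raise ValueError(f"unsupported SID revision {rev}")
    if len(subs) > 15:  # the on-wire format allows at most 15 sub-authorities
        raise ValueError("more than 15 sub-authorities")
    if any(s > 0xFFFFFFFF for s in subs):  # each sub-authority is 32 bits
        raise ValueError("sub-authority exceeds 32 bits")
    return Sid(rev, auth, subs)


def split_domain(sid: Sid) -> Tuple[Sid, int]:
    """Split an account SID into its domain prefix and the trailing RID."""
    if not sid.subauths:
        raise ValueError("SID carries no sub-authorities, so no RID")
    return Sid(sid.revision, sid.authority, sid.subauths[:-1]), sid.subauths[-1]


def audit(domain_sid_text: str, wbinfo_lines: str) -> dict:
    """Map each SID from 'wbinfo -n' output to a one-line verdict."""
    domain = parse_sid(domain_sid_text)
    report = {}
    for line in wbinfo_lines.splitlines():
        if not line.strip():
            continue
        sid_text = line.split()[0]
        try:
            prefix, rid = split_domain(parse_sid(sid_text))
        except ValueError as exc:
            report[sid_text] = f"invalid: {exc}"
            continue
        owner = "this domain" if prefix == domain else "foreign/unknown domain"
        report[sid_text] = f"{owner}, RID {rid} ({WELL_KNOWN_RIDS.get(rid, 'ordinary account')})"
    return report
```

If every prefix matches yet wbcSidToUid still fails for all but RID 500, the SID strings themselves are sound and the fault lies in how winbind resolves that domain, not in the accounts.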
