
[Samba] migrating NT-style domain SID-error


After migrating a Samba NT-style domain from Samba 4.2.14-debian (Debian
8.10) to Samba 4.5.12-debian (Debian 9.4), we copied all tdb files to the
new machine plus the smb.conf plus /etc/group. The old Samba has tdbsam as
backend.
We use the same domain and hostname on the new DC as was set on the
old system.
We are using bind9 as DNS backend in the new system.
The "samba-tool classicupgrade" ran without error messages. DNS
is running. We can resolve all host and
service records. We get a list of all users and groups with "wbinfo -u"
and "wbinfo -g". We changed nsswitch.conf:
passwd:         compat winbind
group:          compat winbind
The packages libnss-winbind and libpam-winbind are installed, but we got
no output with "getent passwd <user>".
Then we tried:
root@addc:~# wbinfo -n user
S-1-5-21-2513443738-1937210514-736184894-1173 SID_USER (1)

root@addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-1173
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-1173 to uid
As you can see, it is not possible to get a UID for a migrated user. Then
we tested the same with the users krbtgt and
administrator and got the following result:
root@addc:~# wbinfo -n krbtgt
S-1-5-21-2513443738-1937210514-736184894-502 SID_USER (1)

root@addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-502
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2513443738-1937210514-736184894-502 to uid

root@addc:~# wbinfo -n administrator
S-1-5-21-2513443738-1937210514-736184894-500 SID_US

root@addc:~# wbinfo -S S-1-5-21-2513443738-1937210514-736184894-500

We could not get any output from "smbclient -L hostname"; we got the
following error message:
root@addc:~# smbclient -L addc
Enter root's password:
session setup failed: NT_STATUS_INVALID_SID
With a higher debug level we got the following message at the end:
root@addc:~# smbclient -L addc -d 10
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID


Then we checked the local SID for the DC and got the following result:
root@addc:~# net getlocalsid
Can't fetch domain SID for name: ADDC

But we do get the domain SID:
root@addc:~# net getdomainsid
SID for domain EXAMPLE is: S-1-5-21-2513443738-1937210514-736184894

What we found:
In secrets.tdb (old Samba) the hostname of the PDC is different from the
hostname given by the command "hostname". We checked
the SID on the old system with "net getlocalsid" and got exactly the
same result as on the new Samba4 AD DC.
I think that someone changed the hostname and created the problem.
Then we took the old hostname (the one we found in
secrets.tdb) as the new hostname and NetBIOS name and tried to migrate,
but with the same result :-(.

Any hint on what we can do or where we could look? Setting up a new domain
can't be the solution: too many users, too many hosts
and too many profiles on Windows clients.

Thanks for any useful help
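An added example (not part of the post, and not Samba's own code) that checks the SIDs reported above for consistency: it parses the `wbinfo -n` and `net getdomainsid` output, verifies that every account SID is well-formed and carries the domain SID as its prefix, and flags the well-known RIDs (500 Administrator, 502 krbtgt) if they show up under another name. The sample output is constructed to match the thread; on a real host it would be the captured command output.

```python
import re

# Constructed sample output modelled on the thread, not captured from a live host.
WBINFO_N_OUTPUT = {
    "user":          "S-1-5-21-2513443738-1937210514-736184894-1173 SID_USER (1)",
    "krbtgt":        "S-1-5-21-2513443738-1937210514-736184894-502 SID_USER (1)",
    "administrator": "S-1-5-21-2513443738-1937210514-736184894-500 SID_USER (1)",
}
NET_GETDOMAINSID_OUTPUT = "SID for domain EXAMPLE is: S-1-5-21-2513443738-1937210514-736184894"
# Well-known domain-relative RIDs (MS-DTYP); only the ones that matter here.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}
# Domain SID: S-1-5-21 plus three sub-authorities; an account SID appends the RID.
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d{1,10}){3}")
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21(?:-\d{1,10}){3})-(\d{1,10})$")

def split_sid(sid):
    """Split an account SID into (domain_sid, rid); raise ValueError if malformed."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def parse_domain_sid(text):
    """Extract the domain SID from `net getdomainsid` output, or None if absent."""
    m = re.search(r"SID for domain \S+ is: (" + DOMAIN_SID_RE.pattern + r")\s*$", text)
    return m.group(1) if m else None

def check_accounts(wbinfo_output, domain_sid):
    """Return {name: (rid, verdict)}; verdict is "ok" or a description of the problem."""
    results = {}
    for name, line in wbinfo_output.items():
        fields = line.split()
        if len(fields) < 2 or fields[1] != "SID_USER":
            results[name] = (None, f"unexpected wbinfo output: {line!r}")
            continue
        try:
            dom, rid = split_sid(fields[0])
        except ValueError as exc:
            results[name] = (None, str(exc))
            continue
        if dom != domain_sid:
            results[name] = (rid, f"domain part {dom} differs from domain SID {domain_sid}")
        elif rid in WELL_KNOWN_RIDS and WELL_KNOWN_RIDS[rid].lower() != name.lower():
            results[name] = (rid, f"RID {rid} is reserved for {WELL_KNOWN_RIDS[rid]}")
        else:
            results[name] = (rid, "ok")
    return results
```

On the values in the thread all three account SIDs share the domain SID as prefix, so the WBC_ERR_DOMAIN_NOT_FOUND failure is not an account-SID/domain-SID mismatch; the check is meant to rule that out before looking elsewhere, such as the secrets.tdb hostname difference the post describes.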

