Re: [Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
- Date: Wed, 10 Apr 2019 19:41:36 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE
On Wed, 10 Apr 2019 19:47:27 +0200
Martin Krämer via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Hello All,
> I just discovered that the last I unfortunately I send only to Louis
> - not the list.
> So below are my answers included (and log outputs that were
> Never the less in meantime I have investigated further into SAMBA &
> winbind. I was able to setup samba dc based on previous instructions
> and guidelines successfully.
> I additionally setup a debian samba member with winbind.
> Unfortunately on that samba member I faced the issue of "Could not
> convert sid: NT_STATUS_NO_SUCH_USER"
> when trying to run "winbind -i <username>" while "winbind -n
> <username>" works correctly on the client.
> (On the DC both commands work correctly.)
> With some more research I found the following articles:
> But after reading these two articles I am left over with some
> questions I hope you can help me with:
> 1. Did I understand correctly that if I want to make sure winbind
> resolve is working correctly (independently of Samba user, Samba
> group or samba computer account) I have to set
> non overlapping uidNumber for users and computers and non
> overlapping gidNumber for groups?
If you use the winbind 'ad' backend, then your users must have a unique
uidNumber attribute and Domain Users (at least) a gidNumber attribute.
These attributes must be inside the range you set in smb.conf
You can however use the winbind 'rid' backend and this does not require
adding anything to AD.
> 2. Did I understand correctly that these uid- & gidNumbers cannot be
> set automatically/managed by samba-tool or any other linux out of box
Have a look at LAM, (LDAP Account Manager)
>3. Did I understand correctly that on windows the "Active
> directory users and Computers" (ADUC) sets automatically/manages the
> uid- & gidNumbers for users & groups,but not for computers?
> 4. Did I understand correctly that if I set the uid- & gidNumbers via
> samba-tool or ldbedit there is no verification if an uid- & gidNumber
> already exists?
> --- that was the understanding part - now the real questions :) ---
> 5. Assuimg 3&4 is correct, what happens if I create one user/group via
> samba-tool/ldbedit and another one via ADUC - does ADUC take care of
> not using the same uid-/gidNumber as of the user created/set within
> 6. Assuimg 2 is correct that means I have to take care about setting
> the uid- & gidNumbers (and no overlappings) by myself if not using
> ADUC (even with ADUC I have to take care about uidNumber of comptuers
> by myself - but thats only secondary).
> Never the less I know that on my domain controller I can receive a
> uid- & gidNumber of the user/group independently of this being set in
> AD by using "wbinfo --name-to-sid <myuser>" and using the resolved
> SID further in "wbinfo --sid-to-uid <SID>".
That would only work if the user or group already has a
> Based on this I could run a cronjob (just as a concept - maybe
> cronjob is not best solution) that sets the uid- & gidNumber recieved
> from the DC as a global AD uid- & gidNumber.
Don't think this will work.
> Would this make sure the uid- & gidNumbers for users, computers and
> groups do not overlap?
> 7. If 6 would be implemented - what happens if I have a second
> DC...will the uid- & gidNumbers recieved there differnetiate to the
> ones of DC1? (If they would differentiate I assume I would have to
> make sure the cronjob runs only on the FSMO role owner or?)
The RFC2307 attributes are stored in AD and as such are replicated to
> 8. If 7 would be implemented with the FSMO role owner only - what
> would happen if that FSMO role owner has gone/will go offline and I
> would have to online/offline transfer - not seize - the FSMO roles
> (and with them the cronjob)?
> Would the resolved uid- & gidNumbers still not overlap?
Don't think I need to answer this, mainly because what you are
proposing isn't going to work.
Why don't you use the attributes that ADUC uses, 'msSFU30MaxUidNumber'
and 'msSFU30MaxGidNumber', I am very sure that you will be able to add
'ypServ30.ldif' (it appears to be what IDMU used.
To unsubscribe from this list go to the following URL and read the