Web lists-archives.com

Re: [Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE




On Wed, 10 Apr 2019 19:47:27 +0200
Martin Krämer via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello All,
> 
> I just discovered that the last I unfortunately I send only to Louis
> - not the list.
> So below are my answers included (and log outputs that were
> requested).
> 
> Never the less in meantime I have investigated further into SAMBA &
> winbind. I was able to setup samba dc based on previous instructions
> and guidelines successfully.
> 
> I additionally setup a debian samba member with winbind.
> Unfortunately on that samba member I faced the issue of "Could not
> convert sid: NT_STATUS_NO_SUCH_USER"
> when trying to run "winbind -i <username>" while "winbind -n
> <username>" works correctly on the client.
> (On the DC both commands work correctly.)
> 
> With some more research I found the following articles:
> https://wiki.samba.org/index.php/Idmap_config_ad
> and
> https://wiki.samba.org/index.php/Adding_users_with_samba_tool#Adding_Unix_attributes_to_a_Windows_user
> 
> But after reading these two articles I am left over with some
> questions I hope you can help me with:
> 1. Did I understand correctly that if I want to make sure winbind
> resolve is working correctly (independently of Samba user, Samba
> group or samba computer account) I have to set
>    non overlapping uidNumber for users and computers and non
> overlapping gidNumber for groups?

If you use the winbind 'ad' backend, then your users must have a unique
uidNumber attribute and Domain Users (at least) a gidNumber attribute.
These attributes must be inside the range you set in smb.conf

You can however use the winbind 'rid' backend and this does not require
adding anything to AD.

> 2. Did I understand correctly that these uid- & gidNumbers cannot be
> set automatically/managed by samba-tool or any other linux out of box
> tool? 

Have a look at LAM, (LDAP Account Manager)

>3. Did I understand correctly that on windows the "Active
> directory users and Computers" (ADUC) sets automatically/manages the
> uid- & gidNumbers for users & groups,but not for computers?

Yes

> 4. Did I understand correctly that if I set the uid- & gidNumbers via
> samba-tool or ldbedit there is no verification if an uid- & gidNumber
> already exists?

Yes

> --- that was the understanding part - now the real questions :) ---
> 5. Assuimg 3&4 is correct, what happens if I create one user/group via
> samba-tool/ldbedit and another one via ADUC - does ADUC take care of
> not using the same uid-/gidNumber as of the user created/set within
> samba-tool/ldbedit?

No 

> 6. Assuimg 2 is correct that means I have to take care about setting
> the uid- & gidNumbers (and no overlappings) by myself if not using
> ADUC (even with ADUC I have to take care about uidNumber of comptuers
> by myself - but thats only secondary).

Yes

>    Never the less I know that on my domain controller I can receive a
> uid- & gidNumber of the user/group independently of this being set in
> AD by using "wbinfo --name-to-sid <myuser>" and using the resolved
> SID further in "wbinfo --sid-to-uid <SID>".

That would only work if the user or group already has a
uidNumber/gidNumber
 
>    Based on this I could run a cronjob (just as a concept - maybe
> cronjob is not best solution) that sets the uid- & gidNumber recieved
> from the DC as a global AD uid- & gidNumber.

Don't think this will work.

>    Would this make sure the uid- & gidNumbers for users, computers and
> groups do not overlap?

Probably not.

> 7. If 6 would be implemented - what happens if I have a second
> DC...will the uid- & gidNumbers recieved there differnetiate to the
> ones of DC1? (If they would differentiate I assume I would have to
> make sure the cronjob runs only on the FSMO role owner or?)

The RFC2307 attributes are stored in AD and as such are replicated to
all DC's

> 8. If 7 would be implemented with the FSMO role owner only - what
> would happen if that FSMO role owner has gone/will go offline and I
> would have to online/offline transfer - not seize - the FSMO roles
> (and with them the cronjob)?
>     Would the resolved uid- & gidNumbers still not overlap?

Don't think I need to answer this, mainly because what you are
proposing isn't going to work.

Why don't you use the attributes that ADUC uses, 'msSFU30MaxUidNumber'
and 'msSFU30MaxGidNumber', I am very sure that you will be able to add
'ypServ30.ldif' (it appears to be what IDMU used.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba