
Re: [Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE

On Wed, 10 Apr 2019 19:47:27 +0200
Martin Krämer via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello All,
> I just discovered that the last one I unfortunately sent only to Louis
> - not the list.
> So below are my answers included (and log outputs that were
> requested).
> Nevertheless, in the meantime I have investigated further into SAMBA &
> winbind. I was able to set up a samba dc based on previous instructions
> and guidelines successfully.
> I additionally set up a Debian samba member with winbind.
> Unfortunately on that samba member I faced the issue of "Could not
> convert sid: NT_STATUS_NO_SUCH_USER"
> when trying to run "winbind -i <username>" while "winbind -n
> <username>" works correctly on the client.
> (On the DC both commands work correctly.)
> With some more research I found the following articles:
> https://wiki.samba.org/index.php/Idmap_config_ad
> and
> https://wiki.samba.org/index.php/Adding_users_with_samba_tool#Adding_Unix_attributes_to_a_Windows_user
> But after reading these two articles I am left over with some
> questions I hope you can help me with:
> 1. Did I understand correctly that if I want to make sure winbind
> resolution is working correctly (independently of Samba user, Samba
> group or Samba computer account) I have to set
>    non-overlapping uidNumbers for users and computers and
> non-overlapping gidNumbers for groups?

If you use the winbind 'ad' backend, then your users must have a unique
uidNumber attribute and Domain Users (at least) a gidNumber attribute.
These attributes must be inside the range you set in smb.conf.

You can however use the winbind 'rid' backend and this does not require
adding anything to AD.

> 2. Did I understand correctly that these uid- & gidNumbers cannot be
> set automatically/managed by samba-tool or any other linux out of box
> tool? 

Have a look at LAM, (LDAP Account Manager)

> 3. Did I understand correctly that on Windows the "Active
> Directory Users and Computers" (ADUC) sets automatically/manages the
> uid- & gidNumbers for users & groups, but not for computers?


> 4. Did I understand correctly that if I set the uid- & gidNumbers via
> samba-tool or ldbedit there is no verification if an uid- & gidNumber
> already exists?


> --- that was the understanding part - now the real questions :) ---
> 5. Assuming 3 & 4 are correct, what happens if I create one user/group via
> samba-tool/ldbedit and another one via ADUC - does ADUC take care of
> not using the same uid-/gidNumber as the user created/set within
> samba-tool/ldbedit?


> 6. Assuming 2 is correct, that means I have to take care of setting
> the uid- & gidNumbers (and no overlaps) by myself if not using
> ADUC (even with ADUC I have to take care of the uidNumber of computers
> by myself - but that's only secondary).


>    Nevertheless, I know that on my domain controller I can receive a
> uid- & gidNumber of the user/group independently of this being set in
> AD by using "wbinfo --name-to-sid <myuser>" and using the resolved
> SID further in "wbinfo --sid-to-uid <SID>".

That would only work if the user or group already has a
>    Based on this I could run a cronjob (just as a concept - maybe a
> cronjob is not the best solution) that sets the uid- & gidNumber received
> from the DC as a global AD uid- & gidNumber.

Don't think this will work.

>    Would this make sure the uid- & gidNumbers for users, computers and
> groups do not overlap?

Probably not.

> 7. If 6 were implemented - what happens if I have a second
> DC...will the uid- & gidNumbers received there differ from the
> ones of DC1? (If they would differ I assume I would have to
> make sure the cronjob runs only on the FSMO role owner, or?)

The RFC2307 attributes are stored in AD and as such are replicated to
all DCs.

> 8. If 7 were implemented with the FSMO role owner only - what
> would happen if that FSMO role owner has gone/will go offline and I
> would have to online/offline transfer - not seize - the FSMO roles
> (and with them the cronjob)?
>     Would the resolved uid- & gidNumbers still not overlap?

Don't think I need to answer this, mainly because what you are
proposing isn't going to work.

Why don't you use the attributes that ADUC uses, 'msSFU30MaxUidNumber'
and 'msSFU30MaxGidNumber'? I am very sure that you will be able to add
'ypServ30.ldif' (it appears to be what IDMU used).


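Added example (not part of the thread and not Samba's own code): a small Python check for the conditions the reply states for the winbind 'ad' backend, namely that every user has a unique uidNumber, that groups (Domain Users in particular) carry a gidNumber, and that both values lie inside the 'idmap config ... : range' set in smb.conf. This is the verification question 4 asks about: ldbedit writes whatever it is given and samba-tool's --uid-number/--gid-number options do not check for an existing value either, so a dump of the directory has to be checked afterwards. The smb.conf fragment, the domain name SAMDOM and the LDIF entries are constructed here; on a real DC the same input comes from 'ldbsearch -H /var/lib/samba/private/sam.ldb' with the attributes uidNumber, gidNumber, objectClass and sAMAccountName requested. The LDIF reader is deliberately minimal (no base64 '::' values, no folded lines).

```python
# Offline consistency check of the RFC2307 attributes the winbind 'ad' backend
# relies on. Added example, not Samba's code: the smb.conf fragment and the
# LDIF (shape of an 'ldbsearch ... uidNumber gidNumber' dump) are constructed.
import re
from collections import defaultdict

SMB_CONF = """
[global]
   workgroup = SAMDOM
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed: alice and bob collide, carol is outside the range, staff has no gidNumber.
LDIF = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 5000
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10000

dn: CN=staff,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
"""


def idmap_range(smb_conf, domain):
    """(low, high) taken from 'idmap config DOMAIN : range = low-high'."""
    pat = re.compile(r"^\s*idmap config\s+" + re.escape(domain)
                     + r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M | re.I)
    m = pat.search(smb_conf)
    if not m:
        raise ValueError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, every attribute as a list."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                       # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        else:
            key, _, val = line.partition(":")
            cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def check_rfc2307(entries, low, high):
    """Report what idmap_ad cannot map: a user (computer objects carry
    objectClass user too) without uidNumber, a group without gidNumber,
    an id outside the configured range, or an id used twice."""
    problems = []
    owners = {"uidNumber": defaultdict(list), "gidNumber": defaultdict(list)}
    for e in entries:
        name = e["dn"][0].split(",")[0][3:]       # first RDN: CN=alice -> alice
        classes = {c.lower() for c in e.get("objectClass", [])}
        attr = ("uidNumber" if "user" in classes
                else "gidNumber" if "group" in classes else None)
        if attr is None:
            continue
        if attr not in e:
            problems.append("%s: no %s, winbind cannot map it" % (name, attr))
            continue
        value = int(e[attr][0])
        owners[attr][value].append(name)          # remember who holds each id
        if not low <= value <= high:
            problems.append("%s: %s %d outside idmap range %d-%d"
                            % (name, attr, value, low, high))
    for attr, table in owners.items():            # second pass: duplicates
        for value, names in sorted(table.items()):
            if len(names) > 1:
                problems.append("%s %d shared by %s"
                                % (attr, value, ", ".join(sorted(names))))
    return problems


if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "SAMDOM")
    print("\n".join(check_rfc2307(parse_ldif(LDIF), low, high)))
```

On the constructed input this reports carol's uidNumber as outside the range, staff as unmappable for lack of a gidNumber, and uidNumber 10001 as shared by alice and bob; Domain Users passes. Computer objects carry objectClass user, so a real dump that includes them is checked against the same uidNumber table as the users, which is exactly the overlap the first question is about.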