Description of problem:
I have in the userdb LDAP backend (multi-master replicas) this one user (and many others):

(raw ldap):
# user243, People, xxzz.tech
dn: uid=user243,ou=People,dc=xxzz,dc=tech
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: user243
homeDirectory: /home/user243
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
gecos: Some User
sambaPwdCanChange: 2147483647
mail: user243
sn: User
cn: Some User
givenName: Some
displayName: Some User
gidNumber: 513
uidNumber: 1177
sambaSID: S-1-5-21-2925918746-2661067204-1764633667-2002
sambaLMPassword: ED84DDFFD9A97C2ECA922D8A7EE0CA0B
sambaAcctFlags: [U]
sambaNTPassword: 079073B583031A7AAE5D5C2D049FC05A
userPassword:: e1NTSEF9TEl6QXB1TEpkNDZ6N1hxWFFiNFhTWUtxbXZKcmMwOTU=
shadowLastChange: 17038
shadowWarning: 4
shadowExpire: 17449
shadowMax: 99999
sambaKickoffTime: 1507597200
sambaPwdLastSet: 1476091342
sambaPwdMustChange: 2147483647
shadowMin: 99999

Version-Release number of selected component (if applicable):
The server (4.2.10, which is the BDC) fails; smbclient locally:
SPNEGO login failed: Indicates the SID structure is not valid.
session setup failed: NT_STATUS_INVALID_SID

pdbedit -v ...
Primary group S-1-5-21-2925918746-2661067204-1764633667-513 for user user243 is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for user243
...but the remaining info gets shown.

Another server (3.6.23-36.el6_8) which is the PDC (it's not an AD setup) has no problems whatsoever.

Before you ask for logs: when I do smbclient or pdbedit on the failing (4.2.) server, nothing gets logged, even with level 10 of debugging.
Only journald logs:
0, pid=37787, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:494(check_sam_security) check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INVALID_SID'

faulty samba:
$ net getdomainsid
SID for local machine RIDER is: S-1-5-21-2925918746-2661067204-3920627605
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667

good samba:
$ net getdomainsid
SID for local machine TUNA is: S-1-5-21-2925918746-2661067204-4277062323
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667

How reproducible:
Not really sure; have an LDAP backend for a 3.x version and see that 4.2.x won't work?

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
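As an added diagnostic (not Samba's code and nothing the reporter ran), the following parses the raw LDAP record and the `net getdomainsid` output from the report and checks that the user's sambaSID sits under the domain SID rather than the local machine SID; it assumes, as in this report, that the primary group RID equals gidNumber (513 = Domain Users).

```python
"""Added diagnostic (not Samba's or the reporter's code): check a user's SID attributes
from the raw LDAP record against the SIDs printed by `net getdomainsid`.
Assumption: as in the report, the primary group RID equals gidNumber (513 = Domain Users)."""
import re

# Constructed input: the SID-related attributes of the user record in the report.
USER_LDIF = """\
dn: uid=user243,ou=People,dc=xxzz,dc=tech
uid: user243
gidNumber: 513
uidNumber: 1177
sambaSID: S-1-5-21-2925918746-2661067204-1764633667-2002
userPassword:: e1NTSEF9TEl6QXB1TEpkNDZ6N1hxWFFiNFhTWUtxbXZKcmMwOTU=
"""
# Constructed input: `net getdomainsid` output of the failing BDC (RIDER) in the report.
NET_GETDOMAINSID = """\
SID for local machine RIDER is: S-1-5-21-2925918746-2661067204-3920627605
SID for domain XXZZ_TEC is: S-1-5-21-2925918746-2661067204-1764633667
"""
# Well-known RIDs of the built-in domain groups.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def parse_ldif(text):
    """Collect 'attr: value' lines; skip comments and base64 ('attr:: value') lines."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if line.startswith("#") or not sep or key.endswith(":"):
            continue
        attrs.setdefault(key, []).append(value)
    return attrs

def parse_getdomainsid(text):
    """Map 'local machine' and 'domain' to the SIDs printed by `net getdomainsid`."""
    pattern = r"SID for (local machine|domain) \S+ is: (S-[\d-]+)"
    return dict(re.findall(pattern, text))

def check_user(ldif_text, getdomainsid_text):
    """Return the user's RID, whether its SID sits under the domain SID, and findings."""
    attrs = parse_ldif(ldif_text)
    sids = parse_getdomainsid(getdomainsid_text)
    prefix, rid = attrs["sambaSID"][0].rsplit("-", 1)
    gid = int(attrs["gidNumber"][0])
    findings = []
    if prefix == sids["local machine"]:
        findings.append("sambaSID is under the local machine SID, not the domain SID")
    elif prefix != sids["domain"]:
        findings.append("sambaSID prefix %s is not the domain SID %s" % (prefix, sids["domain"]))
    if gid not in WELL_KNOWN_GROUP_RIDS:
        findings.append("gidNumber %d is not a well-known domain group RID" % gid)
    return {"user_rid": int(rid), "domain_match": prefix == sids["domain"],
            "primary_group": WELL_KNOWN_GROUP_RIDS.get(gid), "findings": findings}
```

For this record the check comes back clean (RID 2002 under the domain SID, gidNumber 513 = Domain Users), so the LDAP data itself is consistent with the domain SID the failing server reports.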
The server that fails (4.2.10, which is the BDC) has:

domain logons = no

I've tried the samba mailing list hoping to grasp the complete meaning of this param, but without any response there. If this is a misconfiguration, then the trouble is that it is not described anywhere. If I change the above to "yes" then the problem does not occur. I don't know whether it's a bug, some compatibility issue between versions or...
From the smb.conf manpage:

domain logons (G)
If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the workgroup it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services.

If you disable 'domain logons' then users will not be able to authenticate with this NT4 DC. If you want users to be able to authenticate, you need to enable it.