Problem: The server account of the PDC was overwritten in Windows AD

Problem:

By accident the server account was overwritten in AD.
After restoring it, winbind was still not working properly:

wbinfo -S S-1-5-21-2562388649-2653757102-2982837019-500
 `WBC_ERR_DOMAIN_NOT_FOUND`

or

smbclient //$(hostname -f)/print$ -U Administrator
`WBC_ERR_DOMAIN_NOT_FOUND`

log.winbind

[2023/03/08 15:45:31.702554, 10, pid=1139, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/wb_sids2xids.c:154(wb_sids2xids_send)
SID 0: S-1-5-21-2562388649-2653757102-2982837019-500
[2023/03/08 15:45:31.702590, 10, pid=1139, effective(0, 0), real(0, 0)] …/…/source3/lib/idmap_cache.c:58(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-2562388649-2653757102-2982837019-500]: value=[-1:N]
[2023/03/08 15:45:31.702605, 10, pid=1139, effective(0, 0), real(0, 0)] …/…/source3/lib/idmap_cache.c:77(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-2562388649-2653757102-2982837019-500]: id=[4294967295], endptr=[:N]
[2023/03/08 15:45:31.702625, 10, pid=1139, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:805(process_request_done)
process_request_done: [wbinfo(12857):SIDS_TO_XIDS]: NT_STATUS_OK
[2023/03/08 15:45:31.702651, 10, pid=1139, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:849(process_request_written)
process_request_written: [wbinfo(12857):SIDS_TO_XIDS]: delivered response to client

(wbinfo's own error output, interleaved with the log on the terminal:)
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2562388649-2653757102-2982837019-500 to uid
[2023/03/08 15:45:31.703024, 6, pid=1139, effective(0, 0), real(0, 0), class=winbind] …/…/source3/winbindd/winbindd.c:964(winbind_client_request_read)
closing socket 23, client exited

Investigation:

During a restart of winbindd you see "Invalid credentials" in log.winbindd-idmap:

[2023/03/09 20:16:07.148360, 10, pid=32695, effective(0, 0), real(0, 0)] …/…/source3/lib/smbldap.c:1014(smbldap_connect_system)
ldap_connect_system: Binding to ldap server ldap://srv01.schein.ig:7389 ldap://srv04.schein.ig:7389 as "cn=srv01,cn=dc,cn=computers,dc=schein,dc=ig"
[2023/03/09 20:16:07.157052, 0, pid=32695, effective(0, 0), real(0, 0)] …/…/source3/lib/smbldap.c:1059(smbldap_connect_system)
failed to bind to server ldap://srv01.schein.ig:7389 ldap://srv04.schein.ig:7389 with dn="cn=srv01,cn=dc,cn=computers,dc=schein,dc=ig" Error: Invalid credentials
	(unknown)
[2023/03/09 20:16:07.157199, 1, pid=32695, effective(0, 0), real(0, 0)] …/…/source3/lib/smbldap.c:1272(get_cached_ldap_connect)
Connection to LDAP server failed for the 1 try!

Check whether the credentials stored in secrets.tdb still match the current machine secret. The grep prints the key of every entry whose value equals the current secret; if nothing is printed, secrets.tdb still holds the old password:

tdbdump /var/lib/samba/private/secrets.tdb | grep -B1 " = \"$(cat /etc/machine.secret)"'\\00"$'

Solution:

Set the correct machine.secret in the database:

net idmap set secret '*' "$(cat /etc/machine.secret)"  ## for IDMAP_LDAP_*
/usr/bin/smbpasswd -w "$(cat /etc/machine.secret)"  ## for LDAP_BIND_PW

Then flush the winbind cache and repeat the lookup; the SID now resolves to a uid:

root@srv01:~# net cache flush; wbinfo -S S-1-5-21-2562388649-2653757102-2982837019-500
    2002
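As an added example (not from the original post), the script below turns the tdbdump check above into a function that reports which secrets.tdb entries still hold a stale password, and wraps the two re-set commands from the solution in a function of their own. The tdbdump record layout (a `key(N) = "…"` line followed by a `data(N) = "…\00"` line), the key names in the sample dump and the sample secrets are my assumptions, not real output from the affected host; the optional key regex exists because binary records such as SIDs are not NUL-terminated strings and would otherwise be reported as stale.

```shell
#!/bin/sh
# Added example, not from the original post: compare the string-valued
# SECRETS/ records of a secrets.tdb dump against the current machine secret,
# so you know which stored passwords are stale before re-setting them.
#
# Assumptions (mine): tdbdump prints each record as
#   key(N) = "..."
#   data(N) = "...\00"
# and the key names in SAMPLE_DUMP are illustrative only.

# classify_secrets DUMP_TEXT EXPECTED_SECRET [KEY_REGEX]
# Prints "<key><TAB>ok" or "<key><TAB>stale" for every record whose key
# matches KEY_REGEX (default: everything under SECRETS/).
classify_secrets() {
    printf '%s\n' "$1" | awk -v want="$2" -v pat="${3:-^SECRETS/}" '
        /^key\(/ {
            sub(/^key\([0-9]+\) = "/, ""); sub(/"$/, "")
            key = $0; next
        }
        /^data\(/ && key ~ pat {
            # strip the tdbdump framing and the trailing NUL escape
            sub(/^data\([0-9]+\) = "/, ""); sub(/\\00"$/, "")
            printf "%s\t%s\n", key, ($0 == want ? "ok" : "stale")
            key = ""
        }'
}

# stale_secrets DUMP_TEXT EXPECTED_SECRET [KEY_REGEX]
# Prints only the keys whose stored value differs from EXPECTED_SECRET.
stale_secrets() {
    classify_secrets "$1" "$2" "${3:-^SECRETS/}" | awk -F'\t' '$2 == "stale" { print $1 }'
}

# repair_machine_secret
# Re-stores the machine secret exactly as the post does and flushes the
# winbind cache. Runs the real tools, so it needs root on the UCS host;
# it is defined here but not invoked.
repair_machine_secret() {
    secret=$(cat /etc/machine.secret)
    net idmap set secret '*' "$secret"      # IDMAP_LDAP_*
    /usr/bin/smbpasswd -w "$secret"        # LDAP_BIND_PW
    net cache flush
}

# Constructed sample dump (not real tdbdump output): one stale LDAP bind
# password, one current idmap secret, and one binary SID record. The key
# names are assumed for illustration.
SAMPLE_DUMP='{
key(64) = "SECRETS/LDAP_BIND_PW/cn=srv01,cn=dc,cn=computers,dc=schein,dc=ig"
data(10) = "oldsecret\00"
}
{
key(72) = "SECRETS/GENERIC/IDMAP_LDAP_*/cn=srv01,cn=dc,cn=computers,dc=schein,dc=ig"
data(10) = "newsecret\00"
}
{
key(18) = "SECRETS/SID/SCHEIN"
data(24) = "\01\04\00\00\00\00\00\05\15\00\00\00\E9\86\BD\98\AE\DE\1D\9E\DB\E7\C6\B1"
}'

# Real-world usage (as root, on the host):
#   stale_secrets "$(tdbdump /var/lib/samba/private/secrets.tdb)" \
#                 "$(cat /etc/machine.secret)" 'LDAP'
# An empty result means both LDAP passwords already match; otherwise run
# repair_machine_secret and re-check with wbinfo -S as in the post.
```

Restricting the key regex to `LDAP` keeps the comparison to the two records the post actually re-sets; with the default pattern the SID record is listed as stale simply because its value is not a password.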