OmniOS CE r151038y SMB / Active Directory problems after upgrade from 151030 [SOLVED]

amp

Hi all,

We have a file server with SMB shares on OmniOS CE r151038y with napp-it 21.06a5. We are using it in Domain Mode.

The system was upgraded a week ago from 151030 and apparently the upgrade went well. Now, /var/adm/messages is spammed with messages like:

Nov 4 15:56:45 spectre last message repeated 2 times
Nov 4 15:56:46 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9977
Nov 4 15:56:46 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9971
Nov 4 15:56:46 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=0, status=-9977
Nov 4 15:56:47 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9971
Nov 4 15:56:48 spectre last message repeated 2 times
Nov 4 15:56:49 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9977
Nov 4 15:56:49 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9971
Nov 4 15:56:49 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=0, status=-9977
Nov 4 15:56:50 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9971
Nov 4 15:56:52 spectre last message repeated 6 times
Nov 4 15:56:52 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9977
Nov 4 15:56:52 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9971
Nov 4 15:56:52 spectre last message repeated 1 time
Nov 4 15:56:52 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=0, status=-9977


Additionally, I can't manage the folder permissions from Windows anymore with the root user:

[Screenshot: 2021-11-04_16-03-23.png]

This is a Win7, but the same happens on a current Win10.

Also, when I try to set ACLs in the napp-it WebGUI, there are no ephemeral user mappings shown anymore:

[Screenshot: 2021-11-04_16-08-23.png]

Do I have an authentication problem? The other Windows machines in the office do work as domain members, and authentication works. Also, a Nextcloud instance and a VPN server authenticating against the AD server do work. Until the last upgrade this was working.

How can I fix this? I tried restarting the server and also rejoining the domain.

Thank you for your help.

Best, Alex
 

gea

Can you check menu Users
Has user root (uid=0) a Windows SID (created via the last passwd root)?

and
The trivial ACL everyone@ is missing / was deleted (results in the Windows SID entry instead of everyone@)

optionally, reboot 151030 BE to be sure that this is working there,
If so redo the update to 038 then to 040
 

amp

Hi gea,

Actually, the root user has no SID. Do I have to set the password again?

I will see how it is when I reboot to 151030, maybe tomorrow; currently some users are working on files on the server.

I will let you know how it goes.
 

amp

Hi gea,

So I managed to reboot the server to the old BE 151030 and all is working fine. The root user has a Windows SID, and the AD groups and AD users on the folder ACLs are properly displayed.

I did a new upgrade to 151038-LTS and the same as described above happened. I had to rejoin the domain, the root user has no SID, and so the SIDs on folders/files are not known, and in the Windows file/folder properties I cannot gain access to the security information, as shown in my first post. Then I upgraded further to 151040, but also no success; this even breaks ssh access, as some ciphers are apparently not properly exchanged.

So for now I am back on 151030, but to access some data with the Nextcloud SMB mount I would need SMB3 access.

Is there anything I can try to give the root user access on 151038/40 again? Do I have to set the local user passwd again? I can try these steps on the other BEs.
Tell me if you need more information or log files.

Looking forward to your reply. Alex

PS: Actually, on illumos there is already a topic about this: Topicbox
 

gea

You can try
- passwd root
- set an idmap any ad user -> user root

You may also try an update to 151036 where SMB 3.1.1 was added

You should ask also at Topicbox
The topic you linked is two years old.
 

wallenford

I am also suffering from this console output!!

It's a new box which had r151038ay & napp-it pro 22.03 installed, and
received a zpool from an old OmniOS r151030.
The box is used as a file server.

After:
- idmap add winuser:administrator@XXXXXXXX.com unixuser:root
- idmap add "wingroup:Domain Admins@XXXXXXXX.com" unixgroup:root
- idmap flush
- passwd root

I can see the SID in the napp-it menu now.
[Screenshot: Image 18.png]

I restarted the smb/server service and re-joined the AD server (which is a Zentyal 7.0 server running samba-ad-dc 4.11).

But "smbd.err: Can't get SID for ID=0 type=0, status=-9977"
is still flooding both /var/svc/log/network-smb-server\:default.log and the console.

====
Additional:

It seems the message is not output when no one is connected to the box via SMB sharing.
The message output becomes less after business hours and totally stopped at midnight,
then started again the next morning.
 
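An added example, not part of any post in this thread: a shell/awk summary of the smbd "Can't get SID" lines by hour, ID, type and status, which makes the business-hours pattern described in the last post measurable. It credits syslog "last message repeated N times" lines to the preceding error; the sample input is constructed in the format shown in the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise smbd "Can't get SID" errors per hour from syslog text.
# Reads log lines on stdin; prints "hour=HH id=N type=N status=N count=N".

summarise_sid_errors() {
  awk '
    /smbd\[[0-9]+\]:/ && /Can.t get SID for ID=/ {
      split($3, t, ":")                       # $3 is HH:MM:SS
      id = type = status = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^ID=/)     id = substr($i, 4)
        if ($i ~ /^type=/)   { type = substr($i, 6); sub(/,$/, "", type) }
        if ($i ~ /^status=/) status = substr($i, 8)
      }
      last = "hour=" t[1] " id=" id " type=" type " status=" status
      count[last]++
      next
    }
    /last message repeated [0-9]+ time/ {
      n = 0
      for (i = 1; i < NF; i++) if ($i == "repeated") n = $(i + 1) + 0
      # syslogd collapses duplicates: credit them to the preceding SID error,
      # or report them separately when that line is not in the input.
      if (last != "") count[last] += n; else orphan += n
      next
    }
    { last = "" }                             # any other message breaks the run
    END {
      for (k in count) print k " count=" count[k]
      if (orphan > 0) print "unattributed_repeats=" orphan
    }
  ' | LC_ALL=C sort
}

# Constructed sample input (not real log data), same layout as /var/adm/messages.
sample_log() {
  cat <<'EOF'
Nov 4 15:56:45 spectre last message repeated 2 times
Nov 4 15:56:46 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9977
Nov 4 15:56:46 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9971
Nov 4 15:56:48 spectre last message repeated 2 times
Nov 4 16:01:02 spectre smbd[11299]: [ID 617204 daemon.error] Can't get SID for ID=0 type=0, status=-9977
Nov 4 16:01:03 spectre constructed unrelated message from another daemon
Nov 4 16:01:04 spectre last message repeated 1 time
EOF
}

sample_log | summarise_sid_errors
```

On a live system the same function can be fed with `summarise_sid_errors < /var/adm/messages`; comparing the hourly counts with SMB session activity shows whether the errors track client connections.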