[Samba] winbind pam trouble

[Rowland penny]

On 12/04/16 08:03, lists wrote:
> Some other observations in log.winbindd-idmap:
>
>> [2016/04/12 08:37:54.028456,  1] 
>> ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
>>   Could not get unix ID for SID 
>> S-1-5-21-90839350-987482234-868425949-133237
>> [2016/04/12 08:45:57.051863,  1] 
>> ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
>>   Could not get unix ID for SID 
>> S-1-5-21-90839350-987482234-868425949-133222
>
> This happens for 30 different SID's: some with a long last RID:
>
>> Could not get unix ID for SID 
>> S-1-5-21-90839350-987482234-868425949-133237
>> Could not get unix ID for SID 
>> S-1-5-21-90839350-987482234-868425949-132270
>> Could not get unix ID for SID 
>> S-1-5-21-90839350-987482234-868425949-132722
>
> and with shorter RID's like
>> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-501
>> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-502
>> Could not get unix ID for SID S-1-5-21-90839350-987482234-868425949-517
>
> However, and looking at an ldif dump of our CN=Users, I can't find 
> these numbers...?
>
> Anyone..?
>
> MJ
>

You have real trouble if you don't have the last three :-D

They are well known SIDs

501 is Guest
502 is krbtgt
517 is Cert Publishers

Try opening a terminal on the DC and run this:

ldbsearch -H /usr/local/samba/private/sam.ldb 
'(objectsid=S-1-5-21-90839350-987482234-868425949-501)'

This should display the AD object for the SID, provided you have 
compiled Samba yourself or have installed ldb-tools and changed 
'/usr/local/samba/private' for the path to your sam.ldb.

Repeat for the other SIDs.

Rowland