[Samba] The security id structure is invalid

Rowland Penny rpenny at samba.org
Sat Oct 8 17:14:02 UTC 2016


See inline comments:

On Sat, 8 Oct 2016 13:00:22 -0400
Ron García-Vidal via samba <samba at lists.samba.org> wrote:

> On 10/8/16 10:32 AM, Rowland Penny via samba wrote:
> > Please post your smb.conf from the DC, the 'samba' daemon should
> > start winbind, if you run 'ps ax | grep winbind', you should get
> > something like this:
> Sorry, Samba wasn't running when I tried that command. Here's the
> output:
> 
> wbinfo --sid-to-gid=S-1-5-21-1319907214-2951884047-2640289736-512
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-1319907214-2951884047-2640289736-512
> to gid
> 
> Here is my smb.conf:
> 
> # Global parameters
> [global]
>          workgroup = MYDOMAIN
>          realm = DC1.MYDOMAIN.NET
>          netbios name = SAMBASERVER
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>          time server = yes
>          ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd/
>          idmap_ldb:use rfc2307 = yes
> #       debug level = 9
> 

You might as well remove the next 7 lines, they do nothing on a DC

> # Winbind settings
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
> 
> idmap config MYDOMAIN : default = yes
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 0-200000
> 
> template shell = /bin/bash

Replace %ACCOUNTNAME% with %U

> template homedir = /home/%ACCOUNTNAME%

I would also remove the next block of lines, except possibly for the
'enum' ones

> winbind separator = +
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> winbind offline logon = Yes
> 
> 
> 
> #======================= Share Definitions =======================
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/dc1.evilgenius.net/scripts
>          read only = No
> 
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> 
> ;[homes]
> ;   comment = Home Directories
> ;   browseable = no
> 
> 

Can I also suggest replacing 'winbind' in the 'server services' line
with 'winbindd'

Do any of your users log into the DC?

Rowland
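The points raised in the reply above (idmap config lines that do nothing on a DC, %ACCOUNTNAME% instead of %U, winbind lines other than the 'enum' ones, and 'winbind' rather than 'winbindd' in 'server services') can be checked mechanically. The script below is an added example, not part of this thread or of Samba itself; the smb.conf it writes is a constructed sample that only reproduces the problematic lines from the post.

```shell
#!/bin/sh
# Lint a Samba DC smb.conf for the settings discussed in the thread.

# Constructed sample reproducing the post's problem lines (not a real server's config).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
        workgroup = MYDOMAIN
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap config * : backend = tdb
        idmap config * : range = 30000-40000
        idmap config MYDOMAIN : backend = ad
        template homedir = /home/%ACCOUNTNAME%
        winbind enum users = yes
        winbind use default domain = Yes
EOF
}

# lint_dc_smb_conf FILE: print one finding per line; prints nothing for a clean file.
lint_dc_smb_conf() {
    f=$1
    # The advice only applies to a DC; a member server does need its idmap config.
    grep -Eiq '^[[:space:]]*server role[[:space:]]*=[[:space:]]*active directory domain controller' "$f" || return 0
    # 'idmap config' lines do nothing on a DC
    grep -Ei '^[[:space:]]*idmap config' "$f" | sed 's/^[[:space:]]*/does nothing on a DC: /'
    # %ACCOUNTNAME% is not an smb.conf substitution; the user name is %U
    grep -Ei '^[[:space:]]*template homedir.*%ACCOUNTNAME%' "$f" | sed 's/^[[:space:]]*/use %U instead: /'
    # winbind settings other than 'winbind enum users/groups' can go on a DC
    grep -Ei '^[[:space:]]*winbind ' "$f" | grep -Eiv 'winbind enum (users|groups)' | sed 's/^[[:space:]]*/remove on a DC: /'
    # the service name in 'server services' should be 'winbindd', not 'winbind'
    grep -Ei '^[[:space:]]*server services.*[=,][[:space:]]*winbind([[:space:]]*,|[[:space:]]*$)' "$f" | sed 's/^[[:space:]]*/rename winbind to winbindd: /'
}

# count_findings FILE: number of findings, for use as a pass/fail check
count_findings() {
    lint_dc_smb_conf "$1" | grep -c . || true
}

# Usage: sh lint_dc_smb_conf.sh [smb.conf]; without an argument the constructed sample is linted.
conf=${1:-}
if [ -z "$conf" ]; then conf=$(mktemp); write_sample_conf "$conf"; fi
lint_dc_smb_conf "$conf"
```

On the constructed sample the script reports six findings: three idmap lines, the template homedir, one non-enum winbind line and the 'winbind' service name.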


