[Samba] NT_STATUS_NONE_MAPPED in winbind logs

Rowland Penny rpenny at samba.org
Tue Oct 4 14:53:53 UTC 2022



On 04/10/2022 14:05, mhbeyle at gmail.com wrote:
> Rowland Penny rpenny at samba.org
> Tue Oct 4 11:01:52 UTC 2022
> 
>> > Hi, samba users ...
>> >
>> > I have configured a samba installation (4.13) to act as a BDC in a
>> > windows domain.
>>
>> Samba 4.13.x is EOL as far as Samba is concerned and due to the numerous
>> CVEs and the upgrade to Heimdal, I suggest you upgrade to 4.16.x if
>> possible.
>> You do not have a BDC, that is something else entirely, you have an AD
>> DC. You also didn't say what level the rest of the domain is.
> Sorry for my bad explanation.
> I am referring to a BDC (Backup domain controller). In the domain there 
> is already a PDC (Primary domain controller) working and what I want now 
> is to add a secondary domain controller.
>>
>> > Everything works correctly: the different users login to
>> > the domain, access their files, permissions and roles are
>> > configured, etc.
>> >
>> > However, when I access the /var/log/samba/ directory there is a file
>> > called log.wb-[DOMAIN] with thousands of lines similar to the
>> > following:
>> >
>> > [2022/09/30 13:46:20.964639, 3]
>> > ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
>> > sam_name_to_sid
>> > [2022/09/30 13:46:20.964646, 3]
>> > ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
>> > name_to_sid: [DOMAIN]\NOT for domain [DOMAIN].
>> > [2022/09/30 13:46:20.964803, 2]
>> > ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid) name_to_sid:
>> > failed to lookup name: NT_STATUS_NONE_MAPPED
>> > [2022/09/30 13:46:20.965021, 3]
>> > ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp) string_to_sid:
>> > SID is not in a valid format
>> > [2022/09/30 13:46:26.187044, 3]
>> > ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
>> > sam_name_to_sid
>> > [2022/09/30 13:46:26.187050, 3]
>> > ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
>> > name_to_sid: [DOMAIN]\ROOT for domain [DOMAIN].
>> > [2022/09/30 13:46:26.187216, 2]
>> > ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid) name_to_sid:
>> > failed to lookup name: NT_STATUS_NONE_MAPPED
>> > [2022/09/30 13:46:26.187321, 3]
>> > ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp) string_to_sid:
>> > SID is not in a valid format
>>
>> They appear to be Unix users and as such will not have a SID, but 'root'
>> should be mapped to 'Administrator' in idmap.ldb
> 
> I have no idea what these lines mean and how I can find out which UNIX 
> users do not have SIDs and are causing this error.
> The log lines often refer to shared directories.
> 
> What is "SID is not in a valid format" and "failed to lookup name"?

No Unix user (those in /etc/passwd) will have a SID, only Windows or 
Samba users will have a SID.


>> >
>>
>> Is Zentyal involved here? I ask this because you have numerous lines
>> that you do not need and have only seen in a Zentyal DC smb.conf before,
>> 'server role check:inhibit = yes' being one of them. You would only need
>> this if you wanted to run 'nmbd' on a DC and you should never run 'nmbd'
>> on a DC.
>>
>> Rowland
> 
> In fact, I have configured the BDC server with Zentyal.

I will say this again, but louder, THIS IS NOT A BDC!

It is just another AD DC and all AD DCs are equal except for the FSMO 
roles and they can be on any AD DC.

> However, I have other identical servers that do not give this problem 
> with the logs.

If you have other identical DCs that do not have this problem, then I 
suggest you compare a known 'good' one with your 'bad' one, it is 
possible there is a difference.

> As I said before, everything in the domain works correctly. The BDC 
> works fine if I disconnect the PDC: the users are able to login, access 
> the shared resources and so on.

Will you please stop using terms that refer to NT4-style domains, they 
could confuse someone searching for a similar problem in the future. You 
may think this is being petty, but it does matter.

You still haven't told us what version the Windows DCs are running.

Rowland
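
For the question of which names are behind the NT_STATUS_NONE_MAPPED entries, the following is an added example, not part of the original message and not Samba code: it pairs each name_to_sid lookup in a log.wb-[DOMAIN] file with the failure that follows it and separates names that exist in /etc/passwd from the rest. The sample log is constructed in the layout of the excerpt quoted above, with "EXAMPLE" as a placeholder domain and "alice" as a made-up account.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted log.wb-[DOMAIN] excerpt;
# "EXAMPLE" and "alice" are placeholders, not values from the thread.
SAMPLE_LOG = r"""
[2022/09/30 13:46:20.964646,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\NOT for domain EXAMPLE.
[2022/09/30 13:46:20.964803,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:26.187050,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ROOT for domain EXAMPLE.
[2022/09/30 13:46:26.187216,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:27.000001,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\alice for domain EXAMPLE.
[2022/09/30 13:46:31.000002,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ROOT for domain EXAMPLE.
[2022/09/30 13:46:31.000150,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
"""

LOOKUP = re.compile(r"name_to_sid:\s*(?P<dom>[^\\\s]+)\\(?P<name>.+?) for domain ")
FAILED = re.compile(r"failed to lookup name:\s*(?P<status>NT_STATUS_\w+)")

def unmapped_names(log_text, status="NT_STATUS_NONE_MAPPED"):
    """Count names whose name_to_sid lookup was followed by a failure with `status`."""
    counts = Counter()
    pending = None  # name from the latest lookup line that has no result yet
    for line in log_text.splitlines():
        m = LOOKUP.search(line)
        if m:
            pending = m.group("name")  # a lookup with no failure line is overwritten here
            continue
        m = FAILED.search(line)
        if m:
            if pending is not None and m.group("status") == status:
                counts[pending] += 1
            pending = None
    return counts

def classify(counts, local_users):
    """Split failed names into local Unix account names (case-insensitive) and others."""
    local = {u.lower() for u in local_users}
    unix = {n: c for n, c in counts.items() if n.lower() in local}
    return unix, {n: c for n, c in counts.items() if n not in unix}

if __name__ == "__main__":
    with open("/etc/passwd") as fh:  # the Unix users referred to in the reply
        print(classify(unmapped_names(SAMPLE_LOG), [l.split(":")[0] for l in fh]))
```

To run it against a real log, pass the file's contents to unmapped_names() in place of SAMPLE_LOG; it assumes the per-domain log is written sequentially, so each failure belongs to the lookup line immediately before it.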


