[Samba] Failed to convert SID to a UID

Christian Naumer christian.naumer at greyfish.net
Mon Jun 12 06:04:18 UTC 2023


On Saturday, 10.06.2023 at 20:57 +0100, Rowland Penny via samba wrote:
> 
> 
> On 10/06/2023 20:37, Christian Naumer via samba wrote:
> > That might be the right direction. The standard krb5.conf on rhel/rocky breaks samba. At
> > least for us. That is why we always replace it with a custom one.
> 
> It might be an idea if we could see your definition of the standard 
> krb5.conf. I ask this because I have set up a Unix domain member on both 
> Rocky Linux 8 and 9 with my idea of the standard krb5.conf and they both 
> worked.


In Rocky 8 we have this as standard which we usually replace:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

I think it does not like the "crypto-policies" file in the includedir. But I am unsure. Maybe
this is different now, but it used to be a problem.

Here is what we replace it with:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLEREALM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_ccache_name = KEYRING:persistent:%{uid}

Regards

Christian
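
Added example, not part of the message above and not Samba or MIT krb5 code: a small Python comparison of the two configurations quoted in the message, listing which [libdefaults] settings are actually set (commented-out lines do not count) and which include directives are present. The function names parse_krb5 and diff_section are hypothetical, the embedded text is an excerpt of the two files from the message, and the parser assumes flat "key = value" sections only.

```python
# Added example: compare the effective settings of two krb5.conf texts.
STOCK = """\
includedir /etc/krb5.conf.d/

[libdefaults]
    dns_lookup_realm = false
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
"""

CUSTOM = """\
[libdefaults]
default_realm = EXAMPLEREALM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
default_ccache_name = KEYRING:persistent:%{uid}
"""

def parse_krb5(text):
    """Return (sections, includes); commented-out lines do not count as set."""
    sections, includes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("includedir ", "include ")):
            includes.append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections, includes

def diff_section(a, b, name="libdefaults"):
    """Map each key whose value differs to (value_in_a, value_in_b); None = unset."""
    sa, sb = a.get(name, {}), b.get(name, {})
    return {k: (sa.get(k), sb.get(k)) for k in sorted(set(sa) | set(sb)) if sa.get(k) != sb.get(k)}

if __name__ == "__main__":
    (stock, stock_inc), (custom, custom_inc) = parse_krb5(STOCK), parse_krb5(CUSTOM)
    print("includes:", stock_inc, "->", custom_inc)
    for key, (old, new) in diff_section(stock, custom).items():
        print(f"{key}: {old!r} -> {new!r}")
```

The output only shows where the two files differ; it does not say which difference is responsible for the failure discussed in the thread.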
