[Samba] Failed to convert SID to a UID

Rowland Penny rpenny at samba.org
Mon Jun 12 06:55:52 UTC 2023



On 12/06/2023 07:04, Christian Naumer via samba wrote:
> Am Samstag, dem 10.06.2023 um 20:57 +0100 schrieb Rowland Penny via samba:
>>
>>
>> On 10/06/2023 20:37, Christian Naumer via samba wrote:
>>> That might be the right direction. The standard krb5.conf on rhel/rocky breaks samba. At
>>> least for us. That is why we always replace it with a custom one.
>>
>> It might be an idea if we could see your definition of the standard
>> krb5.conf. I ask this because I have set up a Unix domain member on both
>> Rocky Linux 8 and 9 with my idea of the standard krb5.conf and they both
>> worked.
> 
> 
> In Rocky 8 we have this as standard which we usually replace:
> 
> # To opt out of the system crypto-policies configuration of krb5, remove the
> # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
> includedir /etc/krb5.conf.d/
> 
> [logging]
>      default = FILE:/var/log/krb5libs.log
>      kdc = FILE:/var/log/krb5kdc.log
>      admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>      dns_lookup_realm = false
>      ticket_lifetime = 24h
>      renew_lifetime = 7d
>      forwardable = true
>      rdns = false
>      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
>      spake_preauth_groups = edwards25519
> #    default_realm = EXAMPLE.COM
>      default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> # EXAMPLE.COM = {
> #     kdc = kerberos.example.com
> #     admin_server = kerberos.example.com
> # }
> 
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
> 
> I think it does not like the "crypto-policies" file in the includedir. But I am unsure. Maybe
> this is different now but it used to be a problem.
> 
> Here is what we replace it with:
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = EXAMPLEREALM.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> default_ccache_name = KEYRING:persistent:%{uid}
> 
> Regards
> 
> Christian
> 
> 

I used this /etc/krb5.conf on a machine called 'rocky9'

[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM
   dns_lookup_kdc = false
   dns_lookup_realm = true

[realms]
	SAMDOM.EXAMPLE.COM = {
		default_domain = samdom.example.com
	}

[domain_realm]
	ROCKY9 = SAMDOM.EXAMPLE.COM

I also did this:

sudo rm /etc/krb5.conf.d/crypto-policies

I ended up with a fully working Unix domain member using the 'rid' idmap backend.

Rowland
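The thread turns on three things in krb5.conf: the `includedir /etc/krb5.conf.d/` line that pulls in Rocky's crypto-policies snippet, whether `[libdefaults]` carries a `default_realm`, and how a KDC is found (`kdc =` entries versus `dns_lookup_kdc`). The checker below is an added example written for this thread, not code from Samba or from either poster. It parses the krb5.conf syntax seen above (section headers, `key = value`, nested `NAME = { ... }` blocks, comments, `include`/`includedir` directives) and reports those points for each config; the sample configs are trimmed copies of the ones quoted in the thread, embedded as strings so nothing on the real filesystem is read. The rules in `lint_for_domain_member` are this example's reading of the thread, not Samba documentation.

```python
"""krb5.conf checker written for this thread (example code, not Samba's)."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")          # [libdefaults]
BLOCK_OPEN_RE = re.compile(r"^([^=]+?)\s*=\s*\{$")   # REALM = {
KEYVAL_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")     # key = value


def parse_krb5_conf(text):
    """Return ({section: {key: value | nested dict}}, [(directive, path)])."""
    sections, directives, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # blank line or comment
        parts = line.split(None, 1)
        if parts[0] in ("include", "includedir") and len(parts) == 2:
            directives.append((parts[0], parts[1]))    # pulls in more files
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:                                          # open a nested block
            stack.append(stack[-1].setdefault(m.group(1).strip(), {}))
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {line!r}")
        stack[-1][m.group(1).strip()] = m.group(2).strip()
    if len(stack) > 1:
        raise ValueError("unbalanced '{'")
    return sections, directives


def lint_for_domain_member(text):
    """Return the points the thread raises, as strings; [] means nothing to note."""
    sections, directives = parse_krb5_conf(text)
    lib = sections.get("libdefaults", {})
    notes = []
    for directive, path in directives:
        notes.append(f"{directive} {path}: snippets there are merged in "
                     "(on Rocky that is where crypto-policies lives)")
    if "default_realm" not in lib:
        notes.append("[libdefaults] has no default_realm")
    # MIT krb5 treats dns_lookup_kdc as true when it is not set at all.
    dns_kdc = lib.get("dns_lookup_kdc", "true").lower() == "true"
    for realm, body in sections.get("realms", {}).items():
        if isinstance(body, dict) and "kdc" not in body and not dns_kdc:
            notes.append(f"realm {realm}: no kdc entry and dns_lookup_kdc is "
                         "false, so this file gives plain krb5 clients no way "
                         "to find a KDC")
    return notes


# Constructed samples, trimmed from the configs quoted in the thread.
ROCKY_DEFAULT = """\
includedir /etc/krb5.conf.d/

[libdefaults]
    dns_lookup_realm = false
    rdns = false
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
# }
"""

REPLACEMENT = """\
[libdefaults]
default_realm = EXAMPLEREALM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
"""

ROCKY9_MEMBER = """\
[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM
   dns_lookup_kdc = false
   dns_lookup_realm = true

[realms]
    SAMDOM.EXAMPLE.COM = {
        default_domain = samdom.example.com
    }

[domain_realm]
    ROCKY9 = SAMDOM.EXAMPLE.COM
"""

if __name__ == "__main__":
    for name, cfg in (("rocky default", ROCKY_DEFAULT),
                      ("replacement", REPLACEMENT),
                      ("rocky9 member", ROCKY9_MEMBER)):
        print(name, lint_for_domain_member(cfg) or ["nothing to note"])
```

Run it as-is to see the three reports; to check a live machine, replace the embedded strings with `open("/etc/krb5.conf").read()`. The parser does not follow `includedir` itself, it only reports the directive, so snippets under /etc/krb5.conf.d/ (such as crypto-policies) have to be inspected separately.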


