[Samba] Failed to convert SID to a UID

Robert Marcano robert at marcanoonline.com
Mon Jun 12 12:53:41 UTC 2023


On 6/12/23 2:55 AM, Rowland Penny via samba wrote:
> 
> 
> On 12/06/2023 07:04, Christian Naumer via samba wrote:
>> Am Samstag, dem 10.06.2023 um 20:57 +0100 schrieb Rowland Penny via 
>> samba:
>>>
>>>
>>> On 10/06/2023 20:37, Christian Naumer via samba wrote:
>>>> That might be the right direction. The standard krb5.conf on 
>>>> rhel/rocky breaks samba. At
>>>> least for us. That is why we always replace it with a custom one.
>>>
>>> It might be an idea if we could see your definition of the standard
>>> krb5.conf. I ask this because I have set up a Unix domain member on both
>>> Rocky Linux 8 and 9 with my idea of the standard krb5.conf and they both
>>> worked.
>>
>>
>> In Rocky 8 we have this as standard which we usually replace:
>>
>> # To opt out of the system crypto-policies configuration of krb5, 
>> remove the
>> # symlink at /etc/krb5.conf.d/crypto-policies which will not be 
>> recreated.
>> includedir /etc/krb5.conf.d/
>>
>> [logging]
>>      default = FILE:/var/log/krb5libs.log
>>      kdc = FILE:/var/log/krb5kdc.log
>>      admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>      dns_lookup_realm = false
>>      ticket_lifetime = 24h
>>      renew_lifetime = 7d
>>      forwardable = true
>>      rdns = false
>>      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
>>      spake_preauth_groups = edwards25519
>> #    default_realm = EXAMPLE.COM
>>      default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> #     kdc = kerberos.example.com
>> #     admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>
>> I think it does not like the "crypto-policies" file in the includedir. 
>> But I am unsure. Maybe
>> this is different now but it used to be a problem.
>>
>> Here is what we replace it with:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = EXAMPLEREALM.COM
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> Regards
>>
>> Christian
>>
>>
> 
> I used this /etc/krb5.conf on a machine called 'rocky9'
> 
> [libdefaults]
>    default_realm = SAMDOM.EXAMPLE.COM
>    dns_lookup_kdc = false
>    dns_lookup_realm = true
> 
> [realms]
>      SAMDOM.EXAMPLE.COM = {
>          default_domain = samdom.example.com
>      }
> 
> [domain_realm]
>      ROCKY9 = SAMDOM.EXAMPLE.COM
> 
> I also did this:
> 
> sudo rm /etc/krb5.conf.d/crypto-policies
> 
> I ended up with a fully working Unix domain member using the 'rid' idmap 
> backend.
> 
> Rowland
> 


There exists a way to set up crypto policies with support for old AD crypto.

RHEL 8 and derivatives:
   update-crypto-policies --set DEFAULT:AD-SUPPORT

RHEL 9 and derivatives:
   update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY

From: https://access.redhat.com/solutions/7004158
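Added example, not from this thread or from the Samba project: a POSIX shell script that resolves the includedir relation of a krb5.conf the way MIT krb5 does and reports every permitted_enctypes relation in the merged configuration together with the file it came from, so you can see what the crypto-policies drop-in actually constrains before deleting it (as Rowland did) or switching subpolicy (as Robert suggests). The fixture it builds is constructed: the drop-in's enctype list is an assumed illustration and not the real file shipped by RHEL or Rocky, and the RC4 check assumes that "old AD crypto" means arcfour-hmac/rc4-hmac enctypes.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): resolve the
# includedir relations of a krb5.conf the way MIT krb5 does and report every
# permitted_enctypes relation in the merged configuration, with its source
# file. The fixture built by make_fixture is constructed; the contents of its
# crypto-policies drop-in are an assumed illustration, not the real file
# shipped by RHEL or Rocky.

# Print the files MIT krb5 would read for CONF: CONF itself, then for each
# "includedir DIR" relation the files in DIR. krb5 skips names starting with
# '.' and accepts only names made of [A-Za-z0-9_-] or ending in ".conf", so a
# drop-in renamed to crypto-policies.rpmsave or .bak is silently ignored.
krb5_files() {
    conf="$1"
    printf '%s\n' "$conf"
    sed -n 's/^[[:space:]]*includedir[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" |
    while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "$(basename "$f")" in
                .*) continue ;;
                *.conf) ;;
                *[!A-Za-z0-9_-]*) continue ;;
            esac
            printf '%s\n' "$f"
        done
    done
}

# Print "FILE<TAB>VALUE" for every permitted_enctypes relation krb5 would see
# for CONF. Comment lines (# or ;) are skipped; sections are not tracked,
# since the relation is only meaningful in [libdefaults].
krb5_permitted_enctypes() {
    krb5_files "$1" | while IFS= read -r f; do
        sed -n -e '/^[[:space:]]*[#;]/d' \
            -e 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f" |
        while IFS= read -r v; do
            printf '%s\t%s\n' "$f" "$v"
        done
    done
}

# Exit 0 if any permitted_enctypes value lists RC4 (arcfour-hmac / rc4-hmac),
# the legacy type this example takes "old AD crypto" to mean. Exit 1 if RC4 is
# absent from every listed value (if no relation exists at all, krb5's
# built-in defaults apply and RC4 is simply not explicitly permitted here).
krb5_allows_rc4() {
    krb5_permitted_enctypes "$1" | cut -f2- | tr ' ,' '\n\n' |
    grep -Eq '^(arcfour-hmac|rc4-hmac)'
}

# Build a constructed fixture in a temp dir and print its path: the Rocky 8
# default from the thread with its includedir pointed into the fixture, plus
# an assumed AES-only crypto-policies drop-in and a renamed copy of it.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/krb5.conf.d"
    cat > "$d/krb5.conf.d/crypto-policies" <<EOF
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
    # krb5 does not include names containing '.', so this copy must not
    # show up in the report.
    cp "$d/krb5.conf.d/crypto-policies" "$d/krb5.conf.d/crypto-policies.rpmsave"
    cat > "$d/krb5.conf" <<EOF
# Constructed copy of the Rocky 8 default from the thread (trimmed).
includedir $d/krb5.conf.d/

[libdefaults]
    dns_lookup_realm = false
    rdns = false
    default_ccache_name = KEYRING:persistent:%{uid}
EOF
    printf '%s\n' "$d"
}

fixture=$(make_fixture)
echo "files krb5 reads for $fixture/krb5.conf:"
krb5_files "$fixture/krb5.conf"
echo "permitted_enctypes relations (file<TAB>value):"
krb5_permitted_enctypes "$fixture/krb5.conf"
if krb5_allows_rc4 "$fixture/krb5.conf"; then
    echo "RC4 permitted by the merged config"
else
    echo "RC4 not permitted: a DC or trust that still needs RC4 fails here; see the AD-SUPPORT subpolicies"
fi
rm -rf "$fixture"
```

Run it against the real files by calling krb5_permitted_enctypes /etc/krb5.conf on a domain member; an unexpected permitted_enctypes line coming from /etc/krb5.conf.d/crypto-policies is the quickest way to tell whether the includedir, rather than the rest of the default file, is what breaks the join.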


