[Samba] Account Unknown: SID not resolvable

james.atwell365 at gmail.com
Thu Nov 16 18:35:42 UTC 2023



> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland
> Penny via samba
> Sent: Thursday, November 16, 2023 1:28 PM
> To: samba at lists.samba.org
> Cc: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] Account Unknown: SID not resolvable
> 
> On Thu, 16 Nov 2023 13:14:56 -0500
> James Atwell via samba <samba at lists.samba.org> wrote:
> 
> > Hello,
> >
> > When viewing the Security tab of a user object I find 2
> > username/groups that display their SID as opposed to their username
> > with Account Unknown. I tried to use 'wbinfo -s' with the SID but it's
> > unable to return a result. Using a well-known SID works without issue.
> >
> > At one point this domain used 'idmap_ldb:use rfc2307 = yes' in the
> > smb.conf file when it was initially provisioned. It's no longer used
> > on any DC and my understanding is that by removing it, GIDs will not be
> > resolvable and it should have no effect on SIDs.
> >
> > To aid in my troubleshooting, can someone share what security
> > usernames and groups are created on a typical new user or group
> > account?
> >
> > The two SIDs I have with an unknown account name are as follows.
> >
> > s-1-5-21-940051827-2291820289-3341758437-526
> >
> > s-1-5-21-940051827-2291820289-3341758437-527
> >
> 
> They are for a couple of groups that I haven't come across (yet)
> 
> 'Key Admins' and 'Enterprise Key Admins'
> 
> This is probably an artefact of you having 'ad dc functional level = 2016'
> in your DCs' smb.conf, Samba hasn't caught up yet.
> 
> Rowland

Thanks Rowland. May I ask where you found this, as my Google-fu doesn't show
these two as well-known SIDs. I'm assuming (maybe incorrectly) that they
would be deemed well known.

I'll add that I upgraded the schema to resolve a CISO DUO MFA issue. In
hindsight I don't think it was necessary, but finally resolved the
integration issue.
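
An added example, not part of the original thread and not Samba code: a small Python triage for unresolvable SIDs like the two quoted above. It splits a domain account SID into domain SID and RID, then checks the RID against a subset of Microsoft's published well-known domain-relative RIDs; the function name `triage_sid` and the RID 1104 sample are constructed for illustration.

```python
import re

# Subset of Microsoft's well-known domain-relative RIDs. RIDs below 1000 are
# reserved for built-in principals; directory-created accounts start at 1000.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    517: "Cert Publishers", 518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 521: "Read-only Domain Controllers",
    522: "Cloneable Domain Controllers", 525: "Protected Users",
    526: "Key Admins", 527: "Enterprise Key Admins",
}

# S-1-<authority>-<sub-authority>[-<sub-authority>...]; the "S" may be lowercase.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$", re.IGNORECASE)


def triage_sid(sid):
    """Return (domain_sid, rid, verdict) for a SID string."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority exceeds 32 bits: {sid!r}")
    # Domain account SIDs have the shape S-1-5-21-<a>-<b>-<c>-<RID>.
    if authority != 5 or subs[0] != 21 or len(subs) != 5:
        return None, None, "not a domain account SID"
    domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    rid = subs[4]
    if rid in WELL_KNOWN_RIDS:
        return domain_sid, rid, f"well-known: {WELL_KNOWN_RIDS[rid]}"
    if rid < 1000:
        return domain_sid, rid, "reserved RID range, name not in table"
    return domain_sid, rid, "allocated RID, possibly a deleted object"


if __name__ == "__main__":
    samples = [
        "s-1-5-21-940051827-2291820289-3341758437-526",   # from the thread
        "s-1-5-21-940051827-2291820289-3341758437-527",   # from the thread
        "S-1-5-21-940051827-2291820289-3341758437-1104",  # constructed RID
    ]
    for s in samples:
        print(s, "->", triage_sid(s)[2])
```

A "well-known" verdict alongside a failing `wbinfo -s` suggests the group object is absent from the directory, whereas an allocated RID that fails to resolve usually points to a deleted user or group.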



