[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED

Norbert Hanke norbert.hanke at gmx.ch
Thu Oct 19 13:40:35 UTC 2023


Hi all,

In my case I see this happen when rsync'ing sysvol from one samba DC to
a different one on the target DC when the target DC is on Debian
Bookworm with both samba 4.17.<many> and 4.18.8. It looks like a
different behaviour of rsync that I never saw on Bullseye or before,
with many different samba versions over the years.

I'm using rsync through ssh with
rsync -avAX --delete /var/lib/samba/sysvol dcX:/var/lib/samba

The winbind message disappears when adding --numeric-ids so that rsync
does not need to use winbind to map from user and group names to Unix
UIDs and GIDs.

Besides the different rsync version on Bookworm it has to do with the
history of my domain: at a certain time I added rfc2307 UIDs and/or GIDs
to builtin entities like "MYDOMAIN\domain admins" with the result of
different numerical ownerships and ACLs in GPOs. Rsync'ing with and
without --numeric-ids results in different numeric owners and ACLs. For
Windows clients both look the same, no imminent problem. But a bit of a
mess that I still need to figure out how to clean up.

Maybe this helps to find the reason for the same elsewhere.

regards, Norbert

On 08.10.2023 16:39, Carlos Jesus via samba wrote:
> Hi all,
> I know this is kind of an old thread, but I've got some new "developments".
> And some questions too. Let's see...
> So, like I said before, my file server is clogging my logs with
> ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
>    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> Every 2 seconds.
> Now, I'm using netdata (https://www.netdata.cloud/) to locally monitor my
> machines, smbd performance including. I'm not into the details, but every 2
> seconds, netdata performs a "smbstatus -P" on the file server. Running
> smbstatus -P does not produce the error, but something else on netdata smbd
> monitoring does. I'll ask the netdata folks for more info.
> Anyway, this error shows up even if netdata is not running, just not every 2
> seconds...
>
> Now for my question. Since I (kinda) know where the error comes from, I
> just want to get rid of it. So, is there a way to filter this specific
> error in the logs? I know I could redirect the log to an rsyslog facility
> and filter from there. Any suggestions on a more elegant way?
>
>
> Best regards
> Rowland Penny via samba <samba at lists.samba.org> wrote on Tuesday,
> 1/08/2023 at 15:29:
>
>>
>> On 01/08/2023 15:07, Carlos Jesus wrote:
>>> Hi Rowland, thanks for the reply
>>>
>>>
>>>       > [global]
>>>       >          realm = EUROHIDRA.LOCAL
>>>
>>>      Is '.local' your real TLD ?
>>>      If it is, I suggest you turn off Bonjour and Avahi everywhere
>>>
>>> Unfortunately it is :(....
>>>
>>> Bonjour and avahi are stopped and masked everywhere.
>> I wish Microsoft hadn't recommended using '.local', it just means that
>> you cannot use Bonjour and Avahi. Microsoft has now realised this and
>> they no longer recommend using it.
>>
>>>       >          workgroup = EUROHIDRA
>>>       >          netbios name = EHDC1
>>>       >          server role = active directory domain controller
>>>       > #       interfaces = lo br0
>>>       > #        bind interfaces only = Yes
>>>       >          idmap_ldb:use rfc2307 = yes
>>>       >          log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@/var/log/samba/sam.log
>>>       >          log file = /var/log/samba/samba.log
>>>       >
>>>       >          server services = -dns
>>>       >          template shell = /bin/bash
>>>       >          template homedir = /home/%U
>>>       >          winbind use default domain = yes
>>>
>>>      I suggest you remove the 'winbind use default domain' line, it does
>>>      nothing on a DC and, though unlikely, it could have something to do
>>>      with your problem.
>>>
>>> Will do. Will it interfere with PAM authentication?
>> No, all it really does is to remove the DOMAIN from user & group names
>> and then only on Unix domain members.
>>
>> Rowland
>>
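
Added example, not part of the thread and not Samba code: a way to audit the ownership drift described in the top message by comparing the numeric UID/GID of every sysvol path on two DCs without any name lookup. The function names and the dump/compare workflow are assumptions made for this sketch; run `dump` on each DC against /var/lib/samba/sysvol and `compare` the two JSON files. It covers owners only, not ACL entries.

```python
import json
import os
import sys
from collections import Counter


def build_manifest(root):
    """Map root and every entry below it to its numeric [uid, gid], read with
    lstat() so no name lookup (and therefore no winbind call) is involved."""
    paths = [root]
    for dirpath, dirs, files in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirs + files]
    manifest = {}
    for path in paths:
        st = os.lstat(path)
        manifest[os.path.relpath(path, root)] = [st.st_uid, st.st_gid]
    return manifest


def diff_manifests(source, target):
    """Return (path, source_ids, target_ids) for every path whose numeric
    owner differs; a path missing on one side has None for that side."""
    drift = []
    for path in sorted(set(source) | set(target)):
        if source.get(path) != target.get(path):
            drift.append((path, source.get(path), target.get(path)))
    return drift


def remap_summary(drift):
    """Count each (source_ids, target_ids) pair, which exposes the ID
    translation that a name-based copy applied across the tree."""
    return Counter((tuple(s), tuple(t)) for _path, s, t in drift if s and t)


if __name__ == "__main__":
    # Usage: script.py dump <dir> > dc.json  |  script.py compare a.json b.json
    if len(sys.argv) == 3 and sys.argv[1] == "dump":
        json.dump(build_manifest(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[2]) as a, open(sys.argv[3]) as b:
            drift = diff_manifests(json.load(a), json.load(b))
        for path, src, dst in drift:
            print(f"{path}: source {src} target {dst}")
        for (src, dst), count in remap_summary(drift).most_common():
            print(f"{count} paths: {src} -> {dst}")
    else:
        sys.exit("usage: dump <dir> | compare <a.json> <b.json>")
```

A summary line with one dominant ID pair points at a single remapped principal, such as a group that has both an xidNumber-style ID and an rfc2307 gidNumber.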
