[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED

Carlos Jesus camjesus2 at gmail.com
Tue Oct 24 18:25:45 UTC 2023


Hello all,
in my case the main issue is running smbstatus -P (as root of course). I
was monitoring my samba file server by running this periodically and every
time I get this error. This is with samba 4.17.6 on Bullseye. The DC's have
been upgraded to Bookworm but are still on 4.17.6.
Actually the case is even more complex. Running smbstatus -P as root works
fine. Running sudo -n smbstatus -P gives the error. Kinda weird.
My FS is running with the AD backend. Can't post smb.conf now, but will do
later tonight. Rather minimalistic though.

Best regards
CJ


Norbert Hanke via samba <samba at lists.samba.org> wrote on Thursday,
19/10/2023 at 14:41:

> Hi all,
>
> In my case I see this happen when rsync'ing sysvol from one samba DC to
> a different one on the target DC when the target DC is on Debian
> Bookworm with both samba 4.17.<many> and 4.18.8 . It looks like a
> different behaviour of rsync that I never saw on Bullseye or before,
> with many different samba versions over the years.
>
> I'm using rsync through ssh with
> rsync -avAX --delete /var/lib/samba/sysvol dcX:/var/lib/samba
>
> The winbind message disappears when adding --numeric-ids so that rsync
> does not need to use winbind to map from user and group names to Unix
> UIDs and GIDs.
>
> Besides the different rsync version on Bookworm it has to do with the
> history of my domain: at a certain time I added rfc2307 UIDs and/or GIDs
> to builtin entities like "MYDOMAIN\domain admins" with the result of
> different numerical ownerships and ACLs in GPOs. Rsync'ing with and
> without --numeric-ids results in different numeric owners and ACLs. For
> Windows clients both look the same, no imminent problem. But a bit of a
> mess that I still need to figure out how to clean up.
>
> Maybe this helps to find the reason for the same elsewhere.
>
> regards, Norbert
>
> On 08.10.2023 16:39, Carlos Jesus via samba wrote:
> > Hi all,
> > I know this is kind of an old thread, but I've got some new "developments".
> > And some questions too. Let's see...
> > So, like I said before, my file server is clogging my logs with
> > ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
> >    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> > Every 2 seconds.
> > Now, I'm using netdata (https://www.netdata.cloud/) to locally monitor my
> > machines, smbd performance including. I'm not into the details, but every 2
> > seconds, netdata performs a "smbstatus -P" on the file server. Running
> > smbstatus -P does not produce the error, but something else on netdata smbd
> > monitoring does. I'll ask the netdata folks for more info.
> > Anyway, this error shows up even if netdata is not running just not every 2
> > seconds...
> >
> > Now for my question. Since I (kinda) know where the error comes from, I
> > just want to get rid of it. So, is there a way to filter this specific
> > error in the logs? I know I could redirect the log to an rsyslog facility
> > and filter from there. Any suggestions on a more elegant way?
> >
> >
> > Best regards
> > Rowland Penny via samba <samba at lists.samba.org> wrote on Tuesday,
> > 1/08/2023 at 15:29:
> >
> >>
> >> On 01/08/2023 15:07, Carlos Jesus wrote:
> >>> Hi Rowland, thanks for the reply
> >>>
> >>>
> >>>       > [global]
> >>>       >          realm = EUROHIDRA.LOCAL
> >>>
> >>>      Is '.local' your real TLD ?
> >>>      If it is, I suggest you turn off Bonjour and Avahi everywhere
> >>>
> >>> Unfortunately it is :(....
> >>>
> >>> Bonjour and avahi are stopped and masked everywhere.
> >> I wish Microsoft hadn't recommended using '.local', it just means that
> >> you cannot use Bonjour and Avahi. Microsoft has now realised this and
> >> they no longer recommend using it.
> >>
> >>>       >          workgroup = EUROHIDRA
> >>>       >          netbios name = EHDC1
> >>>       >          server role = active directory domain controller
> >>>       > #       interfaces = lo br0
> >>>       > #        bind interfaces only = Yes
> >>>       >          idmap_ldb:use rfc2307 = yes
> >>>       >          log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@/var/log/samba/sam.log
> >>>       >          log file = /var/log/samba/samba.log
> >>>       >
> >>>       >          server services = -dns
> >>>       >          template shell = /bin/bash
> >>>       >          template homedir = /home/%U
> >>>       >          winbind use default domain = yes
> >>>
> >>>      I suggest you remove the 'winbind use default domain' line, it does
> >>>      nothing on a DC and, though unlikely, it could have something to do
> >>>      with your problem.
> >>>
> >>> Will do. Will it interfere with PAM authentication?
> >> No, all it really does is to remove the DOMAIN from user & group names
> >> and then only on Unix domain members.
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:https://lists.samba.org/mailman/options/samba
> >>
>
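
On the question quoted above about filtering this one error out of the logs, here is an added example (not part of the thread and not Samba project code). It assumes Samba's file logging, where each entry is a bracketed header line followed by indented message lines as in the excerpt quoted in the thread, so the header and its message have to be dropped together. The log lines in sample_log are constructed.

```shell
#!/bin/sh
# Added example: drop the known-noise winbindd entry from a Samba log while
# keeping every other entry intact, and keep a count of what was suppressed.
NOISE='Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED'

# Read a Samba log on stdin; print it without entries that contain $NOISE.
# An entry is a header line starting with "[YYYY/" plus the lines after it.
filter_sid_noise() {
    awk -v noise="$NOISE" '
        function emit() { if (entry != "" && !drop) printf "%s", entry }
        /^\[[0-9][0-9][0-9][0-9]\// { emit(); entry = ""; drop = 0 }
        { entry = entry $0 "\n"; if (index($0, noise)) drop = 1 }
        END { emit() }
    '
}

# Count suppressed entries so the noise stays measurable after filtering.
count_sid_noise() {
    grep -cF -- "$NOISE" || true
}

# Constructed sample input: two noise entries around one unrelated entry.
sample_log() {
    cat <<'EOF'
[2023/10/08 16:39:00.000001,  1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2023/10/08 16:39:01.000002,  0] ../../source3/winbindd/example.c:1(constructed_entry)
  constructed entry that must survive filtering
[2023/10/08 16:39:02.000003,  1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
EOF
}

sample_log | filter_sid_noise
echo "suppressed entries: $(sample_log | count_sid_noise)"
```

A plain `grep -v` on the message text would leave the orphaned header lines behind, which is why the filter works per entry.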

