[Samba] Samba3 : no suitable range available for sid

Gianluca Culot gianlucaculot at dmsware.com
Fri Apr 13 08:33:34 GMT 2007


I'm setting up a freebsd server which will authenticate against an
Active Directory
I mean: the server will NOT have any local users (except mandatory and
minimum
required for management and configuration) and will authenticate requests
for login and access
FOR EVERY SERVICE against an Active Directory Server

I have configured the samba service and currently I can
login to local terminal, ssh, smtp and pop3 services using local or AD users
and password. Each service authenticates correctly the user, first trying on
AD domain then, if failing, validating against local passwd db


The problem is that I get this error every 30 seconds

rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549

I get this message for every builtin group in Active Directory Domain
This error doesn't cause any problem or mulfunction to running services
(ssh, smtp, pop3,
etc).
But it's really annoying and causes log file to grow up in size very very
quickly

as far as I can understand Samba is trying to associate BUILTIN groups with
its local copy, but it doesn't have allowance for the operation (and in fact
I do not want this)

What can i do to stop this error from coming out every 30 seconds ?
What have I missed in the configuration so that Samba try to copy the
BUILTIN groups ?



Here is my smbd configuration
[global]
workgroup = mydomain
realm = mydomain.it
security = ADS
allow trusted domains = No
idmap backend = idmap_rid:DMSWARE= 1000-100000
idmap uid = 1000-100000
idmap gid = 1000-100000
template homedir = /home/%U
template shell = /bin/sh
winbind cache time = 3600
winbind nested groups = Yes
winbind use default domain = Yes
syslog only = Yes

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
add user script = /usr/sbin/pw useradd %u
add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d
/dev/null -s /bin/false %u
  delete user script = /usr/sbin/pw userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
  delete group script = /usr/sbin/pw groupdel %g




and here is my PAM stack for /etc/pam.d/system
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_winbind.so          try_first_pass
#auth           sufficient      pam_krb5.so             no_warn
try_first_pass
#auth           sufficient      pam_ssh.so              no_warn
try_first_pass
auth            required        pam_unix.so             no_warn
try_first_pass nullok

# account
account         required        pam_winbind.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
password        sufficient      pam_winbind.so          try_first_pass
#password       sufficient      pam_krb5.so             no_warn
try_first_pass
password        required        pam_unix.so             no_warn
try_first_pass



thanks for every help or hint you can give me.




More information about the samba mailing list