[Samba] Samba3 : no suitable range available for sid
Gianluca Culot
gianlucaculot at dmsware.com
Fri Apr 13 08:33:34 GMT 2007
I'm setting up a FreeBSD server which will authenticate against an Active Directory.
I mean: the server will NOT have any local users (except mandatory and minimum required for management and configuration) and will authenticate requests for login and access FOR EVERY SERVICE against an Active Directory Server.
I have configured the samba service and currently I can log in to local terminal, ssh, smtp and pop3 services using local or AD users and password. Each service authenticates the user correctly, first trying on AD domain then, if failing, validating against local passwd db.
The problem is that I get this error every 30 seconds:
rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549
I get this message for every builtin group in Active Directory Domain.
This error doesn't cause any problem or malfunction to running services (ssh, smtp, pop3, etc).
But it's really annoying and causes the log file to grow in size very very quickly.
As far as I can understand, Samba is trying to associate BUILTIN groups with its local copy, but it doesn't have allowance for the operation (and in fact I do not want this).
What can I do to stop this error from coming out every 30 seconds?
What have I missed in the configuration so that Samba tries to copy the BUILTIN groups?
Here is my smbd configuration
[global]
workgroup = mydomain
realm = mydomain.it
security = ADS
allow trusted domains = No
idmap backend = idmap_rid:DMSWARE= 1000-100000
idmap uid = 1000-100000
idmap gid = 1000-100000
template homedir = /home/%U
template shell = /bin/sh
winbind cache time = 3600
winbind nested groups = Yes
winbind use default domain = Yes
syslog only = Yes
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
add user script = /usr/sbin/pw useradd %u
add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/pw userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
delete group script = /usr/sbin/pw groupdel %g
and here is my PAM stack for /etc/pam.d/system
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_winbind.so try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_winbind.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
password sufficient pam_winbind.so try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Thanks for any help or hint you can give me.
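Added example (not part of the original post and not Samba code): a small Python triage script that pulls the SIDs out of the repeated rid_idmap_get_id_from_sid message and labels those under the BUILTIN prefix S-1-5-32, such as the S-1-5-32-549 (Server Operators) quoted above. The syslog lines in SAMPLE, including host name, process name, PID and the domain SID, are constructed.

```python
import re
from collections import Counter

# Well-known RIDs under the BUILTIN domain SID S-1-5-32 (Windows constants).
BUILTIN_RIDS = {
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicator",
}
# Matches the message quoted in the post and captures the SID.
MSG = re.compile(r"rid_idmap_get_id_from_sid: no suitable range available "
                 r"for sid: (S-1-\d+(?:-\d+)+)")

def classify(sid):
    """Return (kind, label) for a SID string such as S-1-5-32-549."""
    parts = sid.split("-")
    authority, subs = parts[2], [int(p) for p in parts[3:]]
    if authority == "5" and subs[0] == 32 and len(subs) == 2:
        return "builtin", BUILTIN_RIDS.get(subs[1], "unknown BUILTIN RID %d" % subs[1])
    if authority == "5" and subs[0] == 21 and len(subs) == 5:
        return "domain", "RID %d in domain S-1-5-21-%d-%d-%d" % (subs[4], *subs[1:4])
    return "other", sid

def summarize(lines):
    """Count failed lookups per SID and group the SIDs by kind."""
    counts = Counter()
    for line in lines:
        m = MSG.search(line)
        if m:
            counts[m.group(1)] += 1
    report = {}
    for sid, n in counts.items():
        kind, label = classify(sid)
        report.setdefault(kind, []).append((sid, label, n))
    return report

PREFIX = "winbindd[612]: rid_idmap_get_id_from_sid: no suitable range available for sid: "
SAMPLE = [  # constructed log lines, not taken from the poster's system
    "Apr 13 08:30:01 host " + PREFIX + "S-1-5-32-549",
    "Apr 13 08:30:01 host " + PREFIX + "S-1-5-32-544",
    "Apr 13 08:30:05 host sshd[700]: Accepted password for someuser",
    "Apr 13 08:30:31 host " + PREFIX + "S-1-5-32-549",
    "Apr 13 08:30:31 host " + PREFIX + "S-1-5-21-1111111111-2222222222-3333333333-1105",
]

if __name__ == "__main__":
    for kind, rows in sorted(summarize(SAMPLE).items()):
        for sid, label, n in rows:
            print("%-8s %-50s %-20s x%d" % (kind, sid, label, n))
```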