[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 5 05:14:06 MDT 2015


On 05/06/15 11:41, Jonathan Hunter wrote:
>  From my .bash_history on the schema master DC, effectively:
>
> # sed -e 's/${DOMAINDN}/dc=MYDOMAIN,dc=MY,dc=TLD/g'  \
>        -e 's/${NETBIOSNAME}/MYDOMAIN/g'              \
>        -e 's/${NISDOMAIN}/MYDOMAIN/g'                \
>        /usr/local/samba/share/setup/ypServ30.ldif > ypServ30-JMH.ldif
> # service samba4 stop
> # ldbmodify -H /usr/local/samba/private/sam.ldb ypServ30-JMH.ldif \
>       --option="dsdb:schema update allowed"=true
> Modified 55 records successfully
> # service samba4 start
>
> On 5 June 2015 at 11:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 05/06/15 10:44, Jonathan Hunter wrote:
>>> Hi,
>>> I have now added rfc2307 to my domain - I extended the schema, have
>>> added UIDs to some (not all yet) of my users and groups, and have my
>>> smb.conf with this currently:
>>>
>>> idmap_ldb:use rfc2307 = yes
>>> winbind nss info = rfc2307
>>>
>>> winbind use default domain = Yes
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind refresh tickets = Yes
>>> winbind expand groups = 8
>>>
>>> #idmap config *:range = 900000-999999
>>>
>>> This works just fine on one of my DCs, but the other is proving more
>>> problematic.
>>>
>>> See below for more detail on the process, but the issue is that
>>> right now I have hundreds (thousands) of messages appearing in
>>> syslog along the lines of:
>>> Unable to convert SID (S-1-1-0) at index 5 in user token to a GID. Conversion was returned as type 0, full token:
>>>
>>> 'net cache list' confirms:
>>> Key: IDMAP/SID2XID/S-1-1-0   Timeout: 10:41:35   Value: -1:N
>>>
>>> I've uncommented the idmap line above, to no effect.
>>>
>>> The same config works just fine on the other DC.
>>>
>>> What can I check next?
>>>
>>> Thanks,
>>>
>>> Jonathan
>>>
>>> I can't explain the initial issues I had on this DC, either. After
>>> adding rfc2307, this DC simply wouldn't resolve the new UIDs I had
>>> added, despite running "net cache flush". Even when shutting samba
>>> down, then running "net cache flush", then starting samba back, I
>>> had a very weird time where running "id <user>" was just fine at
>>> first, returning the rfc2307-defined UID, but then running the same
>>> command a few seconds later, it had reverted back to 3000007!
>>>
>>> I finally used the following to restart - clearing out the idmap.ldb
>>> file - and this seemed to work better, but I still have the issue
>>> above:
>>> service samba4 stop; net cache flush; rm /usr/local/samba/private/idmap.ldb; service samba4 start
>>>
>> Hi, what do you mean 'I extended the schema' ?
>> How did you extend the schema and with what ?
>>
>>
>> Rowland
>>

So I take it that when you provisioned the domain, you didn't use 
'--use-rfc2307'.

OK, you now have the same result, so it should work as if you had used 
'--use-rfc2307'.

You have two problems here, well one possible and one definite. First, 
you have turned off the DNS server built into the Samba AD DC; this is a 
problem unless you are also running bind9.

The main problem is thinking that you set up an AD DC the same way as a 
Member Server. You cannot; all the winbind lines you added are doing 
nothing.

You are also mixing up how an AD DC and a Member Server work: the DC 
uses idmap.ldb to store the mappings and a Member Server uses .tdb files.

If you give your users and groups a uidNumber or a gidNumber, these 
should be used on the DC instead of the xidNumber stored in idmap.ldb.

Rowland
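Rowland's last point (a uidNumber or gidNumber on the object is used in preference to the xidNumber in idmap.ldb) suggests a simple check for Jonathan's "some (not all yet)" users: which accounts still have no uidNumber and will therefore keep getting a 3000007-style xid. The script below is an added example, not code from this thread or from Samba; it assumes the LDIF comes from an ldbsearch query like the one in its comment and runs against constructed sample output.

```shell
#!/bin/sh
# Added diagnostic for this thread's situation, not code from the list or from Samba.
# Lists users whose sam.ldb record has no uidNumber, i.e. the users for which the DC
# still falls back to the xidNumber allocated in idmap.ldb (e.g. 3000007).
# Expected input is LDIF from an (assumed) query such as:
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber
# A constructed sample of that output is embedded so the script runs offline.

# Constructed sample: alice and carol have rfc2307 UIDs, bob does not yet.
SAMPLE_LDIF='# record 1
dn: CN=alice,CN=Users,DC=mydomain,DC=my,DC=tld
sAMAccountName: alice
uidNumber: 10001

# record 2
dn: CN=bob,CN=Users,DC=mydomain,DC=my,DC=tld
sAMAccountName: bob

# record 3
dn: CN=carol,CN=Users,DC=mydomain,DC=my,DC=tld
sAMAccountName: carol
uidNumber: 10003
'

# Read LDIF on stdin; print the sAMAccountName of every record lacking uidNumber.
# Records are separated by blank lines; attribute lines are "name: value".
users_without_uidnumber() {
    awk '
        /^dn:/             { name = ""; has_uid = 0 }
        /^sAMAccountName:/ { name = $2 }
        /^uidNumber:/      { has_uid = 1 }
        /^$/               { if (name != "" && !has_uid) print name; name = ""; has_uid = 0 }
        END                { if (name != "" && !has_uid) print name }
    '
}

# Run the check against the embedded sample (pipe real ldbsearch output in on a DC).
check_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | users_without_uidnumber
}

check_sample
```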
