[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)

Jonathan Hunter jmhunter1 at gmail.com
Fri Jun 5 05:57:09 MDT 2015


Hi Rowland,

On 5 June 2015 at 12:14, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> So I take it that when you provisioned the domain, you didn't use
> '--use-rfc2307'
Correct.
> OK, you now have the same result, so it should work as if you had used
> '--use-rfc2307'
Yup - and indeed it works on the second DC.

> You have two problems here, well one possible and one definite, first you
> have turned off the dns server built into the samba AD DC, this is a problem
> unless you are also running bind9.
Sorry, yes, I am also running BIND9; this works fine for the purposes of
this email thread (plenty of other issues I could talk about, but not
here & now! :) )

> The main problem is thinking that you set up an AD DC the same way as a
> Member Server, you cannot, all the winbind lines you added are doing
> nothing.

Thank you - I think this was the key to my confusion.

I had forgotten this, which was of course the whole reason I am
embarking on this sorry story in the first place :)

> You are also mixing up how an AD DC and a Member Server work, the DC uses
> idmap.ldb to store the mappings and a Member Server uses .tdb files

Thank you - again useful info and I didn't know this beforehand. (I
will try and add these to the wiki somewhere obvious, if I can!)

> If you give your users and groups a uidNumber or a gidNumber, these should be
> used on the DC instead of the xidNumber stored in idmap.ldb.

And this, I think, is the key. On the DC that is working, I am still
using sssd as per previous discussions, and *that* is why it works
fine. (I have set 'ldap_id_mapping = False' on that machine, now that I
have added rfc2307.)

On the DC that is not working, for some reason sssd won't play ball if
I set the above configuration line. I have no idea why; there are a
few hits on Google for that error message. Because this wasn't
working and I couldn't resolve it immediately, I thought it would be
a good idea to use winbind instead... which of course doesn't work on a
DC.

I'll try and reproduce the sssd/nsswitch.conf config from 'good DC' to
'bad DC' and see how I get on, and will remove the winbind/idmap
lines, as you say they aren't doing anything.

Will update shortly... :)

Thanks

J

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
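Rowland's point that a DC prefers a user's uidNumber / group's gidNumber over the xidNumber allocated in idmap.ldb suggests a quick check: which accounts actually carry those RFC2307 attributes. The script below is an added example, not from this thread or from Samba; it assumes LDIF input of the shape ldbsearch or samba-tool emit, and the sample it reads is constructed.

```shell
#!/bin/sh
# Added example: list AD users lacking uidNumber and groups lacking gidNumber.
# Those are the objects a Samba AD DC will still map through the xidNumber
# kept in idmap.ldb rather than through RFC2307 attributes.
# Assumption: input is LDIF with one attribute per line and entries
# separated by blank lines (the usual ldbsearch output shape).

# Constructed sample LDIF, not taken from a real domain.
sample_ldif() {
cat <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=devs,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: devs
EOF
}

# Reads LDIF on stdin; prints "user <name>" for each user without uidNumber
# and "group <name>" for each group without gidNumber.
missing_rfc2307() {
    awk '
    function emit() {
        if (name != "") {
            if (type == "user"  && uid == "") print "user " name
            if (type == "group" && gid == "") print "group " name
        }
        name = ""; type = ""; uid = ""; gid = ""
    }
    /^$/                   { emit(); next }
    /^objectClass: user$/  { type = "user" }
    /^objectClass: group$/ { type = "group" }
    /^sAMAccountName: /    { name = substr($0, 17) }
    /^uidNumber: /         { uid = substr($0, 12) }
    /^gidNumber: /         { gid = substr($0, 12) }
    END                    { emit() }'
}

sample_ldif | missing_rfc2307
```

Against a live domain, replace `sample_ldif` with an ldbsearch or samba-tool query that returns objectClass, sAMAccountName, uidNumber and gidNumber.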
