[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)

buhorojo buhorojo.lcb at gmail.com
Fri Jun 5 06:43:43 MDT 2015


On 05/06/15 13:57, Jonathan Hunter wrote:
> Hi Rowland,
>
> On 5 June 2015 at 12:14, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> So I take it that when you provisioned the domain, you didn't use
>> '--use-rfc2307'
> Correct
>> OK, you now have the same result, so it should work as if you had used
>> '--use-rfc2307'
> Yup - and indeed it works on the second DC.
>
>> You have two problems here, well one possible and one definite, first you
>> have turned off the dns server built into the samba AD DC, this is a problem
>> unless you are also running bind9.
> Sorry yes, I am also running BIND9, this works fine for purposes of
> this email thread (plenty of other issues I could talk about, but not
> here & now! :) )
>
>> The main problem is thinking that you set up an AD DC the same way as a
>> Member Server, you cannot, all the winbind lines you added are doing
>> nothing.
> Thank you - I think this was the key to my confusion.
>
> I had forgotten this, which was of course the whole reason I am
> embarking on this sorry story in the first place :)
>
>> You are also mixing up how an AD DC and a Member Server work, the DC uses
>> idmap.ldb to store the mappings and a Member Server uses .tdb files
> Thank you - again useful info and I didn't know this beforehand. (I
> will try and add these to the wiki somewhere obvious, if I can!)
>
>> If you give your users and groups a uidNumber or a gidNumber These should be
>> used on the DC instead of the xidNumber stored in idmap.ldb.
> And this is I think the key. On the DC that is working, I am still
> using sssd as per previous discussions, and *that* is why it works
> fine. (I have set 'ldap_id_mapping = False' on that machine, now I
> have added rfc2307)
>
> On the DC that is not working, for some reason sssd won't play ball if
> I set the above configuration line - I have no idea why, there are a
> few hits on google for that error message - and because this wasn't
> working and I couldn't resolve that immediately, I thought it would be
> a good idea to use winbind instead.. which of course doesn't work on a
> DC.
>
> I'll try and reproduce the sssd/nsswitch.conf config from 'good DC' to
> 'bad DC' and see how I get on, and will remove the winbind/idmap
> lines, as you say they aren't doing anything.
>
> Will update shortly.. :)
>
> Thanks
>
> J
>
Hi
Use either winbind or sssd, not a halfway house. With a mix of
fileservers and DCs we'd strongly recommend the latter. Remove anything
to do with idmap ldb and everything to do with winbind. Put your rfc2307
in the directory and use the minimal ad sssd.conf. That's it.
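The advice above (and Rowland's earlier point that uidNumber/gidNumber in the directory take precedence over the xidNumber in idmap.ldb) only helps if every account that needs POSIX access actually carries those attributes, with no duplicates. The script below is an added example, not code from the thread or from the Samba or SSSD projects: it audits LDIF of the shape that `ldbsearch` prints from sam.ldb and reports users or groups that sssd with `ldap_id_mapping = False` (the setting named in the thread) could not map, duplicate uidNumbers, and users whose primary gidNumber matches no group. The LDIF, the DNs and the id values are constructed for the example; the sam.ldb path in the comment is an assumption that varies by install.

```python
from collections import defaultdict

# Constructed sample of what `ldbsearch -H /var/lib/samba/private/sam.ldb ...`
# (path is an assumption; it differs between installs) returns for users and groups.
# Attribute names are the real AD/RFC2307 ones; names, DNs and numbers are made up.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10005

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol

dn: CN=eve,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: eve
uidNumber: 10001
gidNumber: 10000

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: staff
gidNumber: 10000

dn: CN=guests,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: guests

# returned 6 records
"""


def parse_ldif(text):
    """Split LDIF into a list of dicts mapping attribute -> list of values.

    Records are separated by blank lines; '#' comment lines (ldbsearch ends its
    output with '# returned N records') are skipped. Base64 ('::') values are
    kept verbatim, which is fine for the numeric attributes audited here."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def audit_rfc2307(records):
    """Report accounts an RFC2307-only id mapping cannot resolve cleanly.

    missing:                user/group lacking the attributes sssd needs
    duplicate_uids:         one uidNumber claimed by several users
    duplicate_gids:         one gidNumber claimed by several groups
    orphan_primary_groups:  user gidNumber that matches no group's gidNumber"""
    missing, uid_owners, gid_owners = [], defaultdict(list), defaultdict(list)
    user_gids = []
    for rec in records:
        name = rec.get("sAMAccountName", ["?"])[0]
        classes = rec.get("objectClass", [])
        if "user" in classes:
            needed = ("uidNumber", "gidNumber")
        elif "group" in classes:
            needed = ("gidNumber",)
        else:
            continue  # computers, contacts etc. are not POSIX principals here
        lacking = [a for a in needed if a not in rec]
        if lacking:
            missing.append((name, lacking))
        if "user" in classes and "uidNumber" in rec:
            uid_owners[rec["uidNumber"][0]].append(name)
        if "user" in classes and "gidNumber" in rec:
            user_gids.append((name, rec["gidNumber"][0]))
        if "group" in classes and "gidNumber" in rec:
            gid_owners[rec["gidNumber"][0]].append(name)
    return {
        "missing": missing,
        "duplicate_uids": {k: v for k, v in uid_owners.items() if len(v) > 1},
        "duplicate_gids": {k: v for k, v in gid_owners.items() if len(v) > 1},
        "orphan_primary_groups": [(n, g) for n, g in user_gids if g not in gid_owners],
    }


if __name__ == "__main__":
    report = audit_rfc2307(parse_ldif(SAMPLE_LDIF))
    for name, attrs in report["missing"]:
        print(f"{name}: missing {', '.join(attrs)}")
    for uid, names in report["duplicate_uids"].items():
        print(f"uidNumber {uid} shared by {', '.join(names)}")
    for name, gid in report["orphan_primary_groups"]:
        print(f"{name}: primary gidNumber {gid} matches no group")
```

Run it against real output by piping `ldbsearch` LDIF into `parse_ldif` instead of the constructed sample; an empty report is what you want before switching a DC to sssd with `ldap_id_mapping = False`, since any account in `missing` will simply not appear in `getent` and any entry in `duplicate_uids` silently gives two principals the same files.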
