[Samba] troubleshoot samba - Could not convert sid - problem
ML Wong
wongmlb at gmail.com
Mon Jan 25 17:30:16 UTC 2016
Environment: trying to join and set up a simple file share in a sub-domain off
an AD forest which operates under the 2008R2 forest and domain functional
level, while keeping the primary domain for SSH remote logins.
Samba is version 3.6.23-24.el6_7 running on CentOS 6.7, RPM based.
'net ads join -k', 'net ads keytab list', and 'net testjoin -k' reflected
positive results. I can successfully join the forest without any issues.
I also ran 'net ads status -k' to verify that the machine account can be
queried from the member server.
For example, when I ran 'wbinfo -n DOMAIN2\\user1', I got a SID back
without issues. And, based on my privileges in AD, I can verify the SID is
equal to what I can see in ADUC. But, when I run 'wbinfo -i
DOMAIN\\user1', I always get a "Could not convert sid [the-long-SID]
NT_STATUS_NO_SUCH_USER" error in my samba.log (which I specify in my
smb.conf). I ran a series of Google searches; most of the results
point out that this is mostly related to an "idmap" misconfiguration.
Each time I changed the range for idmap, I would run 'net cache flush' and
'/bin/rm /var/lib/samba/*.tdb', and restart nmb, smb, and winbind. But,
obviously, changing to different ranges does not really help with our
environment.
Below is my smb.conf (with fake domain names). Can I ask where I should
look for my troubleshooting? Any pointers and opinions will be
appreciated.
###
# Global Setting
###
[global]
realm = DOMAIN2.REGION2.MS.LOCAL
workgroup = DOMAIN2
netbios name = FS02
security = ADS
kerberos method = secrets and keytab
encrypt passwords = yes
#
idmap config * : backend = tdb
idmap config * : range = 1000000-9999999
idmap config DOMAIN2 : base_rid = 1000
idmap config DOMAIN2 : backend = rid
idmap config DOMAIN2 : range = 10000-999999
invalid users = root
#
winbind nss info = rfc2307
winbind trusted domains only = no
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
#
load printers = no
printcap name = /dev/null
#
# Logging
#
log file = /var/log/samba/samba.log
log level = 9
max log size = 1048576
###
# Share Definitions
###
[testshare]
comment = samba cifs share test only
path = /opt/software
force group = "@DOMAIN2\sysadmins"
browsable = no
writable = yes
read only = no
force create mode = 0660
create mask = 0770
directory mask = 0770
force directory mode = 0770
access based share enum = yes
valid users = "@DOMAIN2\sysadmins"
admin users = "@DOMAIN2\sysadmins"
guest ok = no
hide unreadable = yes
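An added worked example, not part of the original post: the idmap_rid backend in the smb.conf above maps a SID to a Unix id with fixed arithmetic, id = RID - base_rid + low end of the range, and then filters the result if it falls outside the configured range (the lookup then fails and winbind logs a conversion error). The script below reproduces that arithmetic offline with the base_rid and range copied from the post, so a SID taken from the log line can be checked against the configuration before winbind is restarted yet again. The domain SID, the helper names and the RIDs are constructed for the example; on a live member server the equivalent check is 'wbinfo -S <SID>' for the uid and 'wbinfo -s <SID>' for the name.

```shell
#!/bin/sh
# Constructed example (not the poster's code): mirror idmap_rid's SID -> id
# arithmetic so an out-of-range SID can be spotted without running winbind.

# Values copied from the smb.conf in the post.
BASE_RID=1000
RANGE_LOW=10000
RANGE_HIGH=999999

# Constructed, hypothetical domain SID for DOMAIN2 (the real one comes from
# 'wbinfo -D DOMAIN2' or 'net getdomainsid').
DOMAIN2_SID="S-1-5-21-1111111111-2222222222-3333333333"

# rid_of SID: print the last sub-authority of the SID, i.e. the RID.
rid_of() {
    printf '%s\n' "$1" | awk -F- '{print $NF}'
}

# domain_of SID: print the SID with its trailing RID removed.
domain_of() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# rid_map_id SID: print the uid/gid idmap_rid would hand out for this SID.
# Exit 2 if the SID is not in DOMAIN2 (idmap_rid only serves the domain it is
# configured for; anything else goes to the "*" tdb allocating backend), and
# exit 1 if the computed id lands outside the configured range, which is the
# case in which the mapping is filtered and the SID cannot be converted.
rid_map_id() {
    sid="$1"
    if [ "$(domain_of "$sid")" != "$DOMAIN2_SID" ]; then
        echo "$sid is not in DOMAIN2: served by 'idmap config *' (tdb), not rid" >&2
        return 2
    fi
    rid=$(rid_of "$sid")
    id=$((rid - BASE_RID + RANGE_LOW))
    if [ "$id" -lt "$RANGE_LOW" ] || [ "$id" -gt "$RANGE_HIGH" ]; then
        echo "RID $rid maps to $id, outside $RANGE_LOW-$RANGE_HIGH: filtered" >&2
        return 1
    fi
    echo "$id"
}

# id_to_rid ID: the reverse mapping, handy for checking what a uid seen in
# 'ls -n' or getent corresponds to.
id_to_rid() {
    echo $(($1 - RANGE_LOW + BASE_RID))
}

# Usage: an ordinary user object (RID 1105) maps fine; a built-in account such
# as Administrator (RID 500) sits below base_rid and is filtered out; a SID
# from any other domain in the forest is not idmap_rid's business at all.
rid_map_id "$DOMAIN2_SID-1105"
rid_map_id "$DOMAIN2_SID-500" || echo "exit status $?"
rid_map_id "S-1-5-21-9999999999-8888888888-7777777777-1105" || echo "exit status $?"
```

Note that the filter applies to every RID below base_rid, so with base_rid = 1000 the well-known accounts and groups (RID 500 Administrator, 512 Domain Admins, 513 Domain Users) can never be mapped by this configuration; a range whose low end is at least base_rid, or a base_rid of 0, avoids that particular failure.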