[Samba] troubleshoot samba - Could not convert sid - problem

ML Wong wongmlb at gmail.com
Mon Jan 25 17:30:16 UTC 2016

Environment: trying to join and set up a simple file share in a sub-domain of
an AD forest which operates at the 2008R2 forest and domain functional
level, while keeping the primary domain for SSH remote logins.

Samba is version 3.6.23-24.el6_7, running on CentOS 6.7, RPM based.

'net ads join -k', 'net ads keytab list' and 'net testjoin -k' reflected
positive results. I can successfully join to the forest without any issues.
I also ran 'net ads status -k' to verify that a machine account can be
queried from the member server.

For example, when I ran 'wbinfo -n DOMAIN2\\user1', I can get a SID back
without issues. And, based on my privileges in AD, I can verify the SID is
the same as what I can see from ADUC. But, when I ran 'wbinfo -i
DOMAIN\\user1', I always get a "Could not convert sid [the-long-SID]
NT_STATUS_NO_SUCH_USER" error in my samba.log (which I specify in my
smb.conf). I ran a series of Google searches; most of the results
pointed out that this is mostly related to "idmap" misconfiguration.
Each time I changed the range for idmap, I would run 'net cache flush' and
'/bin/rm /var/lib/samba/*.tdb', and restart nmb, smb, and winbind. But,
obviously, changing different ranges does not really help with our

Below is my smb.conf (with fake domain names). Can I ask where I should
look for my troubleshooting? Any pointers and opinions will be


# Global Setting

workgroup = DOMAIN2
netbios name = FS02
security = ADS
kerberos method = secrets and keytab
encrypt passwords = yes

idmap config * : backend = tdb
idmap config * : range = 1000000-9999999
idmap config DOMAIN2 : base_rid = 1000
idmap config DOMAIN2 : backend = rid
idmap config DOMAIN2 : range = 10000-999999
invalid users = root

winbind nss info = rfc2307
winbind trusted domains only = no
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes

load printers = no
printcap name = /dev/null

# Logging

log file = /var/log/samba/samba.log
log level = 9
max log size = 1048576

# Share Definitions

comment = samba cifs share test only
path = /opt/software
force group = "@DOMAIN2\sysadmins"
browsable = no
writable = yes
read only = no
force create mode = 0660
create mask = 0770
directory mask = 0770
force directory mode = 0770
access based share enum = yes
valid users = "@DOMAIN2\sysadmins"
admin users = "@DOMAIN2\sysadmins"
guest ok = no
hide unreadable = yes
