[Samba] troubleshoot samba - Could not convert sid - problem

Rowland penny rpenny at samba.org
Mon Jan 25 17:53:43 UTC 2016


On 25/01/16 17:30, ML Wong wrote:
> Environment: try to join and setup simple file-share in a sub-domain off
> from an AD forest which operates under 2008R2 forest, and domain functional
> level; while keeping primary domain for SSH remote logins
>
> Samba is running Version 3.6.23-24.el6_7 running on CentOS6.7. RPM based
>
> 'net ads join -k', 'net ads keytab list', 'net testjoin -k' reflected
> positive results. I can successfully join to the forest without any issues.
> I also ran 'net ads status -k' to verify if a machine account can be
> queried from the member server.
>
>   For example, when I ran 'wbinfo -n DOMAIN2\\user1', I can get a SID back
> without issues. And, based on my privileges in AD, I can verify the SID is
> equal to what I can see from ADUC. But, when I ran 'wbinfo -i
> DOMAIN\\user1', I always get "Could not convert sid [the-long-SID]
> NT_STATUS_NO_SUCH_USER" error in my samba.log (which I specify in my
> smb.conf). I ran a series of Google searches; most of the results
> pointed out that this is mostly related to an "idmap" mis-configuration.
> Each time I changed the range for idmap, I would 'net cache flush', and
> '/bin/rm /var/lib/samba/*.tdb', and restart nmb, smb, and winbind. But,
> obviously, changing different ranges does not really help with our
> environment.
>
> Below is my smb.conf (with fake domain-names), can i ask where i should
> look at for my troubleshooting: Any pointers and opinions will be
> appreciated.
>
> ###
> # Global Setting
> ###
> [global]
> realm = DOMAIN2.REGION2.MS.LOCAL
> workgroup = DOMAIN2
> netbios name = FS02
> security = ADS
> kerberos method = secrets and keytab
> encrypt passwords = yes
> #
> idmap config * : backend = tdb
> idmap config * : range  = 1000000-9999999
>
> idmap config DOMAIN2 : base_rid = 1000
> idmap config DOMAIN2 : backend = rid
> idmap config DOMAIN2 : range = 10000-999999
> invalid users = root
> #
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind refresh tickets = yes
> winbind enum users = no
> winbind enum groups = no
> winbind nested groups = yes
> #
> load printers = no
> printcap name = /dev/null
> #
> # Logging
> #
> log file = /var/log/samba/samba.log
> log level  = 9
> max log size = 1048576
> ###
> # Share Definitions
> ###
> [testshare]
> comment = samba cifs share test only
> path = /opt/software
> force group = "@DOMAIN2\sysadmins"
> browsable = no
> writable = yes
> read only = no
> force create mode = 0660
> create mask = 0770
> directory mask = 0770
> force directory mode = 0770
> access based share enum = yes
> valid users = "@DOMAIN2\sysadmins"
> admin users = "@DOMAIN2\sysadmins"
> guest ok = no
> hide unreadable = yes

OK, you have this in your smb.conf:

workgroup = DOMAIN2

You also say <i ran 'wbinfo -n DOMAIN2\\user1`, i can get a SID back>, 
you also say < i ran 'wbinfo -i DOMAIN\\user1'>
Is this a typo? If not, I think this is your problem. smb.conf is set up 
to obtain the info for DOMAIN2 and will ignore DOMAIN as it is not its 
workgroup.

Rowland
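To see what the DOMAIN2 idmap settings in the quoted smb.conf actually do with a SID, here is a small simulation of the idmap_rid mapping rule (ID = RID - BASE_RID + LOW_RANGE_ID, as documented in idmap_rid(8)) applied to that configuration. This is an added example, not code from the thread or from Samba: the domain SID is constructed, and the fallback to the "*" tdb backend for domains without a rid configuration is only reported, not modelled.

```python
"""Simulate Samba's idmap_rid SID-to-UID mapping using the idmap settings
from the quoted smb.conf (added example, not Samba's own code)."""
import re

# Idmap settings taken from the quoted smb.conf.
IDMAP_CONFIG = {
    "DOMAIN2": {"backend": "rid", "base_rid": 1000, "range": (10000, 999999)},
    "*": {"backend": "tdb", "range": (1000000, 9999999)},
}

# Constructed domain SID for DOMAIN2; the real one is not in the thread.
DOMAIN_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333": "DOMAIN2"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain_sid, rid); raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not an S-1-5-21 domain SID")
    return m.group(1), int(m.group(2))


def rid_to_id(rid, base_rid, low, high):
    """idmap_rid formula (idmap_rid(8)): ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside [low, high]."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def sid_to_uid(sid, config=IDMAP_CONFIG, domain_sids=DOMAIN_SIDS):
    """Return (uid, reason). uid is None when the mapping fails and reason
    explains why, mirroring the 'Could not convert sid' log line."""
    try:
        domain_sid, rid = split_sid(sid)
    except ValueError as err:
        return None, f"Could not convert sid {sid}: {err}"
    domain = domain_sids.get(domain_sid)
    cfg = config.get(domain)
    if cfg is None or cfg["backend"] != "rid":
        # Not a domain with a rid backend: real winbind would hand this to the
        # '*' tdb backend, which allocates IDs on demand; not modelled here.
        return None, (f"Could not convert sid {sid}: no rid idmap config "
                      f"for domain {domain!r}")
    low, high = cfg["range"]
    uid = rid_to_id(rid, cfg["base_rid"], low, high)
    if uid is None:
        return None, (f"Could not convert sid {sid} NT_STATUS_NO_SUCH_USER: "
                      f"RID {rid} maps outside range {low}-{high}")
    return uid, "ok"


def overlapping_ranges(config):
    """Return pairs of idmap domains whose ranges overlap; the ranges of all
    idmap domains (including '*') must be disjoint."""
    names = sorted(config)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = config[a]["range"]
            b_lo, b_hi = config[b]["range"]
            if a_lo <= b_hi and b_lo <= a_hi:
                bad.append((a, b))
    return bad


if __name__ == "__main__":
    dom = "S-1-5-21-1111111111-2222222222-3333333333"
    # RIDs at and beyond the edges of the configured range.
    for rid in (1105, 500, 990999, 991000):
        print(f"{dom}-{rid} ->", sid_to_uid(f"{dom}-{rid}"))
    print("overlapping ranges:", overlapping_ranges(IDMAP_CONFIG))
```

Run it and the two failure modes worth checking stand out: a RID below base_rid (for example the built-in RID 500) maps below the low end of the range, and a RID above 990999 maps past the high end, so both come back as "Could not convert sid"; a SID from a domain with no rid configuration is reported separately, because that case goes to the "*" backend rather than to the rid formula. The overlap check is the other thing to run after every range change, since the "*" range and each domain range must not intersect.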



