[Samba] NT_STATUS_INVALID_SID

Rowland Penny rpenny at samba.org
Thu Oct 27 19:42:39 UTC 2016


On Thu, 27 Oct 2016 17:23:43 -0200
Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
>      Just to let you know, we removed all the idmap entries we had on
> the smb.conf of our two DCs and the ids reported by getent passwd at
> the DCs were in the 3.000.000 range, as you said. We had to add back
> 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
> original numbers on the DCs.
> 
> Here's what we commented out on the configuration files.
> 
>          # Default idmap config used for BUILTIN and local accounts/groups
>          #idmap config *:backend = ad
>          #idmap config *:range = 2000-9999
> 
>          # idmap config for domain E-TRUST
>          #idmap config E-TRUST:backend = ad
>          #idmap config E-TRUST:schema_mode = rfc2307
>          #idmap config E-TRUST:range = 10000-40000
>          #idmap cache time = 1
>          #idmap negative cache time = 1
>          #winbind cache time = 1
>          idmap_ldb:use rfc2307 = yes
> 

Yes, those are the lines you should only have on a domain member (aka
fileserver, printserver). The only idmap line you should have on a DC is
the 'idmap_ldb:use rfc2307 = yes' line; without this line, rfc2307
will not be used, and unfortunately it is not added automatically to
any DCs that are joined to the domain.

Rowland
 


