[Samba] NT_STATUS_INVALID_SID

Rowland Penny rpenny at samba.org
Thu Oct 27 20:21:34 UTC 2016 

On Thu, 27 Oct 2016 15:52:09 -0400
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> Slightly off-topic, but I thought setting those set the limits for
> going into the NIS attributes tab in Windows. I understood the Samba
> wiki to explain that using those lines is how you set the upper and
> lower limits that Windows sees and uses. Is this incorrect?
> 
> Lead IT/IS Specialist
> Reach Technology FP, Inc
> 
> On 10/27/2016 03:42 PM, Rowland Penny via samba wrote:
> > On Thu, 27 Oct 2016 17:23:43 -0200
> > Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
> > 
> >> Hi Rowland,
> >>
> >>      Just to let you know, we removed all the idmap entries we had
> >> on the smb.conf of our two DCs and the ids reported by getent
> >> passwd at the DCs were in the 3.000.000 range, as you said. We had
> >> to add back 'idmap_ldb:use rfc2307 = yes' to get the user listing
> >> with the original numbers on the DCs.
> >>
> >> Here's what we commented out on the configurationfiles.
> >>
> >>          # Default idmap config used for BUILTIN and local
> >> accounts/groups #idmap config *:backend = ad
> >>          #idmap config *:range = 2000-9999
> >>
> >>          # idmap config for domain E-TRUST
> >>          #idmap config E-TRUST:backend = ad
> >>          #idmap config E-TRUST:schema_mode = rfc2307
> >>          #idmap config E-TRUST:range = 10000-40000
> >>          #idmap cache time = 1
> >>          #idmap negative cache time = 1
> >>          #winbind cache time = 1
> >>          idmap_ldb:use rfc2307 = yes
> >>
> > 
> > Yes those are the lines you should only have on a domain member (aka
> > fileserver, printserver). The only idmap line you should have on a
> > DC is the 'idmap_ldb:use rfc2307 = yes' line, without this line,
> > rfc2307 will not be used and unfortunately it is not added
> > automatically to any DCs that are joined to the domain.
> > 
> > Rowland
> >  
> > 
> 

OK, when you first provision Samba as an AD DC, it uses 'xidNumber'
attributes stored in 'idmap.ldb', these numbers are in the '3000000'
range. These numbers are allocated on a first come basis (this is why
you get different IDs on subsequent DCs)

The only way to get different ID numbers on a DC, use uidNumber &
gidNumber attributes, but you don't need to add anything to smb.conf.

On a domain member it is different, there are several 'idmap' winbind
backends you can use, but the two main ones are 'ad' and 'rid'.

If you haven't added any uidNumber & gidNumber attributes to AD, then
you should use the 'rid' backend, this calculates the users (or group)
ID from its RID (the only real constant in all of this) and as long as
you use the same range on all Unix domain members, you will get
the same ID on them.

If you have added uidNumber & gidNumber attributes to AD, then you
should use the 'ad' backend, again, if you use the same range on all
the domain members, you will get the same ID's everywhere including
the DC's.

The ranges (whether you use 'rid' or 'ad') must not overlap and if
you use 'ad', you must give 'Domain Users' a gidNumber.

If you use the 'rid' backend, the ID's will be set from the range you
set in smb.conf, whereas, if you use the 'ad' backend, you set the
range from the numbers you set in AD.

Rowland

More information about the samba mailing list