[Samba] NT_STATUS_INVALID_SID
Rowland Penny
rpenny at samba.org
Sat Oct 29 10:24:18 UTC 2016
On Sat, 29 Oct 2016 22:31:22 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> wrote:
> > Hi Rowland,
> >
> > Just to let you know, we removed all the idmap entries we had
> > on the smb.conf of our
> > two DCs and the ids reported by getent passwd at the DCs were in the
> > 3.000.000 range, as
> > you said. We had to add back 'idmap_ldb:use rfc2307 = yes' to get
> > the user listing with
> > the original numbers on the DCs.
> >
> > Here's what we commented out on the configuration files.
> >
> > # Default idmap config used for BUILTIN and local accounts/groups
> > #idmap config *:backend = ad
> > #idmap config *:range = 2000-9999
> >
> > # idmap config for domain E-TRUST
> > #idmap config E-TRUST:backend = ad
> > #idmap config E-TRUST:schema_mode = rfc2307
> > #idmap config E-TRUST:range = 10000-40000
> > #idmap cache time = 1
> > #idmap negative cache time = 1
> > #winbind cache time = 1
> > idmap_ldb:use rfc2307 = yes
> >
> > Regards,
> > Vinicius.
>
> Can you confirm that it still fails with that configuration?
>
> You may need to flush the caches. 'net cache flush'.
>
> I certainly can see how having those set would have broken things,
> because we now enforce the range if set whereas 4.4 just ignored
> them.
>
> Thanks,
>
> Andrew Bartlett
Are you saying that the 'idmap config' lines as used on a domain member
are now supposed to work on a DC?
From my testing on version 4.5.0, they still do nothing: either the
xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added to
a user/group, this will be used instead.
Rowland