[Samba] NT_STATUS_INVALID_SID

Rowland Penny rpenny at samba.org
Sat Oct 29 10:24:18 UTC 2016


On Sat, 29 Oct 2016 22:31:22 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> wrote:
> > Hi Rowland,
> > 
> >      Just to let you know, we removed all the idmap entries we had
> > on the smb.conf of our 
> > two DCs and the ids reported by getent passwd at the DCs were in the
> > 3.000.000 range, as 
> > you said. We had to add back 'idmap_ldb:use rfc2307 = yes' to get
> > the user listing with 
> > the original numbers on the DCs.
> > 
> > Here's what we commented out on the configurationfiles.
> > 
> >          # Default idmap config used for BUILTIN and local
> > accounts/groups
> >          #idmap config *:backend = ad
> >          #idmap config *:range = 2000-9999
> > 
> >          # idmap config for domain E-TRUST
> >          #idmap config E-TRUST:backend = ad
> >          #idmap config E-TRUST:schema_mode = rfc2307
> >          #idmap config E-TRUST:range = 10000-40000
> >          #idmap cache time = 1
> >          #idmap negative cache time = 1
> >          #winbind cache time = 1
> >          idmap_ldb:use rfc2307 = yes
> > 
> > Regards,
> > Vinicius.
> 
> Can you confirm that it still fails with that configuration?
> 
> You may need to flush the caches.  'net cache flush'.
> 
> I certainly can see how having those set would have broken things,
> because we now enforce the range if set whereas 4.4 just ignored
> them. 
> 
> Thanks,
> 
> Andrew Bartlett

Are you saying that the 'idmap config' lines as used on a domain member
are now supposed to work on a DC ?
From my testing on version 4.5.0, they still do nothing, either the
xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added to
a user/group, this will be used instead.

Rowland
 




More information about the samba mailing list