[Samba] NT_STATUS_INVALID_SID

Ryan Ashley ryana at reachtechfp.com
Sat Oct 29 14:02:14 UTC 2016


Thank you for the replies, but at 1800hrs Thursday night I wiped
everything and started with a fresh build of 4.4 stable. By 2300hrs I
had a stable AD setup. I will wait until 4.5 is worked out a bit more
before upgrading, and I will probably test it in a virtual environment
via VirtualBox first.

Andrew, thank you for taking the time to respond. I expect issues from
time to time. You guys are an open-source community and the odds that
you can test every configuration of hardware, OS, and software are
virtually non-existent. I do appreciate the effort you and the Samba
team, as well as the members who help on this list (Rowland seems to be
on here almost 24hrs a day), put into the project. Thanks!

Finally, I too would like to know if the settings are going to be
honored in 4.5 and beyond. If so, how would the migration from 4.4 to a
newer version go if we do not have those lines in our current
configuration file?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/29/2016 06:24 AM, Rowland Penny via samba wrote:
> On Sat, 29 Oct 2016 22:31:22 +1300
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> 
>> On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
>> wrote:
>>> Hi Rowland,
>>>
>>>      Just to let you know, we removed all the idmap entries we had
>>> on the smb.conf of our 
>>> two DCs and the ids reported by getent passwd at the DCs were in the
>>> 3.000.000 range, as 
>>> you said. We had to add back 'idmap_ldb:use rfc2307 = yes' to get
>>> the user listing with 
>>> the original numbers on the DCs.
>>>
>>> Here's what we commented out on the configuration files.
>>>
>>>          # Default idmap config used for BUILTIN and local accounts/groups
>>>          #idmap config *:backend = ad
>>>          #idmap config *:range = 2000-9999
>>>
>>>          # idmap config for domain E-TRUST
>>>          #idmap config E-TRUST:backend = ad
>>>          #idmap config E-TRUST:schema_mode = rfc2307
>>>          #idmap config E-TRUST:range = 10000-40000
>>>          #idmap cache time = 1
>>>          #idmap negative cache time = 1
>>>          #winbind cache time = 1
>>>          idmap_ldb:use rfc2307 = yes
>>>
>>> Regards,
>>> Vinicius.
>>
>> Can you confirm that it still fails with that configuration?
>>
>> You may need to flush the caches.  'net cache flush'.
>>
>> I certainly can see how having those set would have broken things,
>> because we now enforce the range if set whereas 4.4 just ignored
>> them. 
>>
>> Thanks,
>>
>> Andrew Bartlett
> 
> Are you saying that the 'idmap config' lines as used on a domain member
> are now supposed to work on a DC ?
> From my testing on version 4.5.0, they still do nothing, either the
> xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added to
> a user/group, this will be used instead.
> 
> Rowland
>  
> 
> 


