[Samba] NT_STATUS_INVALID_SID
Andrew Bartlett
abartlet at samba.org
Sat Oct 29 18:39:33 UTC 2016
On Sat, 2016-10-29 at 11:24 +0100, Rowland Penny via samba wrote:
> On Sat, 29 Oct 2016 22:31:22 +1300
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> >
> > On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> > wrote:
> > >
> > > Hi Rowland,
> > >
> > > Just to let you know, we removed all the idmap entries we had on the
> > > smb.conf of our two DCs and the ids reported by getent passwd at the
> > > DCs were in the 3.000.000 range, as you said. We had to add back
> > > 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
> > > original numbers on the DCs.
> > >
> > > Here's what we commented out on the configuration files.
> > >
> > > # Default idmap config used for BUILTIN and local accounts/groups
> > > #idmap config *:backend = ad
> > > #idmap config *:range = 2000-9999
> > >
> > > # idmap config for domain E-TRUST
> > > #idmap config E-TRUST:backend = ad
> > > #idmap config E-TRUST:schema_mode = rfc2307
> > > #idmap config E-TRUST:range = 10000-40000
> > > #idmap cache time = 1
> > > #idmap negative cache time = 1
> > > #winbind cache time = 1
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > Regards,
> > > Vinicius.
> >
> > Can you confirm that it still fails with that configuration?
> >
> > You may need to flush the caches. 'net cache flush'.
> >
> > I certainly can see how having those set would have broken things,
> > because we now enforce the range if set whereas 4.4 just ignored
> > them.
> >
> > Thanks,
> >
> > Andrew Bartlett
>
> Are you saying that the 'idmap config' lines as used on a domain member
> are now supposed to work on a DC?
No. But a patch for this bug was landed:
https://bugzilla.samba.org/show_bug.cgi?id=12155
> From my testing on version 4.5.0, they still do nothing, either the
> xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added to
> a user/group, this will be used instead.
The impact of this, if I read the code correctly, is a frustrating
intersection of enforcing the range, but only in addition to what is
otherwise configured in the databases.
We will know more when (for example) a user finds that reverting this
patch fixes things, or applying it to 4.4 breaks it.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
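An added check, not code from the thread or from the Samba project, for the situation Andrew describes: a configured 'idmap config ...:range' is now enforced on top of whatever uidNumber/gidNumber or xidNumber values the databases already hold. It parses the range lines out of an smb.conf fragment (SMB_CONF is constructed here, modelled on the lines Vinicius quoted) and lists the IDs that fall outside the range the config would enforce; the function names are my own.

```python
import re

# Constructed smb.conf fragment, modelled on the lines quoted in the thread.
SMB_CONF = """\
[global]
    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = ad
    idmap config *:range = 2000-9999
    # idmap config for domain E-TRUST
    idmap config E-TRUST:backend = ad
    idmap config E-TRUST:schema_mode = rfc2307
    idmap config E-TRUST:range = 10000-40000
    idmap_ldb:use rfc2307 = yes
"""

# Matches 'idmap config <domain>:range = <low>-<high>'; smb.conf keys are
# case-insensitive, so the pattern is too.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> dict:
    """Return {DOMAIN: (low, high)} for every active (uncommented) range line."""
    ranges = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented out, as in the poster's trimmed config
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom").upper()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def find_out_of_range(ranges: dict, domain: str, ids) -> list:
    """IDs for `domain` (rfc2307 uidNumber/gidNumber from AD, or xidNumber
    allocated in idmap.ldb) that lie outside the range the config would enforce.
    Uses the domain's own range, else the '*' default; with no range configured
    nothing is enforced and the result is empty."""
    rng = ranges.get(domain.upper()) or ranges.get("*")
    if rng is None:
        return []
    low, high = rng
    return [i for i in ids if not low <= i <= high]


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    # 10500 is an rfc2307 uidNumber inside the range; 3000021 is an
    # idmap.ldb-style xidNumber in the 3,000,000 range the poster saw.
    print(find_out_of_range(r, "E-TRUST", [10500, 3000021]))
```

Feed it the real uidNumber/gidNumber values from the directory (or the xidNumbers from idmap.ldb) to see which entries a 4.5 DC with those range lines would refuse.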