[Samba] NT_STATUS_INVALID_SID

Andrew Bartlett abartlet at samba.org
Sat Oct 29 18:39:33 UTC 2016


On Sat, 2016-10-29 at 11:24 +0100, Rowland Penny via samba wrote:
> On Sat, 29 Oct 2016 22:31:22 +1300
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> 
> > 
> > On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> > wrote:
> > > 
> > > Hi Rowland,
> > > 
> > >      Just to let you know, we removed all the idmap entries we
> > > had
> > > on the smb.conf of our 
> > > two DCs and the ids reported by getent passwd at the DCs were in
> > > the
> > > 3.000.000 range, as 
> > > you said. We had to add back 'idmap_ldb:use rfc2307 = yes' to get
> > > the user listing with 
> > > the original numbers on the DCs.
> > > 
> > > Here's what we commented out on the configurationfiles.
> > > 
> > >          # Default idmap config used for BUILTIN and local
> > > accounts/groups
> > >          #idmap config *:backend = ad
> > >          #idmap config *:range = 2000-9999
> > > 
> > >          # idmap config for domain E-TRUST
> > >          #idmap config E-TRUST:backend = ad
> > >          #idmap config E-TRUST:schema_mode = rfc2307
> > >          #idmap config E-TRUST:range = 10000-40000
> > >          #idmap cache time = 1
> > >          #idmap negative cache time = 1
> > >          #winbind cache time = 1
> > >          idmap_ldb:use rfc2307 = yes
> > > 
> > > Regards,
> > > Vinicius.
> > 
> > Can you confirm that it still fails with that configuration?
> > 
> > You may need to flush the caches.  'net cache flush'.
> > 
> > I certainly can see how having those set would have broken things,
> > because we now enforce the range if set whereas 4.4 just ignored
> > them. 
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> 
> Are you saying that the 'idmap config' lines as used on a domain
> member
> are now supposed to work on a DC ?

No.  But a patch for this bug was landed:

https://bugzilla.samba.org/show_bug.cgi?id=12155

> From my testing on version 4.5.0, they still do nothing, either the
> xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added
> to
> a user/group, this will be used instead.

The impact of this, if I read the code correctly, is a frustrating
intersection of enforcing the range, but only in addition to what is
otherwise configured in the databases.  

We will know more when (for example) a user finds that reverting this
patch fixes things, or applying it to 4.4 breaks it.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




More information about the samba mailing list