[Samba] string_to_sid: SI is not in a valid format

Rowland Penny rpenny at samba.org
Fri Dec 29 10:20:14 UTC 2017


First, can you please keep this onlist.

On Thu, 28 Dec 2017 20:36:19 -0500
Matt Savin <matt at tegers.com> wrote:

> Rowland,
> 
> Thank you for your reply. Below is a global part of the smb.conf file:
> 
> [global]
>   workgroup = DOMAINNAME
>   security = ads
>   realm = DOMAINNAME.LOCAL
>   kerberos method = secrets and keytab
>   kerberos encryption types = all
>   dedicated keytab file = /etc/krb5.keytab
> 
>   nt pipe support = no
> 
>   netbios name = HOSTNAME
>   disable netbios = yes
>   local master = no
>   smb ports = 445
>   dns proxy = no
> 
>   encrypt passwords = yes
>   ldap server require strong auth = no
>   client ldap sasl wrapping = plain
> 
>   idmap config * : range = 16777216-33554431
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config DOMAINNAME:backend = ad
>   idmap config DOMAINNAME:schema_mode = rfc2307
>   idmap config DOMAINNAME:range = 80001-3100000
>   idmap config DOMAINNAME:unix_primary_group = yes
>   idmap config DOMAINNAME:unix_nss_info = yes
> 
>   winbind refresh tickets = Yes
>   winbind use default domain = true
>   winbind trusted domains only = no
>   winbind offline logon = false
>   winbind nss info = rfc2307
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind expand groups = 1
>   allow trusted domains = no
> 
>   inherit permissions = yes
>   acl allow execute always = yes
>   follow symlinks = yes
>   wide links = yes
>   unix extensions = no
>   hide dot files = no
>   map archive = no
> 
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
> 
>   log level = 3
> 
> Please let me know if you have any questions.
> 
> Thank you,
> Matt
> 
> 

You might as well remove these, they are either default settings, duplicates or plain shouldn't be there.

  encrypt passwords = yes
  ldap server require strong auth = no
  client ldap sasl wrapping = plain
  idmap config * : range = 16777216-33554431
  winbind trusted domains only = no
  winbind offline logon = false
  winbind nss info = rfc2307
  winbind enum users  = yes
  winbind enum groups = yes
  follow symlinks = yes


These, whilst valid, should really be in shares.

  inherit permissions = yes
  acl allow execute always = yes
  wide links = yes
  hide dot files = no
  map archive = no

Other than that, there doesn't seem to be anything else wrong, as long
as you have given your users a uidNumber containing a unique id inside
the 80001-3100000 range, you have also given them a gidNumber attribute
containing a number inside the same range. This gidNumber must be the
gidNumber of a group and this group will be used as the user's primary
group instead of Domain Users.

If everything is correct, then you need to search AD for the two names
and see what you get.

Rowland
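
The checks described in the message above (a unique uidNumber inside the DOMAINNAME range, a gidNumber inside the same range that belongs to a group) together with the duplicated `idmap config *` range, as an added example that is not part of the original message or of Samba. The user and group records are constructed, and the function names are hypothetical.

```python
import re

# idmap lines from the smb.conf quoted in the thread (spacing around ':' varies)
SMB_CONF = """
  idmap config * : range = 16777216-33554431
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config DOMAINNAME:backend = ad
  idmap config DOMAINNAME:range = 80001-3100000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return ({(domain, option): last value seen}, [keys set more than once])."""
    settings, duplicates = {}, []
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        key = (m.group(1), m.group(2).lower())
        if key in settings:
            duplicates.append(key)
        settings[key] = m.group(3)
    return settings, duplicates

def check_accounts(conf, domain, users, groups):
    """List problems with the rfc2307 attributes of users for one idmap domain."""
    settings, duplicates = parse_idmap(conf)
    problems = [f"duplicate setting: idmap config {d}:{o}" for d, o in duplicates]
    low, high = (int(n) for n in settings[(domain, "range")].split("-"))
    group_gids, seen = {g["gidNumber"] for g in groups}, {}
    for u in users:
        name, uid, gid = u["sAMAccountName"], u.get("uidNumber"), u.get("gidNumber")
        if uid is None or not low <= uid <= high:
            problems.append(f"{name}: uidNumber {uid} outside {low}-{high}")
        elif seen.setdefault(uid, name) != name:  # first owner of a uid is kept
            problems.append(f"{name}: uidNumber {uid} already used by {seen[uid]}")
        if gid is None or not low <= gid <= high:
            problems.append(f"{name}: gidNumber {gid} outside {low}-{high}")
        elif gid not in group_gids:
            problems.append(f"{name}: gidNumber {gid} is not the gidNumber of any group")
    return problems

# Constructed sample records (not from the thread)
GROUPS = [{"cn": "unixusers", "gidNumber": 80010}]
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 80101, "gidNumber": 80010},
    {"sAMAccountName": "bob", "uidNumber": 70500, "gidNumber": 80010},
    {"sAMAccountName": "carol", "uidNumber": 80102, "gidNumber": 80999},
    {"sAMAccountName": "dave", "uidNumber": 80101},
]
```

Calling `check_accounts(SMB_CONF, "DOMAINNAME", USERS, GROUPS)` returns one line per problem; in practice the records would come from an AD search for the affected accounts.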


