[Samba] string_to_sid: SI is not in a valid format

Matt Savin matt at tegers.com
Fri Dec 29 17:54:27 UTC 2017


Rowland,

Sorry for the personal reply: my email default is set to reply to the
sender only.
Removing all the lines from smb.conf you suggested didn't resolve the
issue, still getting the same messages in the log.
I'll have to put back:
winbind enum users = yes
winbind enum groups = yes

because without these lines commands:
getent passwd
getent group

return only local passwd and group entries, I prefer it to list AD entries
also.

Any other suggestions?

Thank you very much for your help,
Matt

On Fri, Dec 29, 2017 at 5:20 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

>
> First, can you please keep this onlist.
>
> On Thu, 28 Dec 2017 20:36:19 -0500
> Matt Savin <matt at tegers.com> wrote:
>
> > Rowland,
> >
> > Thank you for your reply. Below is a global part of the smb.conf file:
> >
> > [global]
> >   workgroup = DOMAINNAME
> >   security = ads
> >   realm = DOMAINNAME.LOCAL
> >   kerberos method = secrets and keytab
> >   kerberos encryption types = all
> >   dedicated keytab file = /etc/krb5.keytab
> >
> >   nt pipe support = no
> >
> >   netbios name = HOSTNAME
> >   disable netbios = yes
> >   local master = no
> >   smb ports = 445
> >   dns proxy = no
> >
> >   encrypt passwords = yes
> >   ldap server require strong auth = no
> >   client ldap sasl wrapping = plain
> >
> >   idmap config * : range = 16777216-33554431
> >   idmap config *:backend = tdb
> >   idmap config *:range = 70001-80000
> >   idmap config DOMAINNAME:backend = ad
> >   idmap config DOMAINNAME:schema_mode = rfc2307
> >   idmap config DOMAINNAME:range = 80001-3100000
> >   idmap config DOMAINNAME:unix_primary_group = yes
> >   idmap config DOMAINNAME:unix_nss_info = yes
> >
> >   winbind refresh tickets = Yes
> >   winbind use default domain = true
> >   winbind trusted domains only = no
> >   winbind offline logon = false
> >   winbind nss info = rfc2307
> >   winbind enum users  = yes
> >   winbind enum groups = yes
> >   winbind expand groups = 1
> >   allow trusted domains = no
> >
> >   inherit permissions = yes
> >   acl allow execute always = yes
> >   follow symlinks = yes
> >   wide links = yes
> >   unix extensions = no
> >   hide dot files = no
> >   map archive = no
> >
> >   load printers = no
> >   printing = bsd
> >   printcap name = /dev/null
> >   disable spoolss = yes
> >
> >   log level = 3
> >
> > Please let me know if you have any questions.
> >
> > Thank you,
> > Matt
> >
> >
>
> You might as well remove these, they are either default
> settings,duplicates or plain shouldn't be there.
>
>   encrypt passwords = yes
>   ldap server require strong auth = no
>   client ldap sasl wrapping = plain
>   idmap config * : range = 16777216-33554431
>   winbind trusted domains only = no
>   winbind offline logon = false
>   winbind nss info = rfc2307
>   winbind enum users  = yes
>   winbind enum groups = yes
>   follow symlinks = yes
>
>
> These, whilst valid, should really be in shares.
>
>   inherit permissions = yes
>   acl allow execute always = yes
>   wide links = yes
>   hide dot files = no
>   map archive = no
>
> Other than that, there doesn't seem to be anything else wrong, as long
> as you have given your users a uidNumber containing a unique id inside
> the 80001-3100000 range, you have also given them a gidNumber attribute
> containing a number inside the same range. This gidNumber must be the
> gidNumber of a group and this group will be used as the users primary
> group instead of Domain Users.
>
> If everything is correct, then you need to search AD for the two names
> and see what you get.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list