[Samba] Could not convert sid: NT_STATUS_NO_SUCH_USER

Francesco Malvezzi francesco.malvezzi at unimore.it
Tue Apr 3 08:51:09 UTC 2018

On 21/02/18 16:20, L.P.H. van Belle wrote:
> Hai, 
> Thank you for having trust in my packages.. :-)
> Now if you use my package, I suggest, do read the howto's also...
> All you need for a good setup on Debian stretch is there.
> If anyone finds/sees improvements, please tell me... Or change it on github, that's why it's there.
> First is this an upgraded domain? Or a new domain?
> What does `getent passwd username` tell you?
> Same for `id username`
> I would try the following.
> Run: net cache flush and try again, if that does not work then check the next..
> Review your config based on this member howto.
> https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt 
> That is a 100% working setup for stretch, if you did use it, then you missed something. 
> .. You are missing some things in your smb.conf.. 
> Like (optional)
>     	idmap config NTDOM : unix_nss_info = yes
> 	# set this one and run net cache flush again. 
> And 
> 	# User Administrator workaround, without it you are unable to set privileges
> 	# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account. 
> 	# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
> 	username map = /etc/samba/samba_usermapping

Well, I have been working on this issue quite a bit, lately.

The working recipe for me was:
1) configure sssd to fetch users from AD;
2) configure winbind to fetch sid/uid and sid/gid mappings from nss
(with idmap_nss);
3) provide group 'domain users' with a valid gidNumber: it looks like the
prescription from idmap_ad "Winbind will only map users that have a
uidNumber and whose primary group have a gidNumber attribute set." holds
for idmap_nss as well.

If you plan to use sssd on Debian, beware of:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772695 (workaround:
compile Samba on your own).
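
A way to check step 3 of the recipe above on a member server, as an added example that is not part of the original post: it asks NSS for the user and then for the user's primary group, the same data `getent passwd` and `id` show. The helper name `check_nss_mapping` and the sample users and IDs are constructed for illustration.

```python
import grp
import pwd
import sys
from collections import namedtuple

# Constructed sample data standing in for NSS answers (not from the original post).
Pw = namedtuple("Pw", "pw_name pw_uid pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid")
SAMPLE_PASSWD = {"alice": Pw("alice", 10001, 10513), "bob": Pw("bob", 10002, 10999)}
SAMPLE_GROUPS = {10513: Gr("domain users", 10513)}  # gid 10999 has no group entry


def sample_getpw(name):
    return SAMPLE_PASSWD[name]  # raises KeyError, like pwd.getpwnam


def sample_getgr(gid):
    return SAMPLE_GROUPS[gid]  # raises KeyError, like grp.getgrgid


def check_nss_mapping(username, getpw=pwd.getpwnam, getgr=grp.getgrgid):
    """Return the reasons NSS cannot supply a uid and primary group; [] means OK."""
    try:
        pw = getpw(username)
    except KeyError:
        return [f"{username}: no passwd entry from NSS"]
    try:
        getgr(pw.pw_gid)
    except KeyError:
        # Matches the case in step 3: the primary group carries no gidNumber.
        return [f"{username}: primary gid {pw.pw_gid} has no group entry "
                "(gidNumber missing on the primary group?)"]
    return []


if __name__ == "__main__":
    if sys.argv[1:]:
        # Real lookups through whatever nsswitch.conf points at (sssd in the recipe).
        results = {u: check_nss_mapping(u) for u in sys.argv[1:]}
    else:
        # No arguments: run against the constructed sample data.
        results = {u: check_nss_mapping(u, sample_getpw, sample_getgr)
                   for u in ("alice", "bob", "carol")}
    for user, problems in results.items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Run it with one or more user names as arguments after `net cache flush`; a user reported here will also fail to map in winbind with idmap_nss.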


