[Samba] Could not convert sid: NT_STATUS_NO_SUCH_USER
Rowland Penny
rpenny at samba.org
Tue Apr 3 09:44:42 UTC 2018
On Tue, 3 Apr 2018 10:51:09 +0200
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> On 21/02/18 16:20, L.P.H. van Belle wrote:
> > Hai,
> >
> > Thank you for having trust in my packages.. :-)
> > Now if you use my package, I suggest, do read the howtos also...
> > All you need for a good setup on debian stretch is there.
> > If anyone finds/sees improvements, please tell me... Or change it
> > on github, that's why it's there.
> >
> > First is this an upgraded domain? Or a new domain?
> >
> > What does `getent passwd username` tell you?
> > Same for `id username`.
> >
> > I would try the following.
> > Run: net cache flush and try again, if that does not work then
> > check the next..
> >
> >
> >
> > Review your config based on this member howto.
> > https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
> > That is a 100% working setup for stretch, if you did use it, then
> > you missed something. .. You are missing some things in your
> > smb.conf..
> >
> > Like (optional)
> > idmap config NTDOM : unix_nss_info = yes
> >
> > # set this one and run net cache flush again.
> >
> > And
> > # User Administrator workaround, without it you are unable to set privileges
> > # !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
> > # If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
> > username map = /etc/samba/samba_usermapping
>
> well, I have been working on this issue quite a bit, lately.
>
> The working recipe for me was:
> 1) configure sssd to fetch users from ad;

winbind will do this as well, provided the correct info is in AD.

> 2) configure winbind to fetch sid/uid and sid/gid mappings from nss
> (with idmap_nss);

Do you have users & groups in /etc/passwd & /etc/group that are also in
AD? I ask this because idmap_nss maps Unix users & groups (i.e. those
in /etc/passwd & /etc/group) to users & groups in AD.

> 3) provide group 'domain users' with a valid gidNumber:

And that was your problem all along, Domain Users must have a gidNumber
attribute if you want to use the winbind 'ad' backend.

> it looks like the
> prescription from idmap_ad "Winbind will only map users that have a
> uidNumber and whose primary group have a gidNumber attribute set."
> holds for idmap_nss as well.
>
> If you plan to use sssd on Debian, beware of:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772695 (workaround:
> compile samba on your own).
>

That is a 3-year-old bug report, a lot has changed in Samba since then,
mind you I wouldn't use sssd anyway, you do not need it.

Rowland
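
The rule quoted in the thread ("Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set") can be checked offline against a directory export. The following is an added example, not part of the original messages and not Samba code: the domain SID, accounts and the `unmappable_users` helper are constructed for illustration, and it assumes the standard AD attributes `sAMAccountName`, `uidNumber`, `gidNumber`, `primaryGroupID` and `objectSid`.

```python
# Added illustration: a simplified model of the idmap_ad rule quoted above.
# All records below are constructed sample data, not taken from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

GROUPS = [
    # Domain Users (RID 513) without a gidNumber: the situation from the thread.
    {"sAMAccountName": "Domain Users", "objectSid": DOMAIN_SID + "-513"},
    {"sAMAccountName": "unixstaff", "objectSid": DOMAIN_SID + "-1105",
     "gidNumber": 10001},
]

USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10010, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 10011, "primaryGroupID": 1105},
    {"sAMAccountName": "carol", "primaryGroupID": 1105},  # no uidNumber
]


def rid(sid):
    """Return the relative identifier, i.e. the last component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def unmappable_users(users, groups):
    """Return {username: reason} for accounts that fail the quoted rule."""
    # primaryGroupID stores only the RID of the user's primary group,
    # so index the groups by the RID taken from their objectSid.
    by_rid = {rid(g["objectSid"]): g for g in groups}
    problems = {}
    for user in users:
        name = user["sAMAccountName"]
        if "uidNumber" not in user:
            problems[name] = "user has no uidNumber"
            continue
        group = by_rid.get(user["primaryGroupID"])
        if group is None:
            problems[name] = "primary group RID %d not found" % user["primaryGroupID"]
        elif "gidNumber" not in group:
            problems[name] = "primary group '%s' has no gidNumber" % group["sAMAccountName"]
    return problems


if __name__ == "__main__":
    for name, reason in sorted(unmappable_users(USERS, GROUPS).items()):
        print("%s: %s" % (name, reason))
```
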