[Samba] Could not convert sid: NT_STATUS_NO_SUCH_USER

[Francesco Malvezzi]

>> well, I have been working on this issue quite a bit, lately.
>>
>> The working recipe for me was:
>> 1) configure sssd to fetch users from ad;
> 
> winbind will do this as well, provided the correct info is in AD.

yes, thank you,

> 
>> 2) configure winbind to fetch sid/uid and sid/gid mappings from nss
>> (with idmap_nss);
> 
> Do you have users & groups in /etc/passwd & /etc/group that are also in
> AD, I ask this because idmap_nss maps Unix users & groups (i.e. those
> in /etc/passwd & /etc/group) to users & groups in AD.

Just one of them. There is a single unix user from /etc/passwd which is
mirrored in AD.

> 
>> 3) provide group 'domain users' with a valid gidNumber:
> 
> And that was your problem all along, Domain Users must have a gidnumber
> attribute if you want to use the winbind 'ad' backend.

yes, checked with idmap_ad and it works now

> 
>> it looks the
>> prescription from idmap_ad "Winbind will only map users that have a
>> uidNumber and whose primary group have a gidNumber attribute set."
>> holds for idmap_nss as well.
>>
>> If you plan to use sssd on Debian, beware of:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772695 (workaround:
>> compile samba by your own).
>>
> 
> That is a 3 year old bug report, a lot has changed in Samba since then,
> mind you I wouldn't use sssd anyway, you do not need it.

your work is great. By the way: with samba-4.8.0 I liked a lot that a
working winbindd is required.

Till now we leveraged the fact we have all users stemming from a single
OpenLDAP server either syncrepl-ed to the samba NT domains or replicated
via lsc to the samba AD domains. When linux servers got nss work with
OpenLDAP, uidnumbers magically matched with samba and it took me often
time to recall how it was possible, because nothing was explicit.

Now we have to run winbind and either through idmap_nss or idmap_ad
configuration files clearly explain what it is happening.

thank you,

Francesco