[Samba] check_account: Failed to convert SID messages in a log
rpenny at samba.org
Fri Dec 10 16:17:07 UTC 2021
On Fri, 2021-12-10 at 16:56 +0100, Jan Gregor via samba wrote:
> after installation of security update in debian buster (samba 4.9.5) I
> see in a log file messages like
> smbd: check_account: Failed to convert SID
> S-1-5-21-654011520-1046832706-1751360447-1143 to a UID
> The messages are logged in domain member that acts as a file server
> in AD.
> SID belongs to client computer that connects to the file server, it
> like samba wants uidNumber also for SID of domain computers. Of
> uidNumber are setup for all domain users.
It is just telling you that it cannot convert a computer SID to a UID,
probably because the computer does not have a uidNumber attribute.
A computer object is very similar to a user object, mainly one more
objectclass (objectclass: computer) and the primaryGroupID is '515'
instead of '513'.
> Content of smbd.conf in domain member is ...
> netbios name = SRV2
> realm = AD.INTERSTAT.CZ
> server role = member server
> workgroup = INTERSTAT
> idmap_ldb:use rfc2307 = yes
You only use that line on a DC.
> username map = /etc/samba/user.map
> printing = CUPS
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> spoolss: architecture = Windows x64
> security = ADS
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config INTERSTAT:backend = ad
> idmap config INTERSTAT:schema_mode = rfc2307
> idmap config INTERSTAT:range = 10000-999999
> idmap config INTERSTAT:unix_nss_info = yes
> map acl inherit = yes
> store dos attributes = yes
> winbind enum users = yes
> winbind enum groups = yes
I would turn those lines off, they really only slow things down.
> winbind use default domain = yes
> acl allow execute always = yes
> #minimum uid that can be mapped to domain user, should be 0 to map domain administrator
> min domain uid = 0
You do not seem to have 'vfs objects = acl_xattr' set.
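
The three configuration remarks in the reply above can be checked mechanically. The following is an added example, not part of the original message and not a Samba project tool; the function names and the sample configuration are constructed for illustration. It assumes the parameters live in a `[global]` section, that lines are not continued with a backslash, and that any `server role` value containing "domain controller" means a DC.

```python
import re

# Constructed sample: the relevant lines of the member-server smb.conf quoted above.
SAMPLE_CONF = """\
[global]
    server role = member server
    security = ADS
    idmap_ldb:use rfc2307 = yes
    idmap config INTERSTAT:backend = ad
    winbind enum users = yes
    winbind enum groups = yes
    ; vfs objects is not set anywhere
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit_member(text):
    """Apply the three remarks from the reply; return a list of findings."""
    p, findings = parse_global(text), []
    truthy = {"yes", "true", "1", "on"}
    is_dc = "domain controller" in p.get("serverrole", "").lower()
    if "idmap_ldb:userfc2307" in p and not is_dc:
        findings.append("idmap_ldb:use rfc2307 is set, but this is not a DC")
    for key, label in (("winbindenumusers", "winbind enum users"),
                       ("winbindenumgroups", "winbind enum groups")):
        if p.get(key, "no").lower() in truthy:
            findings.append(label + " is enabled")
    if "acl_xattr" not in p.get("vfsobjects", "").split():
        findings.append("vfs objects does not include acl_xattr")
    return findings

if __name__ == "__main__":
    for finding in audit_member(SAMPLE_CONF):
        print("-", finding)
```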