[Samba] check_account: Failed to convert SID messages in a log

Rowland Penny rpenny at samba.org
Fri Dec 10 16:17:07 UTC 2021


On Fri, 2021-12-10 at 16:56 +0100, Jan Gregor via samba wrote:
> Hello,
>   after installation of security update in debian buster (samba 4.9.5) I
> see in a log file messages like
> 
>  smbd[13923]:   check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1143 to a UID (dom_user[INTERSTAT\is48$])
> 
>  The messages are logged in domain member that acts as a file server in AD.
> SID belongs to client computer that connects to the file server, it seems
> like samba wants uidNumber also for SID of domain computers. Of course
> uidNumber are setup for all domain users.

It is just telling you that it cannot convert a computer SID to a UID,
probably because the computer does not have a uidNumber attribute.
A computer object is very similar to a user object, mainly one more
objectclass (objectclass: computer) and the primaryGroupID is '515'
instead of '513'.

> 
>  Content of smbd.conf in domain member is ...
> 
> [global]
>         netbios name = SRV2
>         realm = AD.INTERSTAT.CZ
>         server role = member server
>         workgroup = INTERSTAT
>         idmap_ldb:use rfc2307 = yes

You only use that line on a DC.

> 
>         username map = /etc/samba/user.map
> 
>         printing = CUPS
>         rpc_server:spoolss = external
>         rpc_daemon:spoolssd = fork
>         spoolss: architecture = Windows x64
> 
>         security = ADS
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
> 
>         idmap config INTERSTAT:backend = ad
>         idmap config INTERSTAT:schema_mode = rfc2307
>         idmap config INTERSTAT:range = 10000-999999
>         idmap config INTERSTAT:unix_nss_info = yes
> 
>         map acl inherit = yes
>         store dos attributes = yes
> 
> 
>         winbind enum users = yes
>         winbind enum groups = yes

I would turn those lines off, they really only slow things down.

>         winbind use default domain = yes
> 
>         acl allow execute always = yes
> 
>         #minimum uid that can be mapped to domain user, should be 0 to map domain administrator
>         min domain uid = 0

You do not seem to have 'vfs objects = acl_xattr' set.

Rowland
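
Added example, not part of the reply above and not Samba project code: a small Python triage of the check_account messages quoted in this thread, which groups the SID-to-UID failures by account and marks names ending in `$` as computer accounts. The `exampleuser` entry and its SID in the sample are constructed.

```python
import re
from collections import Counter

# Sample input: the first entry is the message quoted in the post (repeated once
# more wrapped the way the mail client wrapped it); the "exampleuser" entry and
# its SID are constructed for illustration.
SAMPLE_LOG = """\
smbd[13923]:   check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1143 to a UID (dom_user[INTERSTAT\\is48$])
smbd[13923]:   check_account: Failed to convert SID
S-1-5-21-654011520-1046832706-1751360447-1143 to a UID
(dom_user[INTERSTAT\\is48$])
smbd[14002]:   check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-2001 to a UID (dom_user[INTERSTAT\\exampleuser])
smbd[14002]:   some unrelated message
"""

FAILED = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-[\d-]+) to a UID "
    r"\(dom_user\[(?P<domain>[^\\\]]+)\\(?P<name>[^\]]+)\]\)"
)


def triage(log_text):
    """Group check_account SID-to-UID failures by account."""
    flat = " ".join(log_text.split())  # undo line wrapping and runs of spaces
    counts = Counter(
        (m["domain"], m["name"], m["sid"]) for m in FAILED.finditer(flat)
    )
    report = []
    for (domain, name, sid), n in sorted(counts.items()):
        report.append({
            "account": f"{domain}\\{name}",
            "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]),
            # Heuristic: machine account names end in "$".
            "kind": "computer" if name.endswith("$") else "user",
            "count": n,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print("{count:4d}  {kind:8s}  {account}  {sid}".format(**row))
```

Rows of kind `computer` match the case discussed in this thread; a row of kind `user` would point at an account whose uidNumber attribute is worth checking.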




