[Samba] Contingency server permission error

Rowland Penny rpenny at samba.org
Sat Dec 10 12:04:40 UTC 2022



On 10/12/2022 10:52, Luis Peromarta via samba wrote:
> Dear all,
> 
> I have a file server (domain member) running Version 4.9.5-Debian for a good few years now. 3 DCs running samba 4.17. No issues whatsoever except for these errors in logs: (192.168.0.9.log)
> 
> [2022/12/10 11:17:06.937222,  0] ../source3/auth/auth_util.c:1897(check_account)
>    check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
> 
> System seems to just work fine.
> 
> If you try
> 
> #wbinfo --sid-to-uid S-1-5-21-2152908145-95474353-1514027631-6608
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2152908145-95474353-1514027631-6608 to uid
> 
> 
> I am not sure if this is very important or not. All is working just fine.
> 
> smb.conf is:
> 
> [global]
>         security = ADS
>         workgroup = MAD
>         realm = MAD.MATER.INT
>         netbios name = SERVER
>         log file = /var/log/samba/%m.log
> 
> # To enable Group Policy application in winbind,
> 	apply group policies = yes
> 
> # Configure Samba to Work Better with Mac OS X
> 	min protocol = SMB2
> 	ea support = yes
> 	vfs objects = fruit streams_xattr
> 	fruit:aapl = yes
> 	fruit:metadata = stream
> 	fruit:model = RackMac
> 	fruit:posix_rename = yes
> 	fruit:veto_appledouble = yes
> 	fruit:wipe_intentionally_left_blank_rfork = yes
> 	fruit:delete_empty_adfiles = yes
> 
>         # Default ID mapping configuration for local BUILTIN accounts
> 
> 	idmap config * : backend = tdb
> 	idmap config * : range = 3000-7999
> 
> 	# idmap config for the MAD domain
> 
> 	idmap config MAD:backend = ad
> 	idmap config MAD:schema_mode = rfc2307
> 	idmap config MAD:range = 10000-999999
> 
> 	# winbind config:
> 
> 	winbind nss info = rfc2307
> 	winbind use default domain = yes
> #	winbind enum users = yes
> #	winbind enum groups = yes
> 
> 	# renew the kerberos ticket
> 
> 	winbind refresh tickets = Yes
> 	dedicated keytab file = /etc/krb5.keytab
> 	kerberos method = secrets and keytab
> #	username map = /etc/samba/user.map
> 
> 	# To configure shares using extended access control lists (ACL)
> 	vfs objects = acl_xattr
> 	map acl inherit = yes
> 	store dos attributes = yes
> 
> 	# Veto Files
>          veto files = /Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/$
>          delete veto files = yes
> 
> [personales]
> 	path = /home/users/
> 	read only = no
> 	hide unreadable = yes
> 	hide unwriteable files = yes
> #	browseable = no
> 
> [shares]
> 	path = /home2/shares/
> 	read only = no
> 	hide unreadable = yes
> 	hide unwriteable files = yes
> 
> 
> 
> Any ideas on why these errors are showing up?
> 

Yes.

Oh, you mean, 'will someone explain why this is happening' :-D

You are using the 'ad' backend and your user 'itpc01$' is a special 
user, this is because it is a computer (the only real difference between 
a user and a computer in AD, is one objectclass 'objectclass=computer'). 
You cannot get a UID for various reasons, the most obvious one is that 
you probably haven't given your computers a uidNumber attribute.

There is nothing to worry about.

Rowland
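
A log triage sketch for the case discussed in this thread, added here as an example and not code from either poster or from the Samba project: it splits `check_account` SID-to-UID failures into machine accounts (name ending in `$`), which is the case the reply above explains, and ordinary user accounts, which would be worth checking for a missing uidNumber. The sample log is constructed from the line in the post; the second account and its SID are invented, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the two-line log format shown in the post.
# The first account is the one from the post; "exampleuser" and its SID
# are invented for illustration.
SAMPLE_LOG = r"""
[2022/12/10 11:17:06.937222,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
[2022/12/10 11:19:41.120934,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
[2022/12/10 11:25:02.551870,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-1111111111-2222222222-3333333333-1234 to a UID (dom_user[MAD\exampleuser])
"""

# Matches the message line only, so the timestamp header line is skipped.
FAILURE = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-[\d-]+) to a UID "
    r"\(dom_user\[(?P<domain>[^\\\]]+)\\(?P<name>[^\]]+)\]\)"
)


def triage(log_text):
    """Return (machine, user) Counters keyed by (DOMAIN\\name, SID)."""
    machine, user = Counter(), Counter()
    for m in FAILURE.finditer(log_text):
        key = (f"{m['domain']}\\{m['name']}", m["sid"])
        # Machine (computer or trust) account names end in '$'.
        bucket = machine if m["name"].endswith("$") else user
        bucket[key] += 1
    return machine, user


def report(log_text):
    """Format one line per failing account, machine accounts first."""
    machine, user = triage(log_text)
    lines = []
    for label, bucket in (("machine", machine), ("user", user)):
        for (account, sid), count in sorted(bucket.items()):
            lines.append(f"{label:8}{count:4}  {account}  {sid}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Entries in the `user` bucket are the ones to follow up with `wbinfo --sid-to-uid`, as in the original post.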



