[Samba] Contingency server permission error

Luis Peromarta lperoma at icloud.com
Sat Dec 10 14:24:33 UTC 2022


Cheers Rowland. Always learning something. 

All the best. 


> On 10 Dec 2022, at 12:05, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> 
> 
>> On 10/12/2022 10:52, Luis Peromarta via samba wrote:
>> Dear all,
>> I have a file server (domain member) running Version 4.9.5-Debian for a good few years now. 3 DCs running samba 4.17. No issues whatsoever except for these errors in logs: (192.168.0.9.log)
>> [2022/12/10 11:17:06.937222,  0] ../source3/auth/auth_util.c:1897(check_account)
>>   check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
>> System seems to just work fine.
>> If you try
>> #wbinfo --sid-to-uid S-1-5-21-2152908145-95474353-1514027631-6608
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-2152908145-95474353-1514027631-6608 to uid
>> I am not sure if this is very important or not. All is working just fine.
>> smb.conf is:
>> [global]
>>        security = ADS
>>        workgroup = MAD
>>        realm = MAD.MATER.INT
>>        netbios name = SERVER
>>        log file = /var/log/samba/%m.log
>> # To enable Group Policy application in winbind,
>>    apply group policies = yes
>> # Configure Samba to Work Better with Mac OS X
>>    min protocol = SMB2
>>    ea support = yes
>>    vfs objects = fruit streams_xattr
>>    fruit:aapl = yes
>>    fruit:metadata = stream
>>    fruit:model = RackMac
>>    fruit:posix_rename = yes
>>    fruit:veto_appledouble = yes
>>    fruit:wipe_intentionally_left_blank_rfork = yes
>>    fruit:delete_empty_adfiles = yes
>>        # Default ID mapping configuration for local BUILTIN accounts
>>    idmap config * : backend = tdb
>>    idmap config * : range = 3000-7999
>>    # idmap config for the MAD domain
>>    idmap config MAD:backend = ad
>>    idmap config MAD:schema_mode = rfc2307
>>    idmap config MAD:range = 10000-999999
>>    # winbind config:
>>    winbind nss info = rfc2307
>>    winbind use default domain = yes
>> #    winbind enum users = yes
>> #    winbind enum groups = yes
>>    # renew the kerberos ticket
>>    winbind refresh tickets = Yes
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>> #    username map = /etc/samba/user.map
>>    # To configure shares using extended access control lists (ACL)
>>    vfs objects = acl_xattr
>>    map acl inherit = yes
>>    store dos attributes = yes
>>    # Veto Files
>>         veto files = /Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/$
>>         delete veto files = yes
>> [personales]
>>    path = /home/users/
>>    read only = no
>>    hide unreadable = yes
>>    hide unwriteable files = yes
>> #    browseable = no
>> [shares]
>>    path = /home2/shares/
>>    read only = no
>>    hide unreadable = yes
>>    hide unwriteable files = yes
>> Any ideas on why these errors are showing up?
> 
> Yes.
> 
> Oh, you mean, 'will someone explain why this is happening' :-D
> 
> You are using the 'ad' backend and your user 'itpc01$' is a special user, this is because it is a computer (the only real difference between a user and a computer in AD, is one objectclass 'objectclass=computer'). You cannot get a UID for various reasons, the most obvious one is that you probably haven't given your computers a uidNumber attribute.
> 
> There is nothing to worry about.
> 
> Rowland
> 
> 
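A log-triage sketch for the situation Rowland describes, added here as an example and not code from the thread or from Samba: it parses the two-line `check_account` entries and separates failures for computer accounts (expected with the `ad` backend when no uidNumber is set) from failures for ordinary users, which deserve a look. Treating a trailing `$` as a computer account, the name `triage`, and every sample entry after the first are assumptions of this example.

```python
import re

# Constructed sample in the two-line layout of the log quoted above. Only the
# first entry comes from the thread; the other timestamps, SID and name are made up.
SAMPLE_LOG = r"""[2022/12/10 11:17:06.937222,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
[2022/12/10 11:19:41.120034,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
[2022/12/10 11:25:02.551908,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-1111111111-2222222222-3333333333-1234 to a UID (dom_user[MAD\exampleuser])
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]")
FAILURE = re.compile(
    r"check_account: Failed to convert SID (S-1-[0-9-]+) to a UID "
    r"\(dom_user\[([^\\\]]+)\\([^\]]+)\]\)"
)

def triage(log_text):
    """Group SID-to-UID failures by account; split machine from user accounts."""
    seen = {}        # (domain, account) -> summary record
    last_ts = None   # timestamp taken from the most recent header line
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            last_ts = header.group(1)
            continue
        hit = FAILURE.search(line)
        if not hit:
            continue
        sid, domain, account = hit.groups()
        rec = seen.setdefault((domain, account), {
            "sid": sid, "domain": domain, "account": account,
            "first_seen": last_ts, "count": 0,
            # Assumption: a trailing '$' marks a computer account name.
            "machine": account.endswith("$"),
        })
        rec["count"] += 1
    recs = list(seen.values())
    return {"machine": [r for r in recs if r["machine"]],
            "user": [r for r in recs if not r["machine"]]}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for r in result["machine"]:
        print(f"expected {r['domain']}\\{r['account']} x{r['count']} (computer account)")
    for r in result["user"]:
        print(f"check    {r['domain']}\\{r['account']}: wbinfo --sid-to-uid {r['sid']}")
```
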


