[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."

Rowland Penny rpenny at samba.org
Fri Feb 18 13:07:57 UTC 2022

On Fri, 2022-02-18 at 15:39 +0300, Michael Tokarev via samba wrote:
> 18.02.2022 15:32, Peter Eriksson via samba wrote:
> > After upgrading our Sambas to 4.15.5 I’m seeing a _lot_ of errors
> > in the log files about:
> > 
> > Feb 18 13:30:13 filur01 smbd_audit[17892]: [2022/02/18
> > 13:30:13.204710,  0]
> > ../../source3/auth/auth_util.c:1928(check_account)
> > Feb 18 13:30:13 filur01 smbd_audit[17892]:   check_account: Failed
> > to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a
> > UID (dom_user[AD\iei-mvs-z-1$])
> This - at least, maybe there are other cases - happens when you have
> AD, idmap backend = ad, and idmap schema_mode = rfc2307, where you used
> uidNumber for the unix user id (uid), AND uidNumber attribute is missing
> in your data.
> For this to work, you have to have local users of the same name as the
> AD ones. Which, as I've been told here (without any explanation), should
> not be done.

If you look carefully at the 'usernames' posted, they all end with '$'.
This means that they are not normal users, they are in fact computers.
A computer is a user with an extra objectclass and a different
primaryGroupID, so you have two options here, either add a uidNumber to
the computers object, or just ignore the log messages.

I thought I had explained why you cannot have a local user and a domain
user with the same name, but here goes, let's try again.

If you do have a user in /etc/passwd and AD with the same name, then
depending on how /etc/nsswitch is configured, locally one will be used
and one will be ignored. Samba will always attempt to use the one from
AD, but if the AD user is unknown to the OS, you will get 'denied'
errors. Even if the same username is used locally and in AD, they will be different users.
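A small triage script for the two points made in this reply, added here as an example and not code from the thread or from the Samba project. The first function parses the quoted smbd_audit lines and separates failures for computer accounts (sAMAccountName ending in '$', which can be ignored or given a uidNumber) from failures for real users; the second reports usernames that exist both locally and in AD. The log lines and the two name lists are constructed stand-ins; in production you would feed the real log, `cut -d: -f1 /etc/passwd` and `wbinfo -u` output instead (the exact `wbinfo -u` format depends on `winbind use default domain`, so treat that as an assumption).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All input below is constructed.

# Constructed log lines modelled on the check_account message quoted in the thread.
SAMPLE_LOG='Feb 18 13:30:13 filur01 smbd_audit[17892]:   check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\iei-mvs-z-1$])
Feb 18 13:31:02 filur01 smbd_audit[17892]:   check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1111 to a UID (dom_user[AD\jdoe])'

# Constructed stand-ins for `cut -d: -f1 /etc/passwd` (local) and `wbinfo -u` (AD).
LOCAL_USERS='root
daemon
jdoe
backup'
AD_USERS='jdoe
asmith
iei-mvs-z-1$'

# Emit "<SID> <DOM\name> computer|user" for every failed SID-to-UID conversion.
# A trailing '$' marks a computer object; those are the ones the reply says can
# be ignored (or fixed by adding a uidNumber). Plain users missing uidNumber
# need fixing in AD.
classify_failures() {
    printf '%s\n' "$SAMPLE_LOG" |
    sed -n 's/.*Failed to convert SID \([^ ]*\) to a UID (dom_user\[\([^]]*\)\]).*/\1 \2/p' |
    while read -r sid name; do
        case "$name" in
            *\$) printf '%s %s computer\n' "$sid" "$name" ;;
            *)   printf '%s %s user\n' "$sid" "$name" ;;
        esac
    done
}

# Print names present both in the local passwd list and in AD. Samba will use
# the AD account, nsswitch may hand the OS the local one, and the two are
# different users, which is where the 'denied' errors come from.
find_collisions() {
    tmp="${TMPDIR:-/tmp}"
    printf '%s\n' "$LOCAL_USERS" | sort > "$tmp/local_users.$$"
    printf '%s\n' "$AD_USERS" | sort > "$tmp/ad_users.$$"
    comm -12 "$tmp/local_users.$$" "$tmp/ad_users.$$"
    rm -f "$tmp/local_users.$$" "$tmp/ad_users.$$"
}

# Stand-alone run: show both reports.
classify_failures
find_collisions
```

Running it prints the computer account `AD\iei-mvs-z-1$` tagged `computer`, `AD\jdoe` tagged `user`, and `jdoe` as the one local/AD name collision.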