[Samba] check_account: Failed to convert SID to a UID

Rowland Penny rpenny at samba.org
Tue Jan 18 12:17:25 UTC 2022


On Tue, 2022-01-18 at 11:57 +0000, Dermot via samba wrote:
>  Hi
> 
> 
> *smbd, winbindd Version 4.13.14-Ubuntu 20.4.3 LTS *
> 
> I am struggling to get a newly installed AD member server to allow
> access to its shares. I am seeing this error in the connecting host's
> log file:
> "check_account: Failed to convert SID
> S-1-5-21-4100087049-264025-2419064500-1164
> to a UID (dom_user[MYDOM\auser])"
> 
> The log.winbindd-idmap file has this error:
> Error allocating a new GID
> Fatal Error: GID range full!! (max: 7999)
> 
> `wbinfo -u` returns a list of users. However `wbinfo -i` gives the
> following warning:
> 
> Name              :  MYDOM
> Alt_Name          : mydom.local
> SID               : S-1-5-21-4119587049-2642091325-2419064500
> Active Directory  : Yes
> Native            : Yes
> Primary           : Yes
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user auser
> 
> Another worrying sign is that `getent passwd auser` returns nothing.
> 
> I thought I'd set up the server correctly following
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> instructions but perhaps I've missed something.

No, you haven't set up your smb.conf correctly.

> 
> Can anyone offer any suggestions?
> Thanks in advance,
> Dermot
> 
> 
> ==========
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
>         load printers = No
>         log file = /var/log/samba/log.%m
>         logging = file
>         map to guest = Bad User
>         max log size = 1000
>         obey pam restrictions = Yes
>         panic action = /usr/share/samba/panic-action %d
>         realm = MYDOM.LOCAL
>         security = ADS
>         server role = member server
>         server string = %h server (Samba,  Server)
>         template shell = /bin/bash
>         unix extensions = No
>         usershare allow guests = Yes
>         winbind use default domain = Yes
>         wins server = 192.168.0.134
>         workgroup = MYDOM
>         idmap config MYDOM.local : range = 100000-999999
>         idmap config MYDOM.local : backend = tdb

Where, on the page you linked to, does it say to use the REALM and
'tdb' for the main domain ?

>         idmap config * : range = 3000-7999

Guess where all your users and groups are?

The other question is, you are showing '.local' as your TLD, if this
isn't sanitisation, then why ?

Set your domain lines like this:

        idmap config MYDOM : range = 100000-999999
        idmap config MYDOM : backend = rid

Rowland
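
An added example, not part of the thread and not Samba project code: a Python check that reads smb.conf text and reports the idmap problems the reply points at, then computes the ID the rid backend would give the SID from the error once the domain range applies. The function names are hypothetical, the sample config is constructed from the lines quoted above, and the rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) is taken from the idmap_rid manual page rather than from this thread.

```python
import re

# Constructed sample: the identity-mapping lines from the smb.conf quoted in the thread.
BROKEN = """\
[global]
    realm = MYDOM.LOCAL
    workgroup = MYDOM
    idmap config MYDOM.local : range = 100000-999999
    idmap config MYDOM.local : backend = tdb
    idmap config * : range = 3000-7999
"""
# The same lines with the two domain lines from the reply swapped in.
FIXED = BROKEN.replace("MYDOM.local :", "MYDOM :").replace("backend = tdb", "backend = rid")

IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)
PARAM = re.compile(r"^\s*(workgroup|realm)\s*=\s*(\S+)", re.I)

def parse(text):
    """Return ({workgroup, realm}, {DOMAIN: {option: value}}) from smb.conf text."""
    params, idmap = {}, {}
    for line in text.splitlines():
        if m := IDMAP.match(line):
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif m := PARAM.match(line):
            params[m.group(1).lower()] = m.group(2).upper()
    return params, idmap

def check(text):
    """List the idmap problems raised in the reply; an empty list means none found."""
    params, idmap = parse(text)
    wg, realm = params.get("workgroup"), params.get("realm")
    problems = []
    for dom, opts in idmap.items():
        if dom != "*" and dom == realm and dom != wg:
            problems.append(f"idmap config is keyed on the realm {dom}, not the workgroup {wg}")
        if dom != "*" and opts.get("backend") == "tdb":
            problems.append(f"backend tdb is set for {dom}; the reply sets rid for the main domain")
    if wg not in idmap:
        fallback = idmap.get("*", {}).get("range", "unset")
        problems.append(f"no idmap config for {wg}: its IDs come from the '*' range {fallback}")
    return problems

def rid_backend_id(sid, low, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return int(sid.rsplit("-", 1)[1]) - base_rid + low

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check(conf) or "ok")
    print(rid_backend_id("S-1-5-21-4100087049-264025-2419064500-1164", 100000))
```

After changing the idmap lines, `testparm -s` shows the configuration Samba actually loads, and `getent passwd auser` should then return an entry.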



