[Samba] check_account: Failed to convert SID to a UID

Rowland Penny rpenny at samba.org
Tue Jan 18 14:33:17 UTC 2022


On Tue, 2022-01-18 at 13:19 +0000, Dermot via samba wrote:
> On Tue, 18 Jan 2022 at 12:18, Rowland Penny via samba <
> 
> > 
> > Where, on the page you linked to, does it say to use the REALM and
> > 'tdb' for the main domain ?
> > 
> 
> On this page https://wiki.samba.org/index.php/Idmap_config_rid
> 
> I think the problem was with whitespace in the config file. The file
> looked like this:
> 
> ..
> idmap config * :              backend = tdb
> idmap config * :              range   = 3001-7999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range   = 100000-999999
> 

> Once I removed the excess space and ran `smbcontrol all reload-config &&
> testparm /etc/samba/smb.conf`, the output looked like this:
> 
>         log file = /var/log/samba/log.%m
>         logging = file
>         map to guest = Bad User
>         max log size = 1000
>         obey pam restrictions = Yes
>         panic action = /usr/share/samba/panic-action %d
>         realm = SCIENCEPHOTO.LOCAL
>         security = ADS
>         server role = member server
>         server string = %h server (Samba, Image Server)
>         template homedir = /home/%U
>         template shell = /bin/bash
>         unix extensions = No
>         usershare allow guests = Yes
>         winbind use default domain = Yes
>         wins server = 192.168.0.134

'wins' on an AD DC? AD uses DNS.

>         workgroup = SCIENCEPHOTO
>         idmap config sciencephoto : range = 100000-999999
>         idmap config sciencephoto : backend = rid
>         idmap config * : range = 3001-7999
>         idmap config * : backend = tdb

That's better

> > The other question is, you are showing '.local' as your TLD, if this
> > isn't sanitisation, then why?
> > 
> 
> '.local' is the TLD for the AD server. It was given a CNAME/alias when the
> domain was set up decades ago. It was given that TLD as it required one and
> wanted to be authoritative for that domain. We didn't want it being
> authoritative for our '.com' TLD.

Then you should have used a subdomain e.g. ad.domain.com

> 
> 
> > Set your domain lines like this:
> > 
> >         idmap config MYDOM : range = 100000-999999
> >         idmap config MYDOM : backend = rid
> > 
> > Rowland
> > 
> > 
> I'm getting a slightly different error message now:
> 
>  check_account: Failed to find local account with UID 101187 for SID
>  S-1-5-21-4119587049-2642091325-2419064500-1187 (dom_user[MYDOM\auser])

Is libnss-winbind set up correctly, or to put it another way, have you
installed the following packages:
libnss-winbind libpam-winbind libpam-krb5

And set winbind in the passwd & group lines in /etc/nsswitch.conf

Rowland
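The two things Rowland asks about (a sane idmap layout and winbind on the passwd and group lines of nsswitch.conf) can be checked offline before touching a live member server. The script below is an added example, not code from the thread or from the Samba project. It embeds a constructed smb.conf fragment (the poster's settings without the stray whitespace) and a constructed nsswitch.conf with winbind deliberately missing from the group line, parses both, and applies the documented rid backend rule that the UID is the domain range's low value plus the RID (base_rid 0), which is exactly why RID 1187 in the error above became UID 101187. Domain name, paths and the sample configs are assumptions; the check functions generalise to any domain and range you pass in.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself: offline checks for
# an idmap_rid layout and for the winbind entries in nsswitch.conf.

# Constructed smb.conf fragment (assumed; mirrors the settings posted above).
SMB_CONF='
[global]
        workgroup = SCIENCEPHOTO
        security = ADS
        idmap config sciencephoto : range = 100000-999999
        idmap config sciencephoto : backend = rid
        idmap config * : range = 3001-7999
        idmap config * : backend = tdb
'

# Constructed nsswitch.conf (assumed): winbind is present on passwd but
# has been left off group, the kind of slip that breaks SID-to-GID lookups.
NSSWITCH='
passwd:         files systemd winbind
group:          files systemd
shadow:         files
'

# idmap_value DOMAIN KEY -> value of "idmap config DOMAIN : KEY = value".
# Domain and key match case-insensitively (testparm lower-cases the domain),
# and whitespace around ':' and '=' is ignored, so the poster's padded lines
# and the tidy ones resolve identically.
idmap_value() {
    printf '%s\n' "$SMB_CONF" | awk -v dom="$1" -v key="$2" '
        tolower($0) ~ /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            split(line, kv, "=")
            split(kv[1], dk, ":")
            d = dk[1]; k = dk[2]; v = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", d)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(d) == tolower(dom) && tolower(k) == tolower(key)) {
                print v; exit
            }
        }'
}

# rid_to_uid DOMAIN RID -> the UID idmap_rid will hand out: low range + RID.
# Prints "out-of-range" and fails if the result does not fit the range.
rid_to_uid() {
    range=$(idmap_value "$1" range)
    [ -n "$range" ] || { echo "no idmap range for $1" >&2; return 1; }
    low=${range%-*}; high=${range#*-}
    uid=$((low + $2))
    if [ "$uid" -gt "$high" ]; then echo out-of-range; return 1; fi
    echo "$uid"
}

# ranges_overlap DOMAIN_A DOMAIN_B -> success (0) if the two idmap ranges
# overlap, which Samba rejects; the domain range must not touch the '*' range.
ranges_overlap() {
    r1=$(idmap_value "$1" range); r2=$(idmap_value "$2" range)
    l1=${r1%-*}; h1=${r1#*-}; l2=${r2%-*}; h2=${r2#*-}
    [ "$l1" -le "$h2" ] && [ "$l2" -le "$h1" ]
}

# nss_has_winbind DB -> success if the nsswitch line for DB lists winbind.
nss_has_winbind() {
    printf '%s\n' "$NSSWITCH" | awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }'
}

# Stand-alone run: reproduce the mapping behind the log line in the thread
# and report the nsswitch state.
uid=$(rid_to_uid SCIENCEPHOTO 1187) && echo "RID 1187 in SCIENCEPHOTO -> UID $uid"
if ranges_overlap SCIENCEPHOTO '*'; then
    echo "WARNING: domain range overlaps the '*' range"
else
    echo "domain and '*' ranges are disjoint"
fi
for db in passwd group; do
    if nss_has_winbind "$db"; then
        echo "nsswitch $db: winbind present"
    else
        echo "nsswitch $db: winbind MISSING"
    fi
done
```

With the constructed inputs the script reports UID 101187 for RID 1187, disjoint ranges, and winbind missing from the group line; on a real host, replace the two embedded strings with the output of `testparm -s` and the contents of /etc/nsswitch.conf, and confirm the mapping end to end with `wbinfo -S <SID>` followed by `getent passwd <user>`.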
