[Samba] check_account: Failed to convert SID to a UID
Rowland Penny
rpenny at samba.org
Tue Jan 18 14:33:17 UTC 2022
On Tue, 2022-01-18 at 13:19 +0000, Dermot via samba wrote:
> On Tue, 18 Jan 2022 at 12:18, Rowland Penny via samba <
>
> >
> > Where, on the page you linked to, does it say to use the REALM and
> > 'tdb' for the main domain ?
> >
>
> On this page https://wiki.samba.org/index.php/Idmap_config_rid
>
> I think* the problem was with whitespace in the config file. The file
> looked like this:
>
> ..
> idmap config * : backend = tdb
> idmap config * : range = 3001-7999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100000-999999
>
> Once I removed the excess space and ran `smbcontrol all reload-config &&
> testparm /etc/samba/smb.conf`, the output looked like this:
>
> log file = /var/log/samba/log.%m
> logging = file
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> panic action = /usr/share/samba/panic-action %d
> realm = SCIENCEPHOTO.LOCAL
> security = ADS
> server role = member server
> server string = %h server (Samba, Image Server)
> template homedir = /home/%U
> template shell = /bin/bash
> unix extensions = No
> usershare allow guests = Yes
> winbind use default domain = Yes
> wins server = 192.168.0.134
'wins' on an AD DC ? AD uses DNS.
> workgroup = SCIENCEPHOTO
> idmap config sciencephoto : range = 100000-999999
> idmap config sciencephoto : backend = rid
> idmap config * : range = 3001-7999
> idmap config * : backend = tdb
That's better
> > The other question is, you are showing '.local' as your TLD, if this
> > isn't sanitisation, then why ?
> >
>
> '.local' is the TLD for the AD server. It has a cname/alias when the
> domain was set-up decades ago. It was given that TLD as it required one
> and wanted to be authoritative for that domain. We didn't want it being
> authoritative for our '.com' TLD.
Then you should have used a subdomain e.g. ad.domain.com
>
>
> > Set your domain lines like this:
> >
> > idmap config MYDOM : range = 100000-999999
> > idmap config MYDOM : backend = rid
> >
> > Rowland
> >
> >
> I'm getting a slightly different error message now:
>
> check_account: Failed to find local account with UID 101187 for SID
> S-1-5-21-4119587049-2642091325-2419064500-1187
> (dom_user[MYDOM\auser])
Is libnss-winbind set up correctly, or to put it another way, have you
installed the following packages:
libnss-winbind libpam-winbind libpam-krb5
And set winbind in the passwd & group lines in /etc/nsswitch.conf
Rowland
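
Added example, not part of the original thread and not Samba's own code: with the rid backend the Unix ID is RID - base_rid + the low end of the idmap range (base_rid assumed to be its default of 0), which is why the SID ending in 1187 maps to UID 101187 in the error above. The helper names below are hypothetical; they compute that expected ID and check that the passwd and group lines of an nsswitch file list winbind.

```shell
#!/bin/sh
# Added example: diagnostic helpers for an idmap_rid domain member.
# Function names are hypothetical; nothing here ships with Samba.

# Print the Unix ID idmap_rid would assign to a SID:
#   ID = RID - base_rid + low   (base_rid assumed 0, its default)
# Returns 1 if the ID falls above the range, 2 if the RID is not numeric.
rid_to_uid() {
    sid=$1 low=$2 high=$3
    rid=${sid##*-}                       # last SID component is the RID
    case $rid in ''|*[!0-9]*) return 2 ;; esac
    uid=$((rid + low))
    [ "$uid" -le "$high" ] || return 1
    echo "$uid"
}

# Succeed if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }               # ignore comments
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Run both checks; $4 defaults to the system nsswitch.conf.
check_idmap() {
    sid=$1 low=$2 high=$3 nss=${4:-/etc/nsswitch.conf}
    uid=$(rid_to_uid "$sid" "$low" "$high") || {
        echo "RID of $sid does not fit in $low-$high"; return 1; }
    echo "expected UID: $uid"
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" || {
            echo "winbind missing from '$db' line in $nss"; return 1; }
    done
    echo "nsswitch OK; confirm with: getent passwd $uid"
}

# Usage with the SID and range from the thread:
#   check_idmap S-1-5-21-4119587049-2642091325-2419064500-1187 100000 999999
```

If `check_idmap` passes but `getent passwd` still returns nothing for the ID, the NSS library itself (libnss-winbind) is the next thing to check.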