[Samba] check_account: Failed to convert SID to a UID
Dermot
paikkos at googlemail.com
Tue Jan 18 15:02:21 UTC 2022
On Tue, 18 Jan 2022 at 14:33, Rowland Penny via samba <samba at lists.samba.org>
wrote:
> On Tue, 2022-01-18 at 13:19 +0000, Dermot via samba wrote:
> > On Tue, 18 Jan 2022 at 12:18, Rowland Penny via samba <
> >
> > >
> > > Where, on the page you linked to, does it say to use the REALM and
> > > 'tdb' for the main domain ?
> > >
> >
> > On this page https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > I think* the problem was with whitespace in the config file. The file
> > looked like this:
> >
> > ..
> > idmap config * : backend = tdb
> > idmap config * : range = 3001-7999
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range = 100000-999999
> >
>
> > Once I removed the excess space and ran `smbcontrol all reload-config &&
> > testparm /etc/samba/smb.conf`, the output looked like this:
> >
> > log file = /var/log/samba/log.%m
> > logging = file
> > map to guest = Bad User
> > max log size = 1000
> > obey pam restrictions = Yes
> > panic action = /usr/share/samba/panic-action %d
> > realm = SCIENCEPHOTO.LOCAL
> > security = ADS
> > server role = member server
> > server string = %h server (Samba, Image Server)
> > template homedir = /home/%U
> > template shell = /bin/bash
> > unix extensions = No
> > usershare allow guests = Yes
> > winbind use default domain = Yes
> > wins server = 192.168.0.134
>
> 'wins' on an AD DC ? AD uses DNS.
>
> > workgroup = SCIENCEPHOTO
> > idmap config sciencephoto : range = 100000-999999
> > idmap config sciencephoto : backend = rid
> > idmap config * : range = 3001-7999
> > idmap config * : backend = tdb
>
> That's better
>
> > > The other question is, you are showing '.local' as your TLD, if this
> > > isn't sanitisation, then why ?
> > >
> >
> > '.local' is the TLD for the AD server. It has a cname/alias when the domain
> > was set-up decades ago. It was given that TLD as it required one and wanted
> > to be authoritative for that domain. We didn't want it being authoritative
> > for our '.com' TLD.
>
> Then you should have used a subdomain e.g. ad.domain.com
>
> That's going to be challenging to correct now.
> >
> >
> > > Set your domain lines like this:
> > >
> > > idmap config MYDOM : range = 100000-999999
> > > idmap config MYDOM : backend = rid
> > >
> > > Rowland
> > >
> > >
> > I'm getting a slightly different error message now:
> >
> > check_account: Failed to find local account with UID 101187 for SID
> > S-1-5-21-4119587049-2642091325-2419064500-1187
> > (dom_user[MYDOM\auser])
>
> Is libnss-winbind set up correctly, or to put it another way, have you
> installed the following packages:
> libnss-winbind libpam-winbind libpam-krb5
>
Bingo! I was missing libnss-winbind and libpam-winbind.
All working now. Thank you Rowland.
> And set winbind in the passwd & group lines in /etc/nsswitch.conf
>
> Rowland
>
>
>
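An added example, not part of the original thread and not Samba code: it parses the `idmap config` lines, applies the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID) to the SID from the error message, and checks that the `passwd` and `group` lines of nsswitch.conf list `winbind`. The smb.conf and nsswitch.conf text is constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the testparm output quoted in the thread.
SMB_CONF = """\
workgroup = SCIENCEPHOTO
idmap config sciencephoto : range = 100000-999999
idmap config sciencephoto : backend = rid
idmap config * : range = 3001-7999
idmap config * : backend = tdb
"""
# Constructed nsswitch.conf fragments: without and with winbind.
NSS_BEFORE = "passwd: files systemd\ngroup: files systemd\n"
NSS_AFTER = "passwd: files systemd winbind\ngroup: files systemd winbind\n"

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from idmap config lines."""
    domains = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[key] = val
    return domains

def rid_to_unix_id(sid, domain_cfg, base_rid=0):
    """idmap_rid mapping (base_rid assumed 0, the default); None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = domain_cfg["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def ranges_overlap(domains):
    """True if any two configured idmap ranges share an ID."""
    spans = sorted(d["range"] for d in domains.values() if "range" in d)
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))

def nss_missing_winbind(nsswitch_text):
    """Return the databases among passwd/group whose line lacks 'winbind'."""
    found = {}
    for line in nsswitch_text.splitlines():
        name, sep, sources = line.split("#", 1)[0].partition(":")
        if sep:
            found[name.strip()] = sources.split()
    return [db for db in ("passwd", "group") if "winbind" not in found.get(db, [])]
```

With the thread's range, RID 1187 maps to 101187, the UID in the second error message, so the SID-to-ID step was already working at that point and the remaining gap was the NSS lookup of that UID.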