[Samba] check_account: Failed to convert SID to a UID

Dermot paikkos at googlemail.com
Tue Jan 18 15:02:21 UTC 2022


On Tue, 18 Jan 2022 at 14:33, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Tue, 2022-01-18 at 13:19 +0000, Dermot via samba wrote:
> > On Tue, 18 Jan 2022 at 12:18, Rowland Penny via samba <
> >
> > >
> > > Where, on the page you linked to, does it say to use the REALM and
> > > 'tdb' for the main domain ?
> > >
> >
> > On this page https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > I think* the problem was with whitespace in the config file. The file
> > looked like this:
> >
> > ..
> > idmap config * :              backend = tdb
> > idmap config * :              range   = 3001-7999
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range   = 100000-999999
> >
>
> > Once I removed the excess space and ran `smbcontrol all reload-config &&
> > testparm /etc/samba/smb.conf`, the output looked like this:
> >
> >         log file = /var/log/samba/log.%m
> >         logging = file
> >         map to guest = Bad User
> >         max log size = 1000
> >         obey pam restrictions = Yes
> >         panic action = /usr/share/samba/panic-action %d
> >         realm = SCIENCEPHOTO.LOCAL
> >         security = ADS
> >         server role = member server
> >         server string = %h server (Samba, Image Server)
> >         template homedir = /home/%U
> >         template shell = /bin/bash
> >         unix extensions = No
> >         usershare allow guests = Yes
> >         winbind use default domain = Yes
> >         wins server = 192.168.0.134
>
> 'wins' on an AD DC ? AD uses DNS.
>
> >         workgroup = SCIENCEPHOTO
> >         idmap config sciencephoto : range = 100000-999999
> >         idmap config sciencephoto : backend = rid
> >         idmap config * : range = 3001-7999
> >         idmap config * : backend = tdb
>
> That's better
>
> > > The other question is, you are showing '.local' as your TLD, if
> > > this
> > > isn't sanitisation, then why ?
> > >
> >
> > '.local' is the TLD for the AD server. It had a cname/alias when the
> > domain was set up decades ago. It was given that TLD as it required one
> > and wanted to be authoritative for that domain. We didn't want it being
> > authoritative for our '.com' TLD.
>
> Then you should have used a subdomain e.g. ad.domain.com
>
> That's going to be challenging to correct now.


> >
> >
> > > Set your domain lines like this:
> > >
> > >         idmap config MYDOM : range = 100000-999999
> > >         idmap config MYDOM : backend = rid
> > >
> > > Rowland
> > >
> > >
> > I'm getting a slightly different error message now:
> >
> >  check_account: Failed to find local account with UID 101187 for SID
> > S-1-5-21-4119587049-2642091325-2419064500-1187
> > (dom_user[MYDOM\auser])
>
> Is libnss-winbind set up correctly, or to put it another way, have you
> installed the following packages:
> libnss-winbind libpam-winbind libpam-krb5
>

Bingo!  I was missing libnss-winbind and libpam-winbind.

All working now. Thank you Rowland.


> And set winbind in the passwd & group lines in /etc/nsswitch.conf
>
> Rowland
>
>
>
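As an added worked example (not code from the thread, and not Samba's own tooling), the Python below checks the three things that went wrong above: it parses the `idmap config` lines of an smb.conf-style text (tolerating the extra whitespace in the first posting), verifies that every domain has both a backend and a range and that no two ranges overlap, and checks that the passwd and group lines of /etc/nsswitch.conf include winbind. It also predicts the UID the idmap_rid backend assigns to a SID, assuming the documented rule UID = RID - base_rid + low end of the range with base_rid defaulting to 0; that is what turns RID 1187 in the range 100000-999999 into the UID 101187 from the second error message. The smb.conf text and the nsswitch.conf fragments are constructed for the example.

```python
"""Offline sanity check for Samba member-server idmap/winbind settings.

Added example; not from the list thread or the Samba project. The config
text below is constructed from the corrected settings posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf excerpt (corrected idmap lines from the thread).
SMB_CONF = """
[global]
        workgroup = SCIENCEPHOTO
        realm = SCIENCEPHOTO.LOCAL
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 3001-7999
        idmap config SCIENCEPHOTO : backend = rid
        idmap config SCIENCEPHOTO : range = 100000-999999
"""

# Constructed nsswitch.conf fragments: with and without winbind.
NSSWITCH_OK = "passwd: files systemd winbind\ngroup:  files systemd winbind\nshadow: files\n"
NSSWITCH_BAD = "passwd: files systemd\ngroup:  files systemd\n"

# Domain, key and value of an 'idmap config DOM : key = value' line; the
# \s* around ':' and '=' absorbs any amount of padding.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}}; domain names are upper-cased so that
    'sciencephoto' (as testparm printed it) and 'SCIENCEPHOTO' compare equal."""
    out: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return out


def parse_range(val: str) -> Tuple[int, int]:
    """'100000-999999' -> (100000, 999999); reject empty or inverted ranges."""
    lo, hi = (int(x) for x in val.split("-", 1))
    if lo >= hi:
        raise ValueError(f"inverted range {val!r}")
    return lo, hi


def check_idmap(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """List human-readable problems; an empty list means the idmap block is sane."""
    problems: List[str] = []
    if "*" not in conf:
        problems.append("no default domain ('*') idmap config")
    ranges: List[Tuple[str, int, int]] = []
    for dom, keys in conf.items():
        for k in ("backend", "range"):
            if k not in keys:
                problems.append(f"{dom}: missing '{k}'")
        if "range" in keys:
            try:
                lo, hi = parse_range(keys["range"])
                ranges.append((dom, lo, hi))
            except ValueError:
                problems.append(f"{dom}: malformed range {keys['range']!r}")
    # Sort by low end; any neighbour whose low end is inside the previous
    # range overlaps it, which winbind will refuse.
    ranges.sort(key=lambda r: r[1])
    for (d1, _, hi1), (d2, lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges for {d1} and {d2} overlap")
    return problems


def rid_to_uid(sid: str, conf: Dict[str, Dict[str, str]], domain: str) -> int:
    """UID idmap_rid assigns: RID - base_rid + low end of range (base_rid defaults to 0).
    Only meaningful for a domain whose backend is 'rid'."""
    keys = conf[domain.upper()]
    if keys.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    lo, hi = parse_range(keys["range"])
    rid = int(sid.rsplit("-", 1)[1])          # last sub-authority is the RID
    uid = rid - int(keys.get("base_rid", "0")) + lo
    if not lo <= uid <= hi:
        raise ValueError(f"RID {rid} maps to {uid}, outside {lo}-{hi}")
    return uid


def nsswitch_uses_winbind(text: str) -> Dict[str, bool]:
    """For the passwd and group databases, report whether winbind is a source."""
    res = {"passwd": False, "group": False}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in res:
            res[db.strip()] = "winbind" in sources.split()
    return res


if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("idmap problems:", check_idmap(conf) or "none")
    sid = "S-1-5-21-4119587049-2642091325-2419064500-1187"  # SID from the thread
    print("expected UID for", sid, "->", rid_to_uid(sid, conf, "SCIENCEPHOTO"))
    print("nsswitch (ok):  ", nsswitch_uses_winbind(NSSWITCH_OK))
    print("nsswitch (bad): ", nsswitch_uses_winbind(NSSWITCH_BAD))
```

On a real member server, feed it the output of `testparm -s` and the contents of /etc/nsswitch.conf instead of the constructed strings; once libnss-winbind is installed and winbind is listed for passwd and group, `getent passwd auser` (with `winbind use default domain = Yes`) and `wbinfo -S <SID>` should both return the UID the script predicts, and `check_account` stops complaining that no local account exists for it.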