[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.

Sun Jul 24 20:01:13 UTC 2022

On Sun, 2022-07-24 at 18:42 +0000, Geoff Bland via samba wrote:
> I have an UNRAID server, UNRAID allows shares with Samba via Windows
> AD access rights.
> 
> I have recently upgraded to the latest UNRAID server version, 6.10.2
> and now several of my Windows users cannot connect to any shares on
> UNRAID - most can however.
> 
> I am not the only UNRAID user affected - the same issue has been
> reported several times on the UNRAID forum with users upgrading to
> the same version. Unfortunately none of us are Samba experts.
> 
> We have had no solution to this yet but it was suggested that we
> should try asking on the Samba forums to see if anyone there has any
> idea.
> For my setup (other UNRAID users have different setups but the same
> issues) I have 2 Windows Server 2022 boxes running as domain
> controllers. Both also run DNS and DHCP. Both have static IP
> addresses. The UNRAID box has the 2 Windows Server for DNS and is
> "joined" to this domain.
> The syslog is continually spitting out this error “Jul 15 21:58:49
> UNRAID01 smbd[****]:   check_account: Failed to convert SID S-1-5-21-
> XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 to a UID (dom_user[DOMAIN\username)”
> for all users with the issue.
> 
> I can do a "wbinfo -n" and that works OK but a "wbinfo -i" fails with
> WBC_ERR_DOMAIN_NOT_FOUND.
> 
> root at UNRAID01:~# wbinfo -n "DOMAIN\\user"
> 
> S-1-5-21- XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 SID_USER (1)
> 
> root at UNRAID01:~# wbinfo -i " DOMAIN\\username"
> 
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> 
> Could not get info for user DOMAIN\username
> 
> As far as I can tell the Samba service is connected to the AD domain
> and the idmap mappings are set correctly, I think these are the
> relevant samba.conf settings and they all look correct to me(?):
> ntlm auth = Yesworkgroup = SHORTDOMAINNAMErealm = FQDOMAINNAMEidmap
> config * : backend = hashidmap config * : range = 10000-
> 4000000000winbind use default domain = Yesldap ssl = Nont acl support
> = Yesacl map full control = Yesacl group control = Yesinherit acls =
> Yesinherit permissions = Yesmap acl inherit = Yesdos filemode =
> Yesstore dos attributes = Yes
> 
> Samba in use is 4.15.7 
> root at UNRAID01:~# smbd -VVersion 4.15.7 
> Why are we getting this “Failed to convert SID” error for some of our
> users? What should I investigate next?

The 'idmap config * : backend = hash' sort of jumped out at me, but now
that I have had more time to decipher and examine the smb.conf, I have
a few questions:

Is the UNRAID machine supposed to be joined to the domain ?
If not, then why not ? 
Also, if it isn't joined to the domain, why is Winbind running ?
If winbind isn't running, why do you have the 'idmap config' lines ?

If the machine is supposed to be joined to the domain, then that
smb.conf is quite possibly the worst one I have ever seen.

Rowland