[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.

Geoff Bland geoffblanduk at yahoo.co.uk
Sun Jul 24 21:36:03 UTC 2022

Firstly, thanks for the quick reply. 
>Is the UNRAID machine supposed to be joined to the domain ?
Yes, it is meant to be joined to the domain - although I am not 100% sure what "joined" means in terms of UNRAID. I can see the server exists in the AD domain machines (and also DNS & DHCP obviously) and the account used to connect to the domain "unraid" is a valid AD user account with Domain Admin access.
>If the machine is supposed to be joined to the domain, then that smb.conf is quite possibly the worst one I have ever seen.
Please bear in mind that there is more in the smb.conf file - I just extracted what I thought were the only relevant lines for this issue.
>I take it that UNRAID creates the smb.conf and if they did, did they not read 'man idmap_hash' ? If they did, they would have found at the top: DO NOT USE THIS PLUGIN
Yes, the smb.conf is created by UNRAID. Configuration of UNRAID is by its web pages so in theory users don’t get their hands dirty with .conf files. Although there is some scope to add extra SMB settings via the web page there’s no documentation I can find on this in the UNRAID documents.
I had seen the following warnings in the syslog as well “Jul 24 21:02:06 UNRAID01 winbindd[4248]:   idmap_hash_initialize: The idmap_hash module is deprecated and should not be used. Please migrate to a different plugin. This module will be removed in a future version of Samba”. But I am no expert on Samba and took this to mean this was deprecated – so although not good at least worked for now – so discounted this as the problem.
But given what you have said I have changed the config now to

    idmap config * : backend = tdb
    idmap config * : range = 1000-4000000000

via the “Extra SMB Settings” on UNRAID settings.
I then restarted the UNRAID server (restarting just the Samba service did not seem to work). Now I can log onto the UNRAID share and see the mounts.
However now checking further it appears that all the access rights to all files and directories on the shares are now all messed up and will need correcting. 
But at least now I can log in. So thanks for your help.
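
Added example, not part of the original message and not UNRAID or Samba project code: a small Python check that reads the "idmap config" lines of an smb.conf and flags the deprecated hash backend discussed in this thread. The missing-range and overlapping-range checks go beyond what the message covers, and the function names and sample inputs are constructed for illustration (the AFTER sample uses the two lines quoted in the message).

```python
import re
from itertools import combinations

# Matches "idmap config DOMAIN : backend|range = value" (case-insensitive).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample inputs. BEFORE assumes the hash backend with the same
# range; AFTER holds the two lines quoted in the message.
BEFORE = """[global]
; constructed example, not the poster's real file
idmap config * : backend = hash
idmap config * : range = 1000-4000000000
"""
AFTER = """[global]
idmap config * : backend = tdb
idmap config * : range = 1000-4000000000
"""

def parse_idmap(text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, _, high = value.partition("-")
            value = (int(low), int(high))
        else:
            value = value.lower()
        domains.setdefault(domain, {})[key] = value
    return domains

def audit_idmap(text):
    """Return a list of findings about the idmap configuration."""
    cfg = parse_idmap(text)
    findings = [f"{d}: idmap_hash backend is deprecated" for d, c in cfg.items()
                if c.get("backend") == "hash"]
    findings += [f"{d}: backend set but no range" for d, c in cfg.items()
                 if "backend" in c and "range" not in c]
    ranged = [(d, c["range"]) for d, c in cfg.items() if "range" in c]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # inclusive ranges share at least one ID
            findings.append(f"{d1} and {d2}: ID ranges overlap")
    return findings
```

Calling audit_idmap() on the text of the generated smb.conf returns an empty list when none of these three conditions is present.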
