[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
rpenny at samba.org
Mon Jul 25 06:46:54 UTC 2022
On Sun, 2022-07-24 at 21:36 +0000, Geoff Bland via samba wrote:
> Firstly, thanks for the quick reply.
> > Is the UNRAID machine supposed to be joined to the domain ?
> Yes, it is meant to be joined to the domain - although I am not 100%
> what "joined" means in terms of UNRAID. I can see the server exists in
> the AD domain machines (and also DNS & DHCP obviously) and the
> account used to connect to the domain "unraid" is a valid AD user
> account with Domain Admin access.
> > If the machine is supposed to be joined to the domain, then that
> > smb.conf is quite possibly the worst one I have ever seen.
> Please bear in mind that there is more in the smb.conf file - I just
> extracted what I thought were the only relevant lines for this
> issue.
> > I take it that UNRAID creates the smb.conf and if they did, did
> > they not read 'man idmap_hash' ? If they did, they would have found
> > at the top: DO NOT USE THIS PLUGIN
> Yes, the smb.conf is created by UNRAID. Configuration of UNRAID is by
> its web pages so in theory users don’t get their hands dirty with
> .conf files. Although there is some scope to add extra SMB settings
> via the web page there’s no documentation I can find on this in the
> UNRAID documents.
> I had seen the following warnings in the syslog as well “Jul 24
> 21:02:06 UNRAID01 winbindd: idmap_hash_initialize: The
> idmap_hash module is deprecated and should not be used. Please
> migrate to a different plugin. This module will be removed in a
> future version of Samba”. But I am no expert on Samba and took this to
> mean this was deprecated – so although not good at least worked for
> now – so discounted this as the problem.
> But given what you have said I have changed the config now to
>     idmap config * : backend = tdb
>     idmap config * : range = 1000-4000000000
> via the “Extra SMB Settings” on UNRAID settings.
> I then restarted the UNRAID server (restarting just the Samba
> service did not seem to work). Now I can log onto the UNRAID share
> and see the mounts.
> However now checking further it appears that all the access rights to
> all files and directories on the shares are now all messed up and
> will need correcting.
> But at least now I can log in. So thanks for your help.
The idmap 'hash' backend was deprecated 5 years ago and shouldn't be
You need 'idmap config' lines for the 'SHORTDOMAINNAME' domain, I would
suggest using the idmap 'rid' backend.
If you can post the entire smb.conf, I will suggest alterations that
you can make, you could then pass these on to UNRAID.
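
An added example, not part of the original post and not Samba or UNRAID code: a small Python check for the problems raised above, namely an idmap backend of 'hash', a domain member with no 'idmap config' lines for its own domain, and overlapping idmap ranges. The sample smb.conf (security = ADS, the workgroup value and the realm) is constructed for illustration.

```python
import re

# Constructed sample resembling the situation in the thread (not UNRAID's real file).
SAMPLE = """\
[global]
   security = ADS
   workgroup = SHORTDOMAINNAME
   realm = EXAMPLE.LAN
   idmap config * : backend = hash
   idmap config * : range = 1000-4000000000
"""

IDMAP = re.compile(r"idmap\s+config\s+(\S+)\s*:\s*(backend|range)$", re.I)

def parse_global(text):
    """Return (plain [global] parameters, idmap settings keyed by domain)."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = IDMAP.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[" ".join(key.lower().split())] = value
    return params, idmap

def audit(text):
    """List idmap problems of the kind discussed in the thread."""
    params, idmap = parse_global(text)
    findings = []
    for dom, cfg in idmap.items():
        if cfg.get("backend", "").lower() == "hash":
            findings.append(f"{dom}: deprecated idmap backend 'hash'")
    wg = params.get("workgroup", "").upper()
    if params.get("security", "").lower() == "ads" and wg and "backend" not in idmap.get(wg, {}):
        findings.append(f"{wg}: no 'idmap config {wg} : backend' line for the joined domain")
    ranges = sorted((tuple(int(n) for n in c["range"].split("-")), d) for d, c in idmap.items() if "range" in c)
    for (a, da), (b, db) in zip(ranges, ranges[1:]):
        if b[0] <= a[1]:  # next range starts inside the previous one
            findings.append(f"{da}/{db}: idmap ranges overlap")
    return findings
```

Calling `audit(SAMPLE)` reports the 'hash' backend and the missing per-domain lines; a file that uses 'tdb' for `*` and 'rid' for the domain with non-overlapping ranges returns an empty list.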