[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
Rowland Penny
rpenny at samba.org
Mon Jul 25 18:23:20 UTC 2022
On Mon, 2022-07-25 at 15:46 +0000, Geoff Bland via samba wrote:
> Thanks for the offer to check out the Unraid SMB configuration files.
> As requested, any values in <>s have been replaced with tokens rather
> than the real values.
> Contents of /etc/samba/smb.conf (it is indented like that in the
> file)
> [global]
>     # configurable identification
>     include = /etc/samba/smb-names.conf
>     # log stuff only to syslog
>     logging = syslog@0
>     # we don't do printers
>     show add printer wizard = No
>     disable spoolss = Yes
>     load printers = No
>     printing = bsd
>     printcap name = /dev/null
>     # disable aio by default
>     aio read size = 0
>     aio write size = 0
>     # misc.
>     invalid users = root
>     unix extensions = No
>     wide links = Yes
>     use sendfile = Yes
>     # ease upgrades from Samba 3.6
>     acl allow execute always = Yes
>     # permit NTLMv1 authentication
>     ntlm auth = Yes
>     # hook for user-defined samba config
>     include = /boot/config/smb-extra.conf
>     # auto-configured shares
>     include = /etc/samba/smb-shares.conf
> Contents of /etc/samba/smb-names.conf
> # Generated names
> netbios name = <UNRAIDHOSTNAME>
> server string = <Unraid Server Description>
> hide dot files = no
> server multi channel support = no
> multicast dns register = No
> disable netbios = No
> server min protocol = NT1
> local master = yes
> os level = 100
> security = ADS
> workgroup = <SHORTDOMAINNAME>
> realm = <FQDOMAINNAME>
> null passwords = Yes
> idmap config * : backend = hash
> idmap config * : range = 10000-4000000000
> winbind use default domain = Yes
> ldap ssl = No
> nt acl support = Yes
> acl map full control = Yes
> acl group control = Yes
> inherit acls = Yes
> inherit permissions = Yes
> map acl inherit = Yes
> dos filemode = Yes
> store dos attributes = Yes
> map archive = No
> map hidden = No
> map system = No
> map readonly = No
> Contents of /boot/config/smb-extra.conf (looks like any "extra
> configuration" from the Unraid Settings page just gets dumped in
> here, you can see the lines I added here):
> [global]
> idmap config * : backend = tdb
> idmap config * : range = 1000-4000000000
> #unassigned_devices_start
> #Unassigned devices share includes
> include = /tmp/unassigned.devices/smb-settings.conf
> #unassigned_devices_end
> The file /tmp/unassigned.devices/smb-settings.conf is empty.
>
> Contents of /etc/samba/smb-shares.conf is just a list of Unraid
> shares that are exposed over SMB, for example;
> [LanCache]
>     path = /mnt/user/LanCache
>     comment = Cache for downloads from Steam, Origin, Epic, Frontier, Microsoft etc.
>     browseable = yes
>     case sensitive = auto
>     preserve case = yes
>     short preserve case = yes
>     writeable = yes
> [MySQL]
>     path = /mnt/user/MySQL
>     comment = MySQL Database Backups
>     browseable = yes
>     case sensitive = auto
>     preserve case = yes
>     short preserve case = yes
>     writeable = yes
> etc...
There are a lot of default settings and a few that I wouldn't set, but
nothing really drastic. However, the 'idmap config' lines are another thing.
The '*' is the default domain and is meant for the BUILTIN users &
groups and anything outside the main 'DOMAIN'.
The 'idmap config' lines are set like this:
First is this line:
include = /etc/samba/smb-names.conf
Which contains these lines:
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
Lower down is this:
include = /boot/config/smb-extra.conf
Which contains these lines:
idmap config * : backend = tdb
idmap config * : range = 1000-4000000000
The latter will be used because the last version of a parameter wins.
The problem is that there are no 'DOMAIN' idmap config lines; I would
expect something like these:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config <SHORTDOMAINNAME> : backend = rid
idmap config <SHORTDOMAINNAME> : range = 10000-4000000000
The other problem is that there is no way to get the IDs that you
started with.
Rowland