[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.

Rowland Penny rpenny at samba.org
Fri Jul 29 18:10:47 UTC 2022


On Wed, 2022-07-27 at 21:37 +0000, Geoff Bland via samba wrote:
> Thanks. I have set up Samba as you have detailed on Unraid and all
> now seems to be working. All existing access rights got messed up as
> expected and so I had to re-apply all those. With your advice and a
> lot of reading up on this - all seems good now. All details also
> posted as an issue on the Unraid bug report forum so hopefully it
> will now also be fixed at source.  Once again thanks for your help.

Just a slight update on this to try and explain how the 'rid' idmap
backend works.

All Domain users, groups and computers have a SID. The last part of the
'SID' is called the 'RID' and these are all unique and are set when the
object is created, and normal users etc. usually start at 1000 (though
this will be different depending on which DC they are created on).
You cannot rely on the RID to identify what the object is, '1000' could
be a user, '1001' could be a group, but, if that is the case, there
will never be a user with the RID '1001'. To put it another way, RIDs
are issued consecutively to the next object, no matter what it is.

Now you know how Windows issues IDs, how does Samba map them to Unix
users and groups?
This can be done by winbind and the 'rid' idmap backend (there are
other backends). If you do use the 'rid' idmap backend, it uses this
formula:

ID = RID + LOW_RANGE_ID

'ID' is the required Unix ID
'RID' is the Windows user or group ID
'LOW_RANGE_ID' is the number set in smb.conf (which is '10000' in the
example I supplied).
So, if the RID was '1000', the calculation would become:

ID = 1000 + 10000

So the 'ID' is '11000' and always will be, even on other Samba
fileservers, provided you use the same basic smb.conf.
    
Rowland




