[Samba] NT_STATUS_NONE_MAPPED in winbind logs
Rowland Penny
rpenny at samba.org
Tue Oct 4 11:01:52 UTC 2022
On 04/10/2022 11:11, mhbeyle--- via samba wrote:
> Hi, samba users ...
>
> I have configured a samba installation (4.13) to act as a BDC in a
> windows domain.

Samba 4.13.x is EOL as far as Samba is concerned and due to the numerous
CVEs and the upgrade to Heimdal, I suggest you upgrade to 4.16.x if
possible.

You do not have a BDC, that is something else entirely, you have an AD
DC. You also didn't say what level the rest of the domain is.

> Everything works correctly: the different users login to
> the domain, access their files, permissions and roles are configured, etc.
>
> However, when I access the /var/log/samba/ directory there is a file
> called log.wb-[DOMAIN] with thousands of lines similar to the following:
>
> [2022/09/30 13:46:20.964639, 3]
> ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid) sam_name_to_sid
> [2022/09/30 13:46:20.964646, 3]
> ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
> name_to_sid: [DOMAIN]\NOT for domain [DOMAIN].
> [2022/09/30 13:46:20.964803, 2]
> ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid) name_to_sid:
> failed to lookup name: NT_STATUS_NONE_MAPPED
> [2022/09/30 13:46:20.965021, 3]
> ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp) string_to_sid:
> SID is not in a valid format
> [2022/09/30 13:46:26.187044, 3]
> ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid) sam_name_to_sid
> [2022/09/30 13:46:26.187050, 3]
> ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
> name_to_sid: [DOMAIN]\ROOT for domain [DOMAIN].
> [2022/09/30 13:46:26.187216, 2]
> ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid) name_to_sid:
> failed to lookup name: NT_STATUS_NONE_MAPPED
> [2022/09/30 13:46:26.187321, 3]
> ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp) string_to_sid:
> SID is not in a valid format

They appear to be Unix users and as such will not have a SID, but 'root'
should be mapped to 'Administrator' in idmap.ldb

>
> [...]
>
> The file weighs more than 100MB and I would like to know if there is
> someone who can guide me about these warnings, because this has never
> happened to me in a samba configuration and I would not like to transfer
> this to production with serious configuration errors.
>
> I paste below the [Global] configuration of smb.conf:
>
> [global]
> workgroup = [domain]
> realm = [DOMAIN].LOCAL
> netbios name = machine03-dm
> server string = machine03-dm BDC
> server role = dc
> server role check:inhibit = yes
> server services = -dns
> server signing = auto
> dsdb:schema update allowed = yes
> ldap server require strong auth = no
> drs:max object sync = 1200
>
> idmap_ldb:use rfc2307 = yes
>
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /usr/bin/bash
> template homedir = /home/%U
>
> rpc server dynamic port range = 49152-65535
>
> interfaces = lo,eth0,eth1
> bind interfaces only = yes
>
> map to guest = Bad User
>
> log level = 3
> log file = /var/log/samba/samba.log
> max log size = 100000
>
> include = /etc/samba/shares.conf
>

Is Zentyal involved here? I ask this because you have numerous lines
that you do not need and have only seen in a Zentyal DC smb.conf before,
'server role check:inhibit = yes' being one of them. You would only need
this if you wanted to run 'nmbd' on a DC and you should never run 'nmbd'
on a DC.

Rowland
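
Added example, not part of the original thread and not Samba project code: with a log.wb-[DOMAIN] file of the size described above, a short script can collapse the repeated name_to_sid failures into a count per looked-up name, which shows at a glance whether the names are Unix accounts such as the ROOT and NOT entries in the excerpt. The sample log is constructed from that excerpt with EXAMPLE as a placeholder domain; the function names are hypothetical, and the script assumes each failure entry directly follows the entry naming the lookup, so at log level 2, where only the failure lines are written, names are reported as "<unknown>".

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt quoted in the thread.
# EXAMPLE is a placeholder domain; the header-then-indented-message layout is assumed.
SAMPLE_LOG = r"""[2022/09/30 13:46:20.964646,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\NOT for domain EXAMPLE.
[2022/09/30 13:46:20.964803,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:26.187050,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ROOT for domain EXAMPLE.
[2022/09/30 13:46:26.187216,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:31.000001,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ROOT for domain EXAMPLE.
[2022/09/30 13:46:31.000150,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
"""

# "[date time, level]" prefix that starts every log entry.
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+\]", re.M)
# Entry naming the account being looked up (names may contain spaces).
LOOKUP = re.compile(r"name_to_sid: (.+?) for domain ")
# Entry reporting the failed lookup and its NT status code.
FAILED = re.compile(r"failed to lookup name: (NT_STATUS_\w+)")


def entries(text):
    """Yield one whitespace-normalised message per timestamped log entry."""
    for chunk in HEADER.split(text)[1:]:
        yield " ".join(chunk.split())


def failed_lookups(text):
    """Count failed name_to_sid lookups per (name, status) pair."""
    counts, pending = Counter(), None
    for msg in entries(text):
        looked_up, failed = LOOKUP.search(msg), FAILED.search(msg)
        if looked_up:
            pending = looked_up.group(1)  # remember the name for the next failure
        elif failed:
            counts[(pending or "<unknown>", failed.group(1))] += 1
            pending = None
    return counts


if __name__ == "__main__":
    for (name, status), n in failed_lookups(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {status}  {name}")
```

To run it on a real file, pass the file's contents to failed_lookups() in place of SAMPLE_LOG.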