[Samba] NT_STATUS_NONE_MAPPED in winbind logs
mhbeyle at gmail.com
Tue Oct 4 13:05:56 UTC 2022
Rowland Penny rpenny at samba.org
Tue Oct 4 11:01:52 UTC 2022
> > Hi, samba users ...
> >
> > I have configured a samba installation (4.13) to act as a BDC in a
> > windows domain.
>
> Samba 4.13.x is EOL as far as Samba is concerned and due to the numerous
> CVE's and the upgrade to Heimdal, I suggest you upgrade to 4.16.x if
> possible.
> You do not have a BDC, that is something else entirely, you have an AD
> DC. You also didn't say what level the rest of the domain is.
Sorry for my bad explanation.
I am referring to a BDC (Backup domain controller). In the domain there
is already a PDC (Primary domain controller) working and what I want now
is to add a secondary domain controller.
>
> > Everything works correctly: the different users login to
> > the domain, access their files, permissions and roles are
> > configured, etc.
> >
> > However, when I access the /var/log/samba/ directory there is a file
> > called log.wb-[DOMAIN] with thousands of lines similar to the following:
> >
> > [2022/09/30 13:46:20.964639, 3]
> > ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
> > sam_name_to_sid
> > [2022/09/30 13:46:20.964646, 3]
> > ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
> > name_to_sid: [DOMAIN]\NOT for domain [DOMAIN].
> > [2022/09/30 13:46:20.964803, 2]
> > ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid) name_to_sid:
> > failed to lookup name: NT_STATUS_NONE_MAPPED
> > [2022/09/30 13:46:20.965021, 3]
> > ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp) string_to_sid:
> > SID is not in a valid format
> > [2022/09/30 13:46:26.187044, 3]
> > ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
> > sam_name_to_sid
> > [2022/09/30 13:46:26.187050, 3]
> > ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
> > name_to_sid: [DOMAIN]\ROOT for domain [DOMAIN].
> > [2022/09/30 13:46:26.187216, 2]
> > ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid) name_to_sid:
> > failed to lookup name: NT_STATUS_NONE_MAPPED
> > [2022/09/30 13:46:26.187321, 3]
> > ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp) string_to_sid:
> > SID is not in a valid format
>
> They appear to be Unix users and as such will not have a SID, but 'root'
> should be mapped to 'Administrator' in idmap.ldb
I have no idea what these lines mean and how I can find out which UNIX
users do not have SIDs and are causing this error.
The log lines often refer to shared directories.
What is "SID is not in a valid format" and "failed to lookup name"?
I attach more logs here ...
[2022/09/30 14:24:36.536435, 2]
../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 14:24:36.536685, 3]
../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
string_to_sid: SID is not in a valid format
[2022/09/30 14:24:36.536696, 3]
../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
sam_name_to_sid
[2022/09/30 14:24:36.536703, 3]
../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
name_to_sid: [DOMAIN]\[DIRECTORY
NAME]|/HOME/SAMBA/SHARES/SDATA/[DIRECTORY NAME] for domain DOMMOSAN
[2022/09/30 14:24:36.536863, 2]
../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 14:24:36.537081, 3]
../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
string_to_sid: SID is not in a valid format
[2022/09/30 14:24:36.537092, 3]
../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
sam_name_to_sid
[2022/09/30 14:24:36.537099, 3]
../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
name_to_sid: [DOMAIN]\[DIRECTORY NAME] for domain DOMMOSAN
[2022/09/30 14:24:36.537257, 2]
../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 14:24:36.537471, 3]
../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
string_to_sid: SID is not in a valid format
[2022/09/30 14:24:36.537482, 3]
../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
sam_name_to_sid
>
> >
> > [...]
> >
> > The file weighs more than 100MB and I would like to know if there is
> > someone who can guide me about these warnings, because this has never
> > happened to me in a samba configuration and I would not like to transfer
> > this to production with serious configuration errors.
> >
> > I paste below the [Global] configuration of smb.conf:
> >
> > [global]
> > workgroup = [domain]
> > realm = [DOMAIN].LOCAL
> > netbios name = machine03-dm
> > server string = machine03-dm BDC
> > server role = dc
> > server role check:inhibit = yes
> > server services = -dns
> > server signing = auto
> > dsdb:schema update allowed = yes
> > ldap server require strong auth = no
> > drs:max object sync = 1200
> >
> > idmap_ldb:use rfc2307 = yes
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> > template shell = /usr/bin/bash
> > template homedir = /home/%U
> >
> > rpc server dynamic port range = 49152-65535
> >
> > interfaces = lo,eth0,eth1
> > bind interfaces only = yes
> >
> > map to guest = Bad User
> >
> > log level = 3
> > log file = /var/log/samba/samba.log
> > max log size = 100000
> >
> > include = /etc/samba/shares.conf
> >
>
> Is Zentyal involved here ? I ask this because you have numerous lines
> that you do not need and have only seen in a Zentyal DC smb.conf before,
> 'server role check:inhibit = yes' being one of them. You would only need
> this if you wanted to run 'nmbd' on a DC and you should never run 'nmbd'
> on a DC.
>
> Rowland
In fact, I have configured the BDC server with Zentyal.
However, I have other identical servers that do not give this problem
with the logs.
As I said before, everything in the domain works correctly. The BDC
works fine if I disconnect the PDC: the users are able to login, access
the shared resources and so on.
------------------------------------------------------
MhBeyle __
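
One way to find out which names are behind the NT_STATUS_NONE_MAPPED entries asked about above, as an added example that is not part of the original post or of Samba's own tooling: it regroups the wrapped lines into log records and counts each name whose `name_to_sid` request is followed by a failed lookup. It assumes a request and its result appear in order in the same log.wb-[DOMAIN] file; the function names and the EXAMPLE/ALICE sample values are made up for illustration.

```python
import re
import sys
from collections import Counter
# Constructed sample in the thread's log layout; EXAMPLE and ALICE are placeholders.
SAMPLE_LOG = r"""[2022/09/30 13:46:20.964646,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\NOT for domain EXAMPLE
[2022/09/30 13:46:20.964803,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:21.100000,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ALICE for domain EXAMPLE
[2022/09/30 13:46:26.187050,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ROOT for domain EXAMPLE
[2022/09/30 13:46:26.187216,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:31.000000,  3]
../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
name_to_sid: EXAMPLE\ROOT for domain EXAMPLE
[2022/09/30 13:46:31.000200,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+,\s*\d+\]")
LOOKUP = re.compile(r"name_to_sid: (.+?) for domain ")
FAILED = "failed to lookup name: NT_STATUS_NONE_MAPPED"

def records(lines):  # one string per log record; a record starts at a "[date, level]" header
    current = []
    for line in lines:
        if HEADER.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line.strip())
    if current:
        yield " ".join(current)

def unmapped_names(lines):  # Counter of names whose lookup ended in NT_STATUS_NONE_MAPPED
    counts, pending = Counter(), None
    for rec in records(lines):
        m = LOOKUP.search(rec)
        if m:
            pending = m.group(1)       # remember the name being resolved
        elif FAILED in rec and pending:
            counts[pending] += 1       # the remembered name did not map to a SID
            pending = None
    return counts

if __name__ == "__main__":  # optional argument: path to the winbind log file
    src = open(sys.argv[1], errors="replace") if sys.argv[1:] else SAMPLE_LOG.splitlines()
    print("\n".join(f"{n:8d}  {name}" for name, n in unmapped_names(src).most_common()))
```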