[Samba] NT_STATUS_NONE_MAPPED in winbind logs

mhbeyle at gmail.com mhbeyle at gmail.com
Tue Oct 4 16:02:57 UTC 2022


Rowland Penny rpenny at samba.org
Tue Oct 4 14:53:53 UTC 2022
> On 04/10/2022 14:05, mhbeyle at gmail.com wrote:
> > Rowland Penny rpenny at samba.org
> > Tue Oct 4 11:01:52 UTC 2022
> >
> >> > Hi, samba users ...
> >> >
> >> > I have configured a samba installation (4.13) to act as a BDC in a
> >> > windows domain.
> >>
> >> Samba 4.13.x is EOL as far as Samba is concerned and due to the numerous
> >> CVE's and the upgrade to Heimdal, I suggest you upgrade to 4.16.x if
> >> possible.
> >> You do not have a BDC, that is something else entirely, you have an AD
> >> DC. You also didn't say what level the rest of the domain is.
> >
> > Sorry for my bad explanation.
> > I am referring to a BDC (Backup domain controller). In the domain there
> > is already a PDC (Primary domain controller) working and what I want now
> > is to add a secondary domain controller.
> >
> >> > Everything works correctly: the different users login to
> >> > the domain, access their files, permissions and roles are
> >> > configured, etc.
> >> >
> >> > However, when I access the /var/log/samba/ directory there is a file
> >> > called log.wb-[DOMAIN] with thousands of lines similar to the
> >> > following:
> >> >
> >> > [2022/09/30 13:46:20.964639, 3]
> >> > ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
> >> > sam_name_to_sid
> >> > [2022/09/30 13:46:20.964646, 3]
> >> > ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
> >> > name_to_sid: [DOMAIN]\NOT for domain [DOMAIN].
> >> > [2022/09/30 13:46:20.964803, 2]
> >> > ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
> >> > name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> >> > [2022/09/30 13:46:20.965021, 3]
> >> > ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
> >> > string_to_sid: SID is not in a valid format
> >> > [2022/09/30 13:46:26.187044, 3]
> >> > ../../source3/winbindd/winbindd_samr.c:597(sam_name_to_sid)
> >> > sam_name_to_sid
> >> > [2022/09/30 13:46:26.187050, 3]
> >> > ../../source3/winbindd/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
> >> > name_to_sid: [DOMAIN]\ROOT for domain [DOMAIN].
> >> > [2022/09/30 13:46:26.187216, 2]
> >> > ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
> >> > name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> >> > [2022/09/30 13:46:26.187321, 3]
> >> > ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
> >> > string_to_sid: SID is not in a valid format
> >>
> >> They appear to be Unix users and as such will not have a SID, but 'root'
> >> should be mapped to 'Administrator' in idmap.ldb
> >
> > I have no idea what these lines mean and how I can find out which UNIX
> > users do not have SIDs and are causing this error.
> > The log lines often refer to shared directories.
> >
> > What is "SID is not in a valid format" and "failed to lookup name"?
>
> No Unix user (those in /etc/passwd) will have a SID, only Windows or
> Samba users will have a SID.
So what is the problem reflected in these logs?

> >> Is Zentyal involved here? I ask this because you have numerous lines
> >> that you do not need and have only seen in a Zentyal DC smb.conf before,
> >> 'server role check:inhibit = yes' being one of them. You would only need
> >> this if you wanted to run 'nmbd' on a DC and you should never run 'nmbd'
> >> on a DC.
> >>
> >> Rowland
> >
> > In fact, I have configured the BDC server with Zentyal.
>
> I will say this again, but louder, THIS IS NOT A BDC!
>
> It is just another AD DC and all AD DC's are equal except for the FSMO
> roles and they can be on any AD DC.
>
> > However, I have other identical servers that do not give this problem
> > with the logs.
>
> If you have other identical DC's that do not have this problem, then I
> suggest you compare a known 'good' one with your 'bad' one, it is
> possible there is a difference.
>
> > As I said before, everything in the domain works correctly. The BDC
> > works fine if I disconnect the PDC: the users are able to login, access
> > the shared resources and so on.
>
> Will you please stop using terms that refer to NT4-style domains, they
> could confuse someone searching for a similar problem in the future. You
> may think this is being petty, but it does matter.
>
> You still haven't told us what version the Windows DC's are running.
>
> Rowland
Forgive my lack of knowledge. From now on I will use the term AD DC. I 
am not used to writing on this list and there are terms that I confuse easily.

The domain topology that is set up consists of an old server with samba 
(4.3.4) to which another server with samba (4.13) has been added. Role 
transfer has been done between the old server and the new server with 
the ultimate goal of shutting down the old server. The only difference 
between the old server and the new server is the samba version and it 
may have been possible to make a mistake when transferring the different 
roles, I don't know. Is there any way to compare configurations? 
Everything works correctly except for those warnings in the log file.

Sorry again for misusing different terms. When I refer to "windows 
domain", I mean a domain with "Active Directory" where computers with 
different versions of windows (W7, W10, etc.) are connected. There is no 
Microsoft Windows DC in the domain. Only DCs with samba are running in 
the domain.

Thanks for everything.

------------------------------------------------------
MhBeyle
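
The thread asks which names are behind the NT_STATUS_NONE_MAPPED entries; the sketch below, an added example that is not part of the original message and not Samba code, pairs each `rpc_name_to_sid` lookup line with the failure line that follows it and counts the names. It assumes winbindd's on-disk layout (header line, then an indented message), log level 3 or higher, and that entries in a per-domain log are sequential; `EXAMPLE` is a placeholder domain and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample; NOT and ROOT are the names quoted in the thread.
SAMPLE_LOG = r"""
[2022/09/30 13:46:20.964646,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\NOT for domain EXAMPLE.
[2022/09/30 13:46:20.964803,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2022/09/30 13:46:20.965021,  3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
  string_to_sid: SID is not in a valid format
[2022/09/30 13:46:26.187050,  3] ../../source3/winbindd/winbindd_rpc.c:281(rpc_name_to_sid)
  name_to_sid: EXAMPLE\ROOT for domain EXAMPLE.
[2022/09/30 13:46:26.187216,  2] ../../source3/winbindd/winbindd_rpc.c:300(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
"""

HEADER = re.compile(r"^\[[^\]]+\]\s+\S+\((\w+)\)")   # [timestamp, level] file:line(function)
LOOKUP = re.compile(r"name_to_sid: (.+) for domain ")
FAILED = re.compile(r"failed to lookup name: (NT_STATUS_\w+)")

def entries(text):
    """Yield (function, message) per log entry; continuation lines are joined."""
    func, msg = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if func is not None:
                yield func, " ".join(msg)
            func, msg = m.group(1), []
        elif func is not None and line.strip():
            msg.append(line.strip())
    if func is not None:
        yield func, " ".join(msg)

def failed_lookups(text):
    """Count (name, status) for lookups whose next rpc_name_to_sid entry is a failure."""
    counts, pending = Counter(), None
    for func, msg in entries(text):
        lookup, failed = LOOKUP.search(msg), FAILED.search(msg)
        if func == "rpc_name_to_sid" and lookup:
            pending = lookup.group(1)
        elif func == "rpc_name_to_sid" and failed and pending:
            counts[(pending, failed.group(1))] += 1
            pending = None
    return counts

if __name__ == "__main__":
    print(failed_lookups(SAMPLE_LOG).most_common())
```

Running the same function over a known 'good' DC's log and the noisy one gives two name lists that can be compared directly.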

