[Samba] R: R: check_account: Failed to convert SID S-1-5-21-822543001-694776171-4236178688-132794 to a UID
rpenny at samba.org
Mon Feb 27 12:26:18 UTC 2023
On 27/02/2023 12:01, Corrado Ravinetto via samba wrote:
> Sorry Rowland, if I adopt this
>> default '*' range well above that, say '2000000-2002000'.
> What do you mean with:
>> You will still be unable to have any local Unix users (the ones in /etc/passwd), so you will have to enable root.
> And how can I enable root?

If you run Samba as a Unix domain member (security = ADS), then all AD
users are potential Unix users i.e. getent passwd ADusername will

You are using the 'ad' idmap backend, so this limits the Unix users to
the ones that you give a uidNumber attribute to. You have to also ensure
that the user's uidNumber attribute contains a unique number inside the
range set in smb.conf (in your case '500-999999') and that Domain Users
has a gidNumber attribute containing a number inside the same range.

Do you understand this so far?

Now, you normally cannot have any users in AD with the same name as a
user in /etc/passwd, but in your case, you cannot have any users in
/etc/passwd because Unix user IDs normally start at 1000 and go up to
65534. Your AD range '500-999999' contains the Unix range and ranges
cannot overlap. This means that if you have a local Unix user called
'user1' with the Unix ID '1000' and an AD user called 'user2' with the
uidNumber '1000', how do you tell which is which? Unix will see it as
'user1' and Samba will see it as 'user2'.

Now do you see why you cannot have local Unix users?

As for how to enable root, most distros now rely on sudo to gain root
privileges; this cannot happen if you do not have any local Unix users
(think major problem with AD), so you will have to enable root by giving
root a password (which might be easier said than done).
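
The overlap described in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Samba's code: it reads the `idmap config ... : range` lines from an smb.conf fragment and reports both overlapping idmap ranges and local /etc/passwd accounts whose UID falls inside one. The domain name `EXAMPLE` and the passwd entries are constructed; the two ranges are the ones quoted in the thread.

```python
import re

# Constructed smb.conf fragment: EXAMPLE is a placeholder domain name;
# the two ranges are the ones quoted in the thread.
SMB_CONF = """\
[global]
    security = ADS
    idmap config * : range = 2000000-2002000
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 500-999999
"""

# Constructed /etc/passwd lines (name:passwd:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000:Local user:/home/user1:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

RANGE_RE = re.compile(
    r"^[ \t]*idmap[ \t]+config[ \t]+(\S+)[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
    re.I | re.M)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def overlapping_domains(ranges):
    """Return pairs of domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def local_collisions(passwd_text, ranges):
    """Return (user, uid, domain) for local users whose UID lies in an idmap range."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed or non-numeric entries
        uid = int(fields[2])
        hits += [(fields[0], uid, d) for d, (lo, hi) in ranges.items() if lo <= uid <= hi]
    return hits

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print("overlapping idmap ranges:", overlapping_domains(r))
    for user, uid, dom in local_collisions(PASSWD, r):
        print(f"local user {user} (uid {uid}) is inside the idmap range for {dom}")
```
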