[Samba] R: R: check_account: Failed to convert SID S-1-5-21-822543001-694776171-4236178688-132794 to a UID

Rowland Penny rpenny at samba.org
Mon Feb 27 12:26:18 UTC 2023
On 27/02/2023 12:01, Corrado Ravinetto via samba wrote:
> Sorry Rowland, if I adopt this
>> default '*' range well above that, say '2000000-2002000'.
> What do you mean with :
>> You will still be unable to have any local Unix users (the ones in /etc/passwd), so you will have to enable root.
> And how can I enable root??
> 
>

If you run Samba as a Unix domain member (security = ADS), then all AD 
users are potential Unix users, i.e. getent passwd ADusername will 
produce output.

You are using the 'ad' idmap backend, so this limits the Unix users to 
the ones that you give a uidNumber attribute to. You have to also ensure 
that the user's uidNumber attribute contains a unique number inside the 
range set in smb.conf (in your case '500-999999') and that Domain Users 
has a gidNumber attribute containing a number inside the same range.

Do you understand this so far?

Now, you normally cannot have any users in AD with the same name as a 
user in /etc/passwd, but in your case, you cannot have any users in 
/etc/passwd because Unix user IDs normally start at 1000 and go up to 
65534. Your AD range '500-999999' contains the Unix range and ranges 
cannot overlap. This means that if you have a local Unix user called 
'user1' with the Unix ID '1000' and an AD user called 'user2' with the 
uidNumber '1000', how do you tell which is which? Unix will see it as 
'user1' and Samba will see it as 'user2'.

Now do you see why you cannot have local Unix users?

As for how to enable root, most distros now rely on sudo to gain root 
privileges; this cannot happen if you do not have any local Unix users 
(think major problem with AD), so you will have to enable root by giving 
root a password (which might be easier said than done).

Rowland
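As an added illustration of the checks described in the message above (this is not code from the thread or from Samba itself): a small Python script that, on constructed smb.conf, /etc/passwd and AD attribute data, flags local users whose uid falls inside an idmap range and AD accounts whose uidNumber is missing, outside the range or not unique. The domain name SAMDOM, the sample accounts and the Domain Users gidNumber are all assumptions.

```python
import re
from collections import Counter
# Constructed smb.conf fragment: the thread's '500-999999' ad range and a '*' range above it; SAMDOM assumed.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000000-2002000
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 500-999999
"""
# Constructed /etc/passwd lines; 'user1' with uid 1000 is the message's example.
PASSWD = """root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000:Local user:/home/user1:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
# Constructed AD attribute dump: (sAMAccountName, uidNumber); None = unset.
AD_USERS = [("user2", 1000), ("user3", 1000), ("user4", None), ("user5", 1500000)]
DOMAIN_USERS_GID = 1000
RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def idmap_ranges(conf):
    """Map each idmap domain ('*', 'SAMDOM', ...) to its (low, high) range."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(conf)}

def in_range(n, rng):
    return rng[0] <= n <= rng[1]

def local_collisions(passwd, ranges):
    """Local users whose uid sits inside an idmap range (the 'user1' vs 'user2' case)."""
    hits = []
    for line in filter(None, passwd.splitlines()):
        name, _, uid, *_ = line.split(":")
        hits += [(name, int(uid), dom) for dom, rng in ranges.items()
                 if in_range(int(uid), rng)]
    return hits

def ad_problems(users, dom_gid, rng):
    """uidNumbers that are unset, out of range or duplicated; Domain Users gid."""
    dup = {u for u, c in Counter(u for _, u in users if u is not None).items() if c > 1}
    out = []
    for name, uid in users:
        if uid is None:
            out.append((name, "no uidNumber, so not a Unix user"))
        elif not in_range(uid, rng):
            out.append((name, f"uidNumber {uid} outside {rng}"))
        elif uid in dup:
            out.append((name, f"uidNumber {uid} not unique"))
    if not in_range(dom_gid, rng):
        out.append(("Domain Users", f"gidNumber {dom_gid} outside {rng}"))
    return out
```

On a real host the same functions can be fed the contents of /etc/samba/smb.conf, /etc/passwd and the output of an LDAP query for uidNumber/gidNumber.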
