[Samba] Failed to convert SID to a UID
Robert Marcano
robert at marcanoonline.com
Mon Jun 12 12:53:41 UTC 2023
On 6/12/23 2:55 AM, Rowland Penny via samba wrote:
>
>
> On 12/06/2023 07:04, Christian Naumer via samba wrote:
>> Am Samstag, dem 10.06.2023 um 20:57 +0100 schrieb Rowland Penny via
>> samba:
>>>
>>>
>>> On 10/06/2023 20:37, Christian Naumer via samba wrote:
>>>> That might be the right direction. The standard kerb5.conf on
>>>> rhel/rocky breaks samba. At
>>>> least for us. That is why we always replace it with a custom one.
>>>
>>> It might be an idea if we could see your definition of the standard
>>> krb5.conf. I ask this because I have set up a Unix domain member on both
>>> Rocky Linux 8 and 9 with my idea of the standard krb5.conf and they both
>>> worked.
>>
>>
>> In Rocky 8 we have this as standard which we usually replace:
>>
>> # To opt out of the system crypto-policies configuration of krb5,
>> remove the
>> # symlink at /etc/krb5.conf.d/crypto-policies which will not be
>> recreated.
>> includedir /etc/krb5.conf.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
>> spake_preauth_groups = edwards25519
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> # kdc = kerberos.example.com
>> # admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>
>> I think it does not like the "crypto-policies" file in the includedir.
>> But I am unsure. Maybe
>> this is different now but it used to be a Problem.
>>
>> Here is what we replace it with:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = EXAMPLEREALM.COM
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> Regards
>>
>> Christian
>>
>>
>
> I used this /etc/krb5.conf on a machine called 'rocky9'
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_kdc = false
> dns_lookup_realm = true
>
> [realms]
> SAMDOM.EXAMPLE.COM = {
> default_domain = samdom.example.com
> }
>
> [domain_realm]
> ROCKY9 = SAMDOM.EXAMPLE.COM
>
> I also did this:
>
> sudo rm /etc/krb5.conf.d/crypto-policies
>
> I ended up with a fully working Unix domain member using the 'rid' idmap
> backend.
>
> Rowland
>
There exist a way to setup crypto policies with support for old AD crypto.
RHEL 8 and derivative:
update-crypto-policies --set DEFAULT:AD-SUPPORT
RHEL 9 and derivative
update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
From: https://access.redhat.com/solutions/7004158
More information about the samba
mailing list