[Samba] FW: Cannot access domain member from trusted domain user

Stephen Brandli steve at brandli.com
Mon Feb 17 03:09:45 UTC 2025


More: users on the BRANDLILAW domain can access the share, but it's incredibly slow.  In addition, smbd logs these errors repeatedly:

Feb 16 18:49:06 roberts smbd[136]:   check_account: Failed to convert SID S-1-5-21-2136821272-1111453333-1140905514-1601 to a UID (dom_user[BRANDLILAW\admin-fh$])
Feb 16 18:49:06 roberts smbd[136]: [2025/02/16 18:49:06.365450,  0] source3/auth/auth_util.c:1945(check_account)

admin-fh is a machine name, not a user name.

	Steve

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Stephen Brandli via samba
Sent: Sunday, February 16, 2025 4:18 PM
To: Stephen Brandli via samba <samba at lists.samba.org>
Subject: [Samba] Cannot access domain member from trusted domain user

I'm not able to access a samba file server that I recently created and joined to a domain.  I have two domains with an external trust: BRANDLILAW and BRANDLI.  The server is joined to BRANDLILAW.  I am trying to access it from a user on the BRANDLI domain.  This worked with the prior server that the new server is replacing.  All domain controllers and the server are Debian backports (21.3).  The user can access a Windows 10 machine also joined to the BRANDLILAW domain, and can also access a samba file server on the BRANDLI domain.  "samba-tool domain trust validate" works correctly in both directions.

How do I debug this?  I would appreciate any pointers.

Log entries include:

smbd:
Feb 16 16:02:50 roberts smbd[514]:   check_account: Failed to convert SID S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID (dom_user[BRANDLI\steve])
Feb 16 16:02:52 roberts smbd[514]: [2025/02/16 16:02:52.332273,  0] source3/auth/auth_util.c:1945(check_account)

winbind:
[2025/02/16 15:59:21.834790,  1, traceid=1674] source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103: NT_STATUS_NO_SUCH_DOMAIN
[2025/02/16 15:59:21.834852,  1, traceid=1674] source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
  wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN.
[2025/02/16 15:59:21.834875,  1, traceid=1674] source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc)
  Failed with NT_STATUS_NO_SUCH_DOMAIN.

I am also getting the error that secrets.ldb does not exist.  But the samba file server on the BRANDLI domain is getting those errors, and I can access that.

smb.conf:

[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM

log file = /var/log/samba/roberts.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLI:unix_nss_info = no
idmap config BRANDLI:unix_primary_group = yes

idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
idmap config BRANDLILAW:unix_nss_info = no
idmap config BRANDLILAW:unix_primary_group = yes

[Docs]
path = /home/shares/docs
writeable = yes
valid users = steve bj tabitha kim erin
force user = steve
force group = steve
force create mode = 770

The relevant passwd entry on the file server:
steve:x:1000:1000:,,,:/home/steve:/bin/bash

samba-tool user show steve:

dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve SAB. Brandli
sn: Brandli
givenName: Steve
initials: SAB.
instanceType: 4
whenCreated: 20201005011138.0Z
displayName: Steve Brandli
uSNCreated: 5433
name: Steve SAB. Brandli
objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 132970435361910940
primaryGroupID: 513
objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
accountExpires: 0
sAMAccountName: steve
sAMAccountType: 805306368
userPrincipalName: steve at domain.brandli.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
uidNumber: 1000
gidNumber: 1000
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=brandli,DC=com
whenChanged: 20250210010316.0Z
uSNChanged: 5640
lastLogonTimestamp: 133836229965179730
lastLogon: 133841460882236080
logonCount: 42
distinguishedName: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
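Before chasing the trust itself, it is worth confirming offline that the idmap configuration is internally consistent with what smbd and winbind logged. The script below is an added example written for this thread; it is not code from the original poster or from the Samba project. It parses the `idmap config` lines of a constructed smb.conf (copied from the post), the `check_account` failures from the smbd log, and the `objectSid`/`uidNumber` pair from the `samba-tool user show` output, then reports whether the ranges overlap, which idmap block winbind consults for each failing domain, and whether the uidNumber stored in AD falls inside that domain's range. The `needs_uidNumber` flag records a general property of `idmap_ad`: it only maps accounts that carry RFC2307 `uidNumber`/`gidNumber` attributes, which machine accounts such as `admin-fh$` normally lack. The finding keys and the `diagnose()` function name are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input (copied from the thread, not live data).
SMB_CONF = """
[global]
security = ads
workgroup = BRANDLILAW
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
"""
SMBD_LOG = [
    r"Feb 16 16:02:50 roberts smbd[514]:   check_account: Failed to convert SID "
    r"S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID (dom_user[BRANDLI\steve])",
    r"Feb 16 18:49:06 roberts smbd[136]:   check_account: Failed to convert SID "
    r"S-1-5-21-2136821272-1111453333-1140905514-1601 to a UID (dom_user[BRANDLILAW\admin-fh$])",
    "Feb 16 18:49:06 roberts smbd[136]: [2025/02/16 18:49:06.365450,  0] "
    "source3/auth/auth_util.c:1945(check_account)",
]
SAMBA_TOOL_USER_SHOW = """
objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
sAMAccountName: steve
uidNumber: 1000
gidNumber: 1000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$", re.I)
CHECK_ACCOUNT_RE = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-5-21(?:-\d+){4}) to a UID "
    r"\(dom_user\[(?P<dom>[^\\\]]+)\\(?P<user>[^\]]+)\]\)")


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}}; '*' is the default (tdb) block."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value).groups())
    if lo > hi:
        raise ValueError(f"idmap range has low > high: {value}")
    return lo, hi


def find_overlaps(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges overlap; winbind requires disjoint ranges."""
    ranges = {d: parse_range(v["range"]) for d, v in cfg.items() if "range" in v}
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def parse_failures(lines: List[str]) -> List[Dict[str, object]]:
    """SID, domain SID, domain, account and machine-account flag per smbd failure."""
    out = []
    for line in lines:
        m = CHECK_ACCOUNT_RE.search(line)
        if m:
            out.append({"sid": m.group("sid"),
                        "domain_sid": m.group("sid").rsplit("-", 1)[0],
                        "domain": m.group("dom").upper(),
                        "account": m.group("user"),
                        "machine": m.group("user").endswith("$")})
    return out


def backend_for(cfg: Dict[str, Dict[str, str]], domain: str) -> Tuple[str, Dict[str, str]]:
    """The idmap block winbind consults for a domain: its own block, else '*'."""
    dom = domain.upper()
    return (dom, cfg[dom]) if dom in cfg else ("*", cfg["*"])


def parse_user_show(text: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) for m in
            (re.match(r"^(\w+):\s*(.+?)\s*$", ln) for ln in text.splitlines()) if m}


def diagnose(conf: str, log: List[str], user_show: str) -> List[Dict[str, object]]:
    """One finding per failed mapping, joined with the idmap block and AD uidNumber."""
    cfg, user = parse_idmap(conf), parse_user_show(user_show)
    findings = []
    for f in parse_failures(log):
        block, settings = backend_for(cfg, f["domain"])
        lo, hi = parse_range(settings["range"])
        uid = int(user["uidNumber"]) if user.get("objectSid") == f["sid"] and "uidNumber" in user else None
        findings.append({**f, "idmap_block": block, "backend": settings.get("backend"),
                         "range": (lo, hi),
                         # idmap_ad maps only accounts with RFC2307 uidNumber/gidNumber;
                         # machine accounts usually have neither.
                         "needs_uidNumber": settings.get("backend") == "ad",
                         "uidNumber": uid,
                         "uid_in_range": (lo <= uid <= hi) if uid is not None else None})
    return findings


if __name__ == "__main__":
    print("overlapping ranges:", find_overlaps(parse_idmap(SMB_CONF)))
    for finding in diagnose(SMB_CONF, SMBD_LOG, SAMBA_TOOL_USER_SHOW):
        print(finding)
```

On the posted configuration this reports no overlapping ranges, `BRANDLI\steve` handled by the `BRANDLI` block with backend `ad` and uidNumber 1000 inside 1000-1499, and `BRANDLILAW\admin-fh$` handled by the `BRANDLILAW` block with no uidNumber known. The live equivalents on the member server are `wbinfo -n 'BRANDLI\steve'`, `wbinfo -S <SID>` (sid-to-uid) and `wbinfo -m` to list the trusted domains winbind currently knows about.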