[Samba] string_to_sid: SID @www is not in a valid format

Rowland Penny rpenny at samba.org
Fri Jan 10 10:14:41 UTC 2025


On Thu, 9 Jan 2025 16:55:27 -0600
E R via samba <samba at lists.samba.org> wrote:

> While reviewing a single problem report about one of my Samba servers I
> noticed these entries in the log files that are created by Samba.  I
> tend to think they are just informational and not a symptom of an
> issue in my setup which has not changed in many months.  But I found a
> few posts here over the years with a similar message but no
> conclusive info on what they may mean or if action is needed.  Do
> others with a similar setup as mine see these messages in your logs?
> (The @www in my case is for a group that I use to control access to a
> www server, but I have other groups that also appear in the logs.
> Your group name would be different.  I populate the Linux group with
> AD account names for those who should have access and Winbind does its
> magic.)
> 
> The documentation for smb.conf's "valid users" indicates that when you
> use the @ sign it is interpreted as NIS netgroup first and then as
> UNIX group.  I am thinking this log entry MIGHT mean that it did not
> find an NIS group?
> 
> Source Reference from Error:
> … ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)

It might help if you post the log fragment around that error.
However, the reference to line 216 means you are running an older
version of Samba.

> 
> Line 216 in the dom_sid.c file appears to have a function that checks
> to see if the SID isdigit and when it is not, it calls the
> format_error function.  In my case the group name is "www" so that
> would not be a digit like most SIDs are.
> 
> format_error:
>         DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr));
>         return false;
> 
> Share:
> [www]
>         comment = Samba share for www
>         create mask = 0664
>         directory mask = 0775
>         force user = www
>         path = /export/home/www/htdocs
>         read only = No
>         valid users = @www
>         write list = @www
> 

That is the 'old' way of doing things, you would be better off reading
this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Also, if the path means what it possibly could, i.e. you are sharing an
NFS mount, then I suggest you stop doing this; it really isn't a good
idea.

> Other tidbits:
> Security = ADS
> Backend is autorid
> Winbind used (sssd packages removed before installing Samba)
> 

Just posting the share isn't enough, it would help if we can see
'global' as well.

Rowland