I have samba-4.6.2-12.el7_4.x86_64 which is connected to Windows Active
Directory Server.
I configured samba with AD as below:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
prefered master = No
server string = servername
security = ADS
encrypt passwords = Yes
log file = /var/log/samba/%I
max log size = 50
interfaces = bond0 lo
bind interfaces only = Yes
hosts allow = 10.32.0.0/16
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind separator = +
#winbind nss info = rfc2307
winbind trusted domains only = no
winbind : ignore domains = FAKEDOMAIN
template shell = /bin/falsen
template homedir = /mnt/sambahomedir/%D/%U
wide links = Yes
follow symlinks = Yes
unix extensions = No
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config MYDOMAIN : unix_nss_info = No
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 1000000-2000000
server signing = auto
client signing = auto
###############
When I use command wbinfo -u
I can see a list of all users in AD domain
MYDOMAIN+user1
MYDOMAIN+user2
When I execute
wbinfo -n user1 or
wbinfo -n DOMAIN+user
I get:
S-1-5-21-... SID_USER (1)
but when I execute
wbinfo -S SID
I get:
Could not convert sid S-1-5-21-... to uid
moreover when I try to chown the directory
chown "DOMAIN+user1" directory_path
I get:
chown: invalid user: 'DOMAIN+user1’
In the respective configuration in samba-4.4.4-12.el7_3.x86_64
everything goes OK, but the configuration is without the whole idmap config section.
It's old-fashioned style.
I do not know, maybe "backend = ad" is the problem with this
configuration.
But when I move the configuration from the samba 4.4.4-12 server the problem
still exists.

On Mon, 5 Mar 2018 16:29:43 +0100
Marcin Kruk via samba <samba at lists.samba.org> wrote:

> I have samba-4.6.2-12.el7_4.x86_64 which is connected to Windows
> Active Directory Server.
>
> When I use command wbinfo -u
> I can see a list of all users in AD domain
> MYDOMAIN+user1
> MYDOMAIN+user2

At least this shows that winbind knows your AD users.

> When I execute
> wbinfo -n user1 or
> wbinfo -n DOMAIN+user
> I get:
> S-1-5-21-... SID_USER (1)
>
> but when I execute
> wbinfo -S SID
> I get:
> Could not convert sid S-1-5-21-... to uid
>
> moreover when I try to chown the directory
> chown "DOMAIN+user1" directory_path
> I get:
> chown: invalid user: 'DOMAIN+user1’

Here we go with 1001th time of saying this ;-)

Just because wbinfo shows your users & groups, doesn't mean your OS knows who they are.

> In the respective configuration in samba-4.4.4-12.el7_3.x86_64
> everything goes OK, but the configuration is without the whole idmap config
> section. It's old-fashioned style.
> I do not know, maybe "backend = ad" is the problem with this
> configuration. But when I move the configuration from the samba 4.4.4-12
> server the problem still exists.

It probably is the 'ad' backend, do your users have a 'uidNumber' attribute in AD and does 'Domain Users' have a 'gidNumber' attribute? These numbers will need to be inside the '1000000-2000000' range you have set in smb.conf.

Rowland
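
The check described in the reply above, as an added example that is not part of the original thread: it reads the domain's idmap range from smb.conf text and classifies an account's uidNumber as ok, missing or out-of-range. The function names, the LDIF records and their uidNumber values are constructed for illustration; only the ranges come from the posted configuration.

```shell
#!/bin/sh
# Constructed smb.conf fragment using the ranges quoted in the thread.
SMB_CONF='idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 1000000-2000000'

# Constructed LDIF records, shaped like an LDAP query result for each account.
LDIF_OK='dn: CN=user1,CN=Users,DC=mydomain,DC=com
uidNumber: 1000500'
LDIF_LOW='dn: CN=user2,CN=Users,DC=mydomain,DC=com
uidNumber: 10001'
LDIF_NONE='dn: CN=user3,CN=Users,DC=mydomain,DC=com'

# Print "LOW HIGH" for a domain's idmap range ($1 = smb.conf text, $2 = domain).
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        /^[ \t]*[#;]/ { next }                 # skip commented-out settings
        {
            split($0, kv, "=")
            key = kv[1]
            gsub(/[ \t]+/, " ", key)           # collapse whitespace runs
            gsub(/ ?: ?/, ":", key)            # accept "DOM : range" and "DOM:range"
            sub(/^ /, "", key); sub(/ $/, "", key)
            if (key == "idmap config " dom ":range") {
                val = kv[2]; gsub(/[ \t]/, "", val)
                split(val, r, "-"); print r[1], r[2]
            }
        }'
}

# Classify an LDIF attribute against a range: ok | missing | out-of-range.
# $1 = LDIF text, $2 = attribute name, $3 = low, $4 = high
check_id() {
    val=$(printf '%s\n' "$1" | awk -F': ' -v a="$2" '$1 == a { print $2; exit }')
    if [ -z "$val" ]; then echo missing          # the ad backend has nothing to map
    elif [ "$val" -ge "$3" ] && [ "$val" -le "$4" ]; then echo ok
    else echo out-of-range                       # attribute set, but outside the range
    fi
}

range=$(idmap_range "$SMB_CONF" MYDOMAIN)
low=${range% *}; high=${range#* }
for ldif in "$LDIF_OK" "$LDIF_LOW" "$LDIF_NONE"; do
    echo "uidNumber: $(check_id "$ldif" uidNumber "$low" "$high")"
done
```

Both the missing and the out-of-range cases leave the account without a Unix ID under the 'ad' backend, which matches the "Could not convert sid ... to uid" and "invalid user" symptoms in the original post.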

I do not know if there is a uidNumber in Active Directory, I am not an administrator of Microsoft AD. So you claimed that I need to add the extra parameters uidNumber and gidNumber to the MS Active Directory user, and add an extra value to each of them? I think that it will be impossible and too much extra work. I need similar functionality to what it was in the previous version. So maybe I should change the backend parameter (tdb/ad/rid/autorid/ldap/nss)?

2018-03-05 16:53 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> It probably is the 'ad' backend, do your users have a 'uidNumber'
> attribute in AD and does 'Domain Users' have a 'gidNumber' attribute ?
> These numbers will need to be inside the '1000000-2000000' range you
> have set in smb.conf.
>
> Rowland