Jan Gregor
2021-Dec-10 15:56 UTC
[Samba] check_account: Failed to convert SID messages in a log
Hello,

after installation of a security update in Debian buster (samba 4.9.5) I see in a log file messages like

smbd[13923]: check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1143 to a UID (dom_user[INTERSTAT\is48$])

The messages are logged on a domain member that acts as a file server in AD. The SID belongs to a client computer that connects to the file server; it seems like samba wants a uidNumber also for the SID of domain computers. Of course uidNumber is set up for all domain users.

Content of smb.conf on the domain member is ...

[global]
netbios name = SRV2
realm = AD.INTERSTAT.CZ
server role = member server
workgroup = INTERSTAT
idmap_ldb:use rfc2307 = yes

username map = /etc/samba/user.map

printing = CUPS
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64

security = ADS

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config INTERSTAT:backend = ad
idmap config INTERSTAT:schema_mode = rfc2307
idmap config INTERSTAT:range = 10000-999999
idmap config INTERSTAT:unix_nss_info = yes

map acl inherit = yes
store dos attributes = yes

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

acl allow execute always = yes

# minimum uid that can be mapped to a domain user, should be 0 to map domain administrator
min domain uid = 0

Best regards,
Jan
Rowland Penny
2021-Dec-10 16:17 UTC
[Samba] check_account: Failed to convert SID messages in a log
On Fri, 2021-12-10 at 16:56 +0100, Jan Gregor via samba wrote:
> Hello,
> after installation of security update in debian buster (samba 4.9.5) I
> see in a log file messages like
>
> smbd[13923]: check_account: Failed to convert SID
> S-1-5-21-654011520-1046832706-1751360447-1143 to a UID
> (dom_user[INTERSTAT\is48$])
>
> The messages are logged in domain member that acts as a file server in AD.
> SID belongs to client computer that connects to the file server, it seems
> like samba wants uidNumber also for SID of domain computers. Of course
> uidNumber are setup for all domain users.

It is just telling you that it cannot convert a computer SID to a UID, probably because the computer does not have a uidNumber attribute. A computer object is very similar to a user object, mainly one more objectclass (objectclass: computer) and the primaryGroupID is '515' instead of '513'.

>
> Content of smbd.conf in domain member is ...
>
> [global]
> netbios name = SRV2
> realm = AD.INTERSTAT.CZ
> server role = member server
> workgroup = INTERSTAT
> idmap_ldb:use rfc2307 = yes

You only use that line on a DC.

>
> username map = /etc/samba/user.map
>
> printing = CUPS
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> spoolss: architecture = Windows x64
>
> security = ADS
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config INTERSTAT:backend = ad
> idmap config INTERSTAT:schema_mode = rfc2307
> idmap config INTERSTAT:range = 10000-999999
> idmap config INTERSTAT:unix_nss_info = yes
>
> map acl inherit = yes
> store dos attributes = yes
>
>
> winbind enum users = yes
> winbind enum groups = yes

I would turn those lines off, they really only slow things down.

> winbind use default domain = yes
>
> acl allow execute always = yes
>
> #minimum uid that can be mapped to domain user, should be 0 to map
> domain administrator
> min domain uid = 0

You do not seem to have 'vfs objects = acl_xattr' set.

Rowland
Andrew Bartlett
2021-Dec-10 17:53 UTC
[Samba] check_account: Failed to convert SID messages in a log
On Fri, 2021-12-10 at 16:56 +0100, Jan Gregor via samba wrote:
> Hello,
> after installation of security update in debian buster (samba 4.9.5) I
> see in a log file messages like
>
> smbd[13923]: check_account: Failed to convert SID
> S-1-5-21-654011520-1046832706-1751360447-1143 to a UID
> (dom_user[INTERSTAT\is48$])
>
> The messages are logged in domain member that acts as a file server in AD.
> SID belongs to client computer that connects to the file server, it seems
> like samba wants uidNumber also for SID of domain computers. Of course
> uidNumber are setup for all domain users.

Computers, particularly those running virus scanners, need to access file servers.

The security update changed the name resolution order, and if you were not running nss_winbindd previously or did not have a valid ID mapping for these computer accounts (needed for nss_winbind to provide an entry for the computer) then the errors would have changed from a 'no such user' to this.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
L.P.H. van Belle
2021-Dec-15 12:21 UTC
[Samba] check_account: Failed to convert SID messages in a log
Hai,

A few days ago I upgraded my main file server to 4.15.3 and got flooded with these messages, "Failed to convert SID" on computer accounts, which made my monitoring server get overloaded.

Now, everything still works, I tested that, but I see so many messages I had to revert the update, so for now this server is back to 4.14.10.

And yes, I have nss_winbind running due to the NFS I use.

I've looked at https://bugzilla.samba.org/show_bug.cgi?id=14901 and https://bugzilla.samba.org/show_bug.cgi?id=14922

Tried the perl script, that didn't work.

It's more cosmetic, this one, but the amount of log messages I get is just too much. (over 100k messages in hours) This also causes high CPU load on the server. So I'm wondering what's the best action here.

> The security update changed the name resolution order,
> and if you were not running nss_winbindd previously or did not have a
> valid ID mapping for these computer accounts (needed for
> nss_winbind to provide an entry for the computer)
> then the errors would have changed from a 'no such user' to this.

I see this only in 4.15.3 and not in 4.14.10, is this correct?

Looked at some workarounds but I can't see what's the best action currently.

And sorry, my head is not working with me, stuff happened here..

So far,

Greetz,

Louis
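The thread leaves the admin with two practical questions: which accounts are actually failing to map (Rowland's and Andrew's point that these are computer objects without a uidNumber), and how big the flood is (Louis's monitoring overload). The POSIX shell functions below are an added example, not code from the thread or from the Samba project. They parse the exact message format quoted in the thread out of an smbd log, group the failures by SID and account, and separate machine accounts (names ending in `$`) from user accounts. The sample log lines are constructed for the example; the first reuses the SID and account name quoted above, the other SIDs and names (`pc07$`, `svc_backup`, the non-matching line) are made up.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): triage "check_account: Failed to
# convert SID" messages from an smbd log. Constructed sample log lines; only the
# first SID/account pair comes from the thread, the rest are invented.
SAMPLE_LOG='Dec 10 15:40:01 srv2 smbd[13923]: check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1143 to a UID (dom_user[INTERSTAT\is48$])
Dec 10 15:40:07 srv2 smbd[13923]: check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1143 to a UID (dom_user[INTERSTAT\is48$])
Dec 10 15:41:12 srv2 smbd[13960]: check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1201 to a UID (dom_user[INTERSTAT\pc07$])
Dec 10 15:41:13 srv2 smbd[13961]: (constructed unrelated line, must be ignored by the parser)
Dec 10 15:42:00 srv2 smbd[13962]: check_account: Failed to convert SID S-1-5-21-654011520-1046832706-1751360447-1337 to a UID (dom_user[INTERSTAT\svc_backup])'

# Read log lines on stdin; print "count SID account" for each distinct failed
# mapping, most frequent first. Only the quoted message format is matched.
failed_sid_accounts() {
    sed -n 's/.*Failed to convert SID \(S-[0-9][0-9-]*\) to a UID (dom_user\[\([^]]*\)]).*/\1 \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# Machine accounts in AD end in "$"; those are the computer objects Rowland and
# Andrew describe, which carry no uidNumber unless you add one.
is_computer_account() {
    case "$1" in
        *\$) return 0 ;;
        *)   return 1 ;;
    esac
}

# Same as failed_sid_accounts, restricted to machine accounts.
failed_computer_accounts() {
    failed_sid_accounts | while read -r count sid account; do
        if is_computer_account "$account"; then
            printf '%s %s %s\n' "$count" "$sid" "$account"
        fi
    done
}

# Total number of failure lines on stdin: the volume a log monitor is absorbing.
failure_count() {
    grep -c 'Failed to convert SID' || true
}

# Usage with the constructed sample; on a real server pipe in the smbd log instead.
echo "all failing accounts (count SID account):"
printf '%s\n' "$SAMPLE_LOG" | failed_sid_accounts
echo "failing computer accounts only:"
printf '%s\n' "$SAMPLE_LOG" | failed_computer_accounts
echo "failure lines total: $(printf '%s\n' "$SAMPLE_LOG" | failure_count)"
```

The split matters for the decision the thread is circling: entries ending in `$` are the computer accounts that the changed name resolution order now sends through winbind, while a non-`$` entry in the same list is a user whose uidNumber is genuinely missing from the mapping range and should be fixed regardless of the cosmetic flood.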