Rowland Penny
2021-Nov-07 14:22 UTC
[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID
On Sun, 2021-11-07 at 14:04 +0000, Gyrfalcon via samba wrote:
> On Sunday, November 7th, 2021 at 3:50 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Sun, 2021-11-07 at 04:31 +0000, Gyrfalcon via samba wrote:
> > > I recently added a second domain controller to my environment,
> > > running Samba 4.14.18 (Fedora 34). I have had a single domain
> > > controller running Samba 4.9.4 (Fedora 29) for a few years, and it
> > > has been working quite well.
> >
> > Are you using the standard Fedora Samba packages?
> > If so, are you aware that, because they use MIT kerberos, they are
> > marked as experimental?
>
> Yes. Do you think that's relevant? Kerberos works fine.

It might be relevant, numerous things are known to not work correctly. I would not use the Fedora packages in production.

You say this is being caused by a Unix domain member, so can we see the smb.conf from this?

Rowland
Gyrfalcon
2021-Nov-07 14:45 UTC
[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID
On Sunday, November 7th, 2021 at 8:22 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> You say this is being caused by a Unix domain member, so can we see the
> smb.conf from this?

It happens to all of my member servers. They are all configured the same though:

```
[global]
    workgroup = PYROCUFFLINK
    realm = PYROCUFFLINK.BLUE
    security = ads
    printing = bsd
    printcap name = /dev/null
    load printers = no
    guest account = nobody
    map to guest = Bad User
    template homedir = /home/%U
    template shell = /bin/bash
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1000999
    idmap config PYROCUFFLINK : backend = ad
    idmap config PYROCUFFLINK : range = 3000000-3009999
    idmap config PYROCUFFLINK : unix_nss_info = yes
    kerberos method = secrets and keytab
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind offline logon = yes
    winbind refresh tickets = no
    client ldap sasl wrapping = seal
    dns proxy = no
    domain master = no
    local master = no
    preferred master = no
    os level = 0
```

Using the `ad` idmap backend, so all the user and group accounts that need to log in to these machines have uidNumber/gidNumber attributes, including the Domain Users group.
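The posted smb.conf relies on two things being right for the `ad` backend to map accounts at all: the default `*` range and the `PYROCUFFLINK` range must not overlap, and every account that logs in must carry a uidNumber/gidNumber that falls inside the domain's range (winbind ignores rfc2307 IDs outside the configured range). The script below is an added example for this thread, not code from Samba or from either poster. It parses the `idmap config` lines of the configuration quoted above, flags overlapping or missing ranges, and then checks a constructed set of directory entries (the names and ID values are assumptions, not the poster's real objects) for the two ways an entry ends up unmappable. It is a check of the ID layout, not a diagnosis of the NT_STATUS_INVALID_SID error itself.

```python
"""Sanity-check the idmap section of a Samba domain member's smb.conf.

Added example for this thread, not code from Samba or from the poster.
It parses the 'idmap config <domain> : <key> = <value>' lines, checks
that the per-domain ranges do not overlap, and then checks constructed
AD entries (assumed uidNumber/gidNumber values, not real directory
data) against the range of the domain that uses the 'ad' backend,
since winbind only uses rfc2307 IDs that fall inside that range.
"""
import re

# The [global] section posted in the thread, reduced to the lines that matter here.
SMB_CONF = """\
[global]
    workgroup = PYROCUFFLINK
    realm = PYROCUFFLINK.BLUE
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1000999
    idmap config PYROCUFFLINK : backend = ad
    idmap config PYROCUFFLINK : range = 3000000-3009999
    idmap config PYROCUFFLINK : unix_nss_info = yes
"""

# Constructed variant (assumption, not from the thread): the default range
# is widened until it collides with the domain range.
BAD_CONF = SMB_CONF.replace("1000000-1000999", "1000000-3000500")

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in conf."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return idmap


def parse_range(text):
    """Turn 'LOW-HIGH' into (low, high), rejecting inverted ranges."""
    low, high = (int(x) for x in text.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range {text!r}")
    return low, high


def check_config(idmap):
    """Return a list of problems with the idmap layout (empty means OK)."""
    problems = []
    if "*" not in idmap:
        problems.append("missing default 'idmap config *' block")
    ranges = {}
    for dom, cfg in idmap.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend set")
        if "range" not in cfg:
            problems.append(f"{dom}: no range set")
        else:
            ranges[dom] = parse_range(cfg["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def unmappable_entries(idmap, domain, entries):
    """With backend = ad, list (name, reason) for entries winbind cannot map:
    no rfc2307 attribute at all, or an ID outside the domain's range."""
    low, high = parse_range(idmap[domain]["range"])
    bad = []
    for e in entries:
        ids = [(k, e[k]) for k in ("uidNumber", "gidNumber") if k in e]
        if not ids:
            bad.append((e["name"], "no uidNumber/gidNumber attribute"))
        for attr, val in ids:
            if not low <= val <= high:
                bad.append((e["name"], f"{attr}={val} outside {low}-{high}"))
    return bad


# Constructed directory entries (assumption, not the poster's real objects).
SAMPLE_ENTRIES = [
    {"name": "Domain Users", "gidNumber": 3000513},
    {"name": "alice", "uidNumber": 3000001, "gidNumber": 3000513},
    {"name": "bob", "uidNumber": 10001, "gidNumber": 3000513},  # uid outside range
    {"name": "printers", "sAMAccountName": "printers"},         # no rfc2307 IDs
]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("config problems:", check_config(cfg) or "none")
    print("bad config problems:", check_config(parse_idmap(BAD_CONF)))
    for name, why in unmappable_entries(cfg, "PYROCUFFLINK", SAMPLE_ENTRIES):
        print(f"{name}: {why}")
```

On a real member server the same two checks are what `testparm` (range overlap) and `wbinfo -i <user>` / `getent passwd <user>` (whether the rfc2307 IDs are actually honoured) would tell you; the script only makes the rule explicit so that it can be applied to an exported list of accounts before they are expected to log in.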