Geoff Bland
2022-Jul-24 18:42 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
I have an UNRAID server, UNRAID allows shares with Samba via Windows AD access rights.

I have recently upgraded to the latest UNRAID server version, 6.10.2 and now several of my Windows users cannot connect to any shares on UNRAID - most can however.

I am not the only UNRAID user affected - the same issue has been reported several times on the UNRAID forum with users upgrading to the same version. Unfortunately none of us are Samba experts.

We have had no solution to this yet but it was suggested that we should try asking on the Samba forums to see if anyone there has any idea.

For my setup (other UNRAID users have different setups but the same issues) I have 2 Windows Server 2022 boxes running as domain controllers. Both also run DNS and DHCP. Both have static IP addresses. The UNRAID box has the 2 Windows Server for DNS and is "joined" to this domain.

The syslog is continually spitting out this error "Jul 15 21:58:49 UNRAID01 smbd[****]: check_account: Failed to convert SID S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 to a UID (dom_user[DOMAIN\username)" for all users with the issue.

I can do a "wbinfo -n" and that works OK but a "wbinfo -i" fails with WBC_ERR_DOMAIN_NOT_FOUND.

root@UNRAID01:~# wbinfo -n "DOMAIN\\user"
S-1-5-21- XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 SID_USER (1)

root@UNRAID01:~# wbinfo -i " DOMAIN\\username"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN\username

As far as I can tell the Samba service is connected to the AD domain and the idmap mappings are set correctly, I think these are the relevant samba.conf settings and they all look correct to me(?):

ntlm auth = Yes
workgroup = SHORTDOMAINNAME
realm = FQDOMAINNAME
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
winbind use default domain = Yes
ldap ssl = No
nt acl support = Yes
acl map full control = Yes
acl group control = Yes
inherit acls = Yes
inherit permissions = Yes
map acl inherit = Yes
dos filemode = Yes
store dos attributes = Yes

Samba in use is 4.15.7

root@UNRAID01:~# smbd -V
Version 4.15.7

Why are we getting this "Failed to convert SID" error for some of our users? What should I investigate next?
Rowland Penny
2022-Jul-24 19:11 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
On Sun, 2022-07-24 at 18:42 +0000, Geoff Bland via samba wrote:
> I have an UNRAID server, UNRAID allows shares with Samba via Windows
> AD access rights.
>
> I have recently upgraded to the latest UNRAID server version, 6.10.2
> and now several of my Windows users cannot connect to any shares on
> UNRAID - most can however.
>
> I am not the only UNRAID user affected - the same issue has been
> reported several times on the UNRAID forum with users upgrading to
> the same version. Unfortunately none of us are Samba experts.
>
> We have had no solution to this yet but it was suggested that we
> should try asking on the Samba forums to see if anyone there has any
> idea.
>
> For my setup (other UNRAID users have different setups but the same
> issues) I have 2 Windows Server 2022 boxes running as domain
> controllers. Both also run DNS and DHCP. Both have static IP
> addresses. The UNRAID box has the 2 Windows Server for DNS and is
> "joined" to this domain.
>
> The syslog is continually spitting out this error "Jul 15 21:58:49
> UNRAID01 smbd[****]: check_account: Failed to convert SID
> S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 to a UID (dom_user[DOMAIN\username)"
> for all users with the issue.
>
> I can do a "wbinfo -n" and that works OK but a "wbinfo -i" fails with
> WBC_ERR_DOMAIN_NOT_FOUND.
>
> root@UNRAID01:~# wbinfo -n "DOMAIN\\user"
>
> S-1-5-21- XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 SID_USER (1)
>
> root@UNRAID01:~# wbinfo -i " DOMAIN\\username"
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> Could not get info for user DOMAIN\username
>
> As far as I can tell the Samba service is connected to the AD domain
> and the idmap mappings are set correctly, I think these are the
> relevant samba.conf settings and they all look correct to me(?):
> ntlm auth = Yes
> workgroup = SHORTDOMAINNAME
> realm = FQDOMAINNAME
> idmap config * : backend = hash

I take it that UNRAID creates the smb.conf and if they did, did they not read 'man idmap_hash' ?

If they did, they would have found at the top:

NAME
       idmap_hash - DO NOT USE THIS BACKEND

And a little bit further down:

DESCRIPTION
       DO NOT USE THIS PLUGIN

Need I say more ?

Rowland
Rowland Penny
2022-Jul-24 20:01 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
On Sun, 2022-07-24 at 18:42 +0000, Geoff Bland via samba wrote:
> I have an UNRAID server, UNRAID allows shares with Samba via Windows
> AD access rights.
>
> I have recently upgraded to the latest UNRAID server version, 6.10.2
> and now several of my Windows users cannot connect to any shares on
> UNRAID - most can however.
>
> I am not the only UNRAID user affected - the same issue has been
> reported several times on the UNRAID forum with users upgrading to
> the same version. Unfortunately none of us are Samba experts.
>
> We have had no solution to this yet but it was suggested that we
> should try asking on the Samba forums to see if anyone there has any
> idea.
>
> For my setup (other UNRAID users have different setups but the same
> issues) I have 2 Windows Server 2022 boxes running as domain
> controllers. Both also run DNS and DHCP. Both have static IP
> addresses. The UNRAID box has the 2 Windows Server for DNS and is
> "joined" to this domain.
>
> The syslog is continually spitting out this error "Jul 15 21:58:49
> UNRAID01 smbd[****]: check_account: Failed to convert SID
> S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 to a UID (dom_user[DOMAIN\username)"
> for all users with the issue.
>
> I can do a "wbinfo -n" and that works OK but a "wbinfo -i" fails with
> WBC_ERR_DOMAIN_NOT_FOUND.
>
> root@UNRAID01:~# wbinfo -n "DOMAIN\\user"
>
> S-1-5-21- XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 SID_USER (1)
>
> root@UNRAID01:~# wbinfo -i " DOMAIN\\username"
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> Could not get info for user DOMAIN\username
>
> As far as I can tell the Samba service is connected to the AD domain
> and the idmap mappings are set correctly, I think these are the
> relevant samba.conf settings and they all look correct to me(?):
> ntlm auth = Yes
> workgroup = SHORTDOMAINNAME
> realm = FQDOMAINNAME
> idmap config * : backend = hash
> idmap config * : range = 10000-4000000000
> winbind use default domain = Yes
> ldap ssl = No
> nt acl support = Yes
> acl map full control = Yes
> acl group control = Yes
> inherit acls = Yes
> inherit permissions = Yes
> map acl inherit = Yes
> dos filemode = Yes
> store dos attributes = Yes
>
> Samba in use is 4.15.7
> root@UNRAID01:~# smbd -V
> Version 4.15.7
>
> Why are we getting this "Failed to convert SID" error for some of our
> users? What should I investigate next?

The 'idmap config * : backend = hash' sort of jumped out at me, but now that I have had more time to decipher and examine the smb.conf, I have a few questions:

Is the UNRAID machine supposed to be joined to the domain ?
If not, then why not ?
Also, if it isn't joined to the domain, why is Winbind running ?
If winbind isn't running, why do you have the 'idmap config' lines ?

If the machine is supposed to be joined to the domain, then that smb.conf is quite possibly the worst one I have ever seen.

Rowland
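
The idmap points raised in the two replies above, as a small smb.conf checker (an added example, not code from the thread or from the Samba project). It flags the 'hash' backend named in the thread; the range and per-domain checks and the names parse_global and audit_idmap are assumptions based on common Samba domain-member practice, and the sample config is constructed from the settings quoted in the post.

```python
import re

# Constructed sample: idmap-related [global] settings quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SHORTDOMAINNAME
    realm = FQDOMAINNAME
    idmap config * : backend = hash
    idmap config * : range = 10000-4000000000
"""
IDMAP_RE = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.*)", re.I)

def parse_global(text):
    """Return (plain params, per-domain idmap settings) from [global]."""
    params, idmap, section = {}, {}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            if m := IDMAP_RE.fullmatch(line):
                idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3].strip().lower()
            else:
                key, val = line.split("=", 1)
                params[" ".join(key.lower().split())] = val.strip()
    return params, idmap

def audit_idmap(text):
    """Return findings (strings) about the idmap settings in smb.conf text."""
    params, idmap = parse_global(text)
    findings, ranges = [], []
    for dom, cfg in sorted(idmap.items()):
        if cfg.get("backend") == "hash":
            findings.append(f"{dom}: backend 'hash' (man idmap_hash: DO NOT USE THIS BACKEND)")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", cfg.get("range", ""))
        if m and int(m[1]) < int(m[2]):
            ranges.append((int(m[1]), int(m[2]), dom))
        else:
            findings.append(f"{dom}: missing or invalid 'range'")
    top = (-1, None)  # highest ID seen so far and the domain that owns it
    for lo, hi, dom in sorted(ranges):
        if lo <= top[0]:
            findings.append(f"{top[1]} and {dom}: ID ranges overlap")
        top = max(top, (hi, dom))
    # Assumption (not from the thread): joined domain has its own idmap config unless '*' is autorid.
    wg = params.get("workgroup", "").upper()
    if params.get("realm") and wg and wg not in idmap and idmap.get("*", {}).get("backend") != "autorid":
        findings.append(f"{wg}: no 'idmap config {wg} : ...' for the joined domain")
    return findings

print("\n".join(audit_idmap(SAMPLE_SMB_CONF)))  # report for the constructed sample
```

On a real host, feeding it the output of 'testparm -s' checks the configuration Samba actually loads rather than the file on disk.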