Geoff Bland
2022-Jul-24 21:36 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
Firstly, thanks for the quick reply.

> Is the UNRAID machine supposed to be joined to the domain ?

Yes, it is meant to be joined to the domain - although I am not 100% sure what "joined" means in terms of UNRAID. I can see the server exists in the AD domain machines (and also DNS & DHCP obviously) and the account used to connect to the domain "unraid" is a valid AD user account with Domain Admin access.

> If the machine is supposed to be joined to the domain, then that smb.conf is quite possibly the worst one I have ever seen.

Please bear in mind that there is more in the smb.conf file - I just extracted what I thought were the only relevant lines for this issue.

> I take it that UNRAID creates the smb.conf and if they did, did they not read 'man idmap_hash' ? If they did, they would have found at the top: DO NOT USE THIS PLUGIN

Yes, the smb.conf is created by UNRAID. Configuration of UNRAID is by its web pages so in theory users don't get their hands dirty with .conf files. Although there is some scope to add extra SMB settings via the web page there's no documentation I can find on this in the UNRAID documents.

I had seen the following warnings in the syslog as well "Jul 24 21:02:06 UNRAID01 winbindd[4248]: idmap_hash_initialize: The idmap_hash module is deprecated and should not be used. Please migrate to a different plugin. This module will be removed in a future version of Samba". But I am no expert on Samba and took this to mean this was deprecated - so although not good at least worked for now - so discounted this as the problem.

But given what you have said I have changed the config now to

    idmap config * : backend = tdb
    idmap config * : range = 1000-4000000000

via the "Extra SMB Settings" on UNRAID settings.

I then restarted the UNRAID server (restarting just the Samba service did not seem to work). Now I can log onto the UNRAID share and see the mounts.

However now checking further it appears that all the access rights to all files and directories on the shares are now all messed up and will need correcting.

But at least now I can log in. So thanks for your help.
Rowland Penny
2022-Jul-25 06:46 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
On Sun, 2022-07-24 at 21:36 +0000, Geoff Bland via samba wrote:
> Firstly, thanks for the quick reply.
>
> > Is the UNRAID machine supposed to be joined to the domain ?
>
> Yes, it is meant to be joined to the domain - although I am not 100% sure what "joined" means in terms of UNRAID. I can see the server exists in the AD domain machines (and also DNS & DHCP obviously) and the account used to connect to the domain "unraid" is a valid AD user account with Domain Admin access.
>
> > If the machine is supposed to be joined to the domain, then that smb.conf is quite possibly the worst one I have ever seen.
>
> Please bear in mind that there is more in the smb.conf file - I just extracted what I thought were the only relevant lines for this issue.
>
> > I take it that UNRAID creates the smb.conf and if they did, did they not read 'man idmap_hash' ? If they did, they would have found at the top: DO NOT USE THIS PLUGIN
>
> Yes, the smb.conf is created by UNRAID. Configuration of UNRAID is by its web pages so in theory users don't get their hands dirty with .conf files. Although there is some scope to add extra SMB settings via the web page there's no documentation I can find on this in the UNRAID documents.
>
> I had seen the following warnings in the syslog as well "Jul 24 21:02:06 UNRAID01 winbindd[4248]: idmap_hash_initialize: The idmap_hash module is deprecated and should not be used. Please migrate to a different plugin. This module will be removed in a future version of Samba". But I am no expert on Samba and took this to mean this was deprecated - so although not good at least worked for now - so discounted this as the problem.
>
> But given what you have said I have changed the config now to
>
>     idmap config * : backend = tdb
>     idmap config * : range = 1000-4000000000
>
> via the "Extra SMB Settings" on UNRAID settings.
>
> I then restarted the UNRAID server (restarting just the Samba service did not seem to work). Now I can log onto the UNRAID share and see the mounts.
>
> However now checking further it appears that all the access rights to all files and directories on the shares are now all messed up and will need correcting.
>
> But at least now I can log in. So thanks for your help.

The idmap 'hash' backend was deprecated 5 years ago and shouldn't be used. You need 'idmap config' lines for the 'SHORTDOMAINNAME' domain, I would suggest using the idmap 'rid' backend. If you can post the entire smb.conf, I will suggest alterations that you can make, you could then pass these on to UNRAID.

Rowland
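
An added example, not part of the thread and not Samba or UNRAID code: a small Python check for the two points raised in the reply above (a deprecated idmap 'hash' backend, and no 'idmap config' lines for the AD domain), plus overlapping ID ranges. The smb.conf fragments are constructed, and the range values in the last one are assumed samples.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf_text):
    """Collect 'idmap config DOMAIN : option = value' lines as {DOMAIN: {option: value}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        if m := IDMAP_RE.match(line):
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def audit_idmap(conf_text, ad_domain):
    """List the ID-mapping problems found for a domain member."""
    domains, findings, ranges = parse_idmap(conf_text), [], []
    for dom, opts in domains.items():
        if opts.get("backend", "").lower() == "hash":
            findings.append(f"{dom}: deprecated idmap_hash backend")
        if m := re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", "")):
            ranges.append((int(m[1]), int(m[2]), dom))
        else:
            findings.append(f"{dom}: missing or malformed range")
    if ad_domain.upper() not in domains:
        findings.append(f"{ad_domain}: no 'idmap config' lines for the AD domain")
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # two domains would be handed the same Unix IDs
            findings.append(f"{d1} and {d2}: overlapping ID ranges")
    return findings

# Constructed fragments, not the poster's real smb.conf.
HASH_CONF = """
idmap config * : backend = hash
idmap config * : range = 1000-4000000000
"""
TDB_ONLY_CONF = HASH_CONF.replace("= hash", "= tdb")
# Range values below are assumed samples; pick ranges that suit the domain.
PER_DOMAIN_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SHORTDOMAINNAME : backend = rid
idmap config SHORTDOMAINNAME : range = 10000-999999
"""

for conf in (HASH_CONF, TDB_ONLY_CONF, PER_DOMAIN_CONF):
    print(audit_idmap(conf, "SHORTDOMAINNAME"))
```

Any change of backend or range changes which Unix IDs the domain SIDs map to, so ownership already written to disk under the old mapping has to be reviewed afterwards.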