On 12/06/2023 07:04, Christian Naumer via samba wrote:
> On Saturday, 10.06.2023 at 20:57 +0100, Rowland Penny via samba wrote:
>>
>>
>> On 10/06/2023 20:37, Christian Naumer via samba wrote:
>>> That might be the right direction. The standard krb5.conf on
>>> rhel/rocky breaks samba. At least for us. That is why we always
>>> replace it with a custom one.
>>
>> It might be an idea if we could see your definition of the standard
>> krb5.conf. I ask this because I have set up a Unix domain member on
>> both Rocky Linux 8 and 9 with my idea of the standard krb5.conf and
>> they both worked.
>
>
> In Rocky 8 we have this as standard which we usually replace:
>
> # To opt out of the system crypto-policies configuration of krb5, remove the
> # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
> includedir /etc/krb5.conf.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> spake_preauth_groups = edwards25519
> # default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> I think it does not like the "crypto-policies" file in the includedir.
> But I am unsure. Maybe this is different now but it used to be a problem.
>
> Here is what we replace it with:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EXAMPLEREALM.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> default_ccache_name = KEYRING:persistent:%{uid}
>
> Regards
>
> Christian
>
>
I used this /etc/krb5.conf on a machine called 'rocky9':

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = true

[realms]
SAMDOM.EXAMPLE.COM = {
default_domain = samdom.example.com
}

[domain_realm]
ROCKY9 = SAMDOM.EXAMPLE.COM

I also did this:

sudo rm /etc/krb5.conf.d/crypto-policies

I ended up with a fully working Unix domain member using the 'rid' idmap
backend.

Rowland
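Added here as an example, not code from the Samba project or from either poster: a small Python parser for the krb5.conf format quoted in this thread, with a check that flags the two points the discussion turns on, a missing default_realm in [libdefaults] and an includedir that would pull in the crypto-policies snippet. The function names, the snippet_names parameter and the abridged sample configs are assumptions of the example.

```python
# Added example, not Samba code: parse a krb5.conf and flag the two things
# this thread turns on (no default_realm; includedir pulling in crypto-policies).
def parse_krb5_conf(text):
    """Return (directives, sections): [(name, arg)] for top-level
    include/includedir lines, and {section: {key: value | nested dict}}."""
    directives, sections, stack = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments/blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):   # new [section]
            stack = [sections.setdefault(line[1:-1], {})]
        elif not stack:                          # directive before sections
            name, _, arg = line.partition(" ")
            directives.append((name, arg.strip()))
        elif line == "}":                        # end of REALM = { ... }
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                     # start of a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return directives, sections

def check_member_krb5(text, snippet_names=()):
    """snippet_names: files under the includedir (constructed here; on a real
    host list /etc/krb5.conf.d/). Returns a list of findings, empty if clean."""
    directives, sections = parse_krb5_conf(text)
    findings = []
    if "default_realm" not in sections.get("libdefaults", {}):
        findings.append("no default_realm in [libdefaults]")
    for name, arg in directives:
        if name == "includedir" and "crypto-policies" in snippet_names:
            findings.append(f"includedir {arg} pulls in crypto-policies")
    return findings

# Constructed samples, abridged from the two configs quoted in the thread.
STOCK = """includedir /etc/krb5.conf.d/
[libdefaults]
dns_lookup_realm = false
# default_realm = EXAMPLE.COM
"""
WORKING = """[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
[realms]
SAMDOM.EXAMPLE.COM = {
default_domain = samdom.example.com
}
"""
```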