Himanshi Yadav
2023-Jul-28 16:35 UTC
[Samba] check_account: Failed to find local account with UID" issue / The university of Chicago
Hi Experts,

We encountered a weird issue after restarting the server. Seems everything is working fine on the configuration side but the user's not able to authenticate with the Samba server. Can you please help to investigate the issue?

Our setup details and configuration file + error logs + service status.

Samba:- 4.18.3-0
CentOS Linux release 8.4.2105
Authentication mechanism is SSSD

[root at midway3-dm1 samba]# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    clustering = Yes
    idmap cache time = 1
    idmap negative cache time = 1
    kerberos method = system keytab
    log file = /var/log/samba/log.%m
    max log size = 50
    netbios name = DMCIFS
    realm = AD.UCHICAGO.EDU
    security = ADS
    server min protocol = SMB3_02
    server string = Samba Server Version %v
    winbind cache time = 1
    workgroup = AD
    fruit:delete_empty_adfiles = yes
    fruit:wipe_intentionally_left_blank_rfork = yes
    fruit:veto_appledouble = no
    fruit:posix_rename = yes
    fruit:model = MacSamba
    fruit:metadata = stream
    fileid:algorithm = fsname
    idmap config ad : range = 1401-2147483647
    idmap config ad : backend = sss
    idmap config * : range = 2147483648-3000000000
    idmap config * : backend = tdb2
    hosts allow = 127. 128.135.0.0/255.255.0.0 205.208.0.0/255.255.128.0 10.0.0.0/255.0.0.0 192.170.192.0/255.255.224.0
    invalid users = root bin daemon adm lp sync shutdown halt mail operator games ftp nobody dbus systemd-coredump systemd-resolve tss polkitd geoclue rtkit pulse pipewire libstoragemgmt qemu usbmuxd unbound rpc gluster chrony setroubleshoot saslauth dnsmasq radvd clevis cockpit-ws cockpit-wsinstance sssd flatpak colord gdm rpcuser gnome-initial-setup sshd pesign avahi rngd tcpdump munge
    kernel oplocks = Yes
    vfs objects = gpfs fileid catia fruit streams_xattr

[root at midway3-dm1 samba]# wbinfo -D ADLOCAL
Name : ADLOCAL
Alt_Name : ad.local
SID : S-1-5-21-1644491937-1604221776-725345543
Active Directory : Yes
Native : Yes
Primary : No

Error file /////
[2023/07/28 10:57:18.459537, 0] ../../source3/auth/auth_util.c:1936(check_account)
  check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 10:57:20.478287, 0] ../../source3/auth/auth_util.c:1936(check_account)
  check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 10:57:20.484230, 0] ../../source3/auth/auth_util.c:1936(check_account)
  check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])

[root at midway3-dm1 samba]# wbinfo -s S-1-5-21-1644491937-1604221776-725345543-304562
ADLOCAL\dgmartin 1

[root at midway3-dm1 samba]# id dgmartin
uid=2088466063(dgmartin) gid=2088466063(dgmartin) groups=2088466063(dgmartin),10008(rcc),10741(pi-vitelli)

[root at midway3-dm1 samba]# smbstatus

Samba version 4.18.3
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------

No locked files

[root at midway3-dm1 samba]# systemctl status smb.service
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2023-07-28 09:33:17 CDT; 1h 25min ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1084106 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 4 (limit: 1233751)
   Memory: 7.3M
   CGroup: /system.slice/smb.service
           ├─1084106 /usr/sbin/smbd --foreground --no-process-group
           ├─1084110 /usr/sbin/smbd --foreground --no-process-group
           ├─1084111 /usr/sbin/smbd --foreground --no-process-group
           └─1246399 /usr/sbin/smbd --foreground --no-process-group

Jul 28 10:58:39 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:39.579270, 0] ../../source3/auth/auth_util.c:1936(check_account)
Jul 28 10:58:39 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:41.590064, 0] ../../source3/auth/auth_util.c:1936(check_account)
Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:41.595463, 0] ../../source3/auth/auth_util.c:1936(check_account)
Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:43.605547, 0] ../../source3/auth/auth_util.c:1936(check_account)
Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:43.611198, 0] ../../source3/auth/auth_util.c:1936(check_account)
Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
Rowland Penny
2023-Jul-28 17:05 UTC
[Samba] check_account: Failed to find local account with UID" issue / The university of Chicago
On 28/07/2023 17:35, Himanshi Yadav via samba wrote:
> Hi Experts,
>
> We encountered a weird issue after restarting the server. Seems everything is working fine on the configuration side but the user's not able to authenticate with the Samba server. Can you please help to investigate the issue?
>
> Our setup details and configuration file + error logs + service status.
>
> Samba:- 4.18.3-0
> CentOS Linux release 8.4.2105
> Authentication mechanism is SSSD
>
> [root at midway3-dm1 samba]# testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>     clustering = Yes
>     idmap cache time = 1
>     idmap negative cache time = 1
>     kerberos method = system keytab
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     netbios name = DMCIFS
>     realm = AD.UCHICAGO.EDU
>     security = ADS
>     server min protocol = SMB3_02
>     server string = Samba Server Version %v
>     winbind cache time = 1
>     workgroup = AD
>     fruit:delete_empty_adfiles = yes
>     fruit:wipe_intentionally_left_blank_rfork = yes
>     fruit:veto_appledouble = no
>     fruit:posix_rename = yes
>     fruit:model = MacSamba
>     fruit:metadata = stream
>     fileid:algorithm = fsname
>     idmap config ad : range = 1401-2147483647
>     idmap config ad : backend = sss
>     idmap config * : range = 2147483648-3000000000
>     idmap config * : backend = tdb2
>     hosts allow = 127. 128.135.0.0/255.255.0.0 205.208.0.0/255.255.128.0 10.0.0.0/255.0.0.0 192.170.192.0/255.255.224.0
>     invalid users = root bin daemon adm lp sync shutdown halt mail operator games ftp nobody dbus systemd-coredump systemd-resolve tss polkitd geoclue rtkit pulse pipewire libstoragemgmt qemu usbmuxd unbound rpc gluster chrony setroubleshoot saslauth dnsmasq radvd clevis cockpit-ws cockpit-wsinstance sssd flatpak colord gdm rpcuser gnome-initial-setup sshd pesign avahi rngd tcpdump munge
>     kernel oplocks = Yes
>     vfs objects = gpfs fileid catia fruit streams_xattr
>
>
> [root at midway3-dm1 samba]# wbinfo -D ADLOCAL
> Name : ADLOCAL
> Alt_Name : ad.local
> SID : S-1-5-21-1644491937-1604221776-725345543
> Active Directory : Yes
> Native : Yes
> Primary : No
>
>
> Error file /////
> [2023/07/28 10:57:18.459537, 0] ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])

Hmm, your workgroup is 'AD' (see above), but it is a user from a workgroup called 'ADLOCAL' that is trying to connect, unless it is a sanitising error?

However, that may be correct, because the ID '2147483648' is part of the default '*' domain.

> [2023/07/28 10:57:20.478287, 0] ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 10:57:20.484230, 0] ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
>
> [root at midway3-dm1 samba]# wbinfo -s S-1-5-21-1644491937-1604221776-725345543-304562
> ADLOCAL\dgmartin 1
>
>
> [root at midway3-dm1 samba]# id dgmartin
> uid=2088466063(dgmartin) gid=2088466063(dgmartin) groups=2088466063(dgmartin),10008(rcc),10741(pi-vitelli)
>
> [root at midway3-dm1 samba]# smbstatus
>
> Samba version 4.18.3
> PID Username Group Machine Protocol Version Encryption Signing
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> Service pid Machine Connected at Encryption Signing
> ---------------------------------------------------------------------------------------------
>
> No locked files
>
> [root at midway3-dm1 samba]# systemctl status smb.service
> ● smb.service - Samba SMB Daemon
>    Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
>    Active: active (running) since Fri 2023-07-28 09:33:17 CDT; 1h 25min ago
>      Docs: man:smbd(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 1084106 (smbd)
>    Status: "smbd: ready to serve connections..."
>     Tasks: 4 (limit: 1233751)
>    Memory: 7.3M
>    CGroup: /system.slice/smb.service
>            ├─1084106 /usr/sbin/smbd --foreground --no-process-group
>            ├─1084110 /usr/sbin/smbd --foreground --no-process-group
>            ├─1084111 /usr/sbin/smbd --foreground --no-process-group
>            └─1246399 /usr/sbin/smbd --foreground --no-process-group
>
> Jul 28 10:58:39 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:39.579270, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:39 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:41.590064, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:41.595463, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:43.605547, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:43.611198, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
>

How can I put this politely?

Samba does not produce sssd or idmap-sss.

This means that Samba cannot really provide support for sssd, you need to ask the sssd-users mailing list.

There is however a problem with the way that you are running Samba with sssd, not even Red Hat supports such a setup. Note that there are those that say 'you just need to run winbind as well', which to me totally misses the point, you only need one and if you are running Samba as a Unix domain member, you need to run winbind, so there is no real point to running sssd as well.

If you just require authentication from AD, then sssd is great, but the moment Samba enters the scene, please do not use sssd.

I am sorry if this is not what you wanted to hear, but it appears to be how it is. Also, before anyone claims that I hate sssd, I do not, I just do not see the point in running it with Samba, Samba has enough of its own idmap backends.

Rowland
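
Added example, not part of either post in this thread: a small Python check of the point raised in the reply above, that UID 2147483648 lies in the default '*' idmap range rather than the 'ad' range. It assumes a domain with no `idmap config` lines of its own (here ADLOCAL) is handled by `idmap config *`; the function names are hypothetical and the inputs are copied from the first post.

```python
import re

# Constructed input: workgroup and idmap lines copied from the testparm dump in
# the first post, plus one check_account log line from the same post.
SMB_CONF = """\
workgroup = AD
idmap config ad : range = 1401-2147483647
idmap config ad : backend = sss
idmap config * : range = 2147483648-3000000000
idmap config * : backend = tdb2
"""
LOG_LINE = ("check_account: Failed to find local account with UID 2147483648 "
            "for SID S-1-5-21-1644491937-1604221776-725345543-304562 "
            "(dom_user[ADLOCAL\\dgmartin])")

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
LOG_RE = re.compile(r"UID (\d+) for SID (S-[\d-]+) \(dom_user\[([^\\\]]+)\\([^\]]+)\]\)")

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        entry[key] = tuple(map(int, val.split("-"))) if key == "range" else val
    return domains

def owner_of(uid, domains):
    """Name of the idmap config whose range contains uid, or None."""
    for dom, cfg in domains.items():
        low, high = cfg.get("range", (1, 0))
        if low <= uid <= high:
            return dom
    return None

def diagnose(conf, log_line, nss_uid):
    """Compare the UID in the smbd log with the UID the OS (`id`) reports."""
    domains = parse_idmap(conf)
    uid, sid, dom, user = LOG_RE.search(log_line).groups()
    # Assumption: a domain without its own idmap config uses the '*' default.
    applied = dom.upper() if dom.upper() in domains else "*"
    return {"user": dom + "\\" + user, "applied_config": applied,
            "backend": domains[applied].get("backend"),
            "smbd_uid_owner": owner_of(int(uid), domains),
            "nss_uid_owner": owner_of(nss_uid, domains),
            "first_id_of_range": int(uid) == domains[applied]["range"][0]}

if __name__ == "__main__":
    print(diagnose(SMB_CONF, LOG_LINE, 2088466063))  # 2088466063 is from `id dgmartin`
```

For the values in the thread, the UID smbd looked up comes from the '*' (tdb2) range while the UID returned by `id dgmartin` sits in the 'ad' (sss) range, so the two lookups do not agree on the same account.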