james.atwell365 at gmail.com
2023-Nov-16 18:14 UTC
[Samba] Account Unknown: SID not resolvable
Hello,

When viewing the Security tab of a user object I find 2 username/groups that display their SID as opposed to their username with Account Unknown. I tried to use 'wbinfo -s' with the SID but it's unable to return a result. Using a well-known SID works without issue.

At one point this domain used 'idmap_ldb:use rfc2307 = yes' in the smb.conf file when it was initially provisioned. It's no longer used on any DC and my understanding is that by removing it, GIDs will not be resolvable and it should have no effect on SIDs.

To aid in my troubleshooting, can someone share what security usernames and groups are created on a typical new user or group account?

The two SIDs I have with an unknown account name are as follows.

s-1-5-21-940051827-2291820289-3341758437-526
s-1-5-21-940051827-2291820289-3341758437-527

Are there other things I should be looking at to resolve this concern?

Thank you.
On Thu, 16 Nov 2023 13:14:56 -0500 James Atwell via samba <samba at lists.samba.org> wrote:

> Hello,
>
> When viewing the Security tab of a user object I find 2
> username/groups that display their SID as opposed to their username
> with Account Unknown. I tried to use 'wbinfo -s' with the SID but
> it's unable to return a result. Using a well-known SID works without
> issue.
>
> At one point this domain used 'idmap_ldb:use rfc2307 = yes' in the
> smb.conf file when it was initially provisioned. It's no longer used
> on any DC and my understanding is that by removing it, GIDs will not
> be resolvable and it should have no effect on SIDs.
>
> To aid in my troubleshooting, can someone share what security
> usernames and groups are created on a typical new user or group
> account?
>
> The two SIDs I have with an unknown account name are as follows.
>
> s-1-5-21-940051827-2291820289-3341758437-526
> s-1-5-21-940051827-2291820289-3341758437-527

They are for a couple of groups that I haven't come across (yet): 'Key Admins' and 'Enterprise Key Admins'.

This is probably an artefact of you having 'ad dc functional level 2016' in your DCs smb.conf; Samba hasn't caught up yet.

Rowland
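
An added example, not part of the thread and not Samba code: a small Python triage helper for SIDs that 'wbinfo -s' cannot resolve. It splits off the RID, compares the domain part with the local domain SID and checks the RID against Microsoft's well-known domain-relative RIDs; the function name, the result fields and the table are assumptions of this example, and the domain SID is the one from the post above.

```python
import re

# Well-known domain-relative RIDs from Microsoft's published list of
# well-known SIDs (table contents are this example's assumption, not Samba's).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 517: "Cert Publishers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 521: "Read-only Domain Controllers",
    522: "Cloneable Domain Controllers", 525: "Protected Users",
    526: "Key Admins", 527: "Enterprise Key Admins",
}

# S-1-5-21-<three domain sub-authorities>-<RID>; tools differ on 'S' vs 's'.
SID_RE = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$", re.IGNORECASE)


def triage_sid(sid, local_domain_sid):
    """Classify an unresolved SID relative to the local domain SID."""
    m = SID_RE.match(sid.strip())
    if m is None:
        return {"kind": "not-domain-relative", "rid": None, "name": None}
    domain_sid = "S-1-5-21-" + m.group(1)
    rid = int(m.group(2))
    if domain_sid != local_domain_sid.strip().upper():
        kind, name = "foreign-domain", None      # issued by another domain
    elif rid in WELL_KNOWN_RIDS:
        kind, name = "well-known", WELL_KNOWN_RIDS[rid]
    elif rid < 1000:
        kind, name = "reserved-range", None      # built-in range, not in table
    else:
        kind, name = "domain-object", None       # created objects start at 1000
    return {"kind": kind, "rid": rid, "name": name}


if __name__ == "__main__":
    LOCAL = "S-1-5-21-940051827-2291820289-3341758437"
    samples = [
        "s-1-5-21-940051827-2291820289-3341758437-526",  # from the post
        "s-1-5-21-940051827-2291820289-3341758437-527",  # from the post
        "S-1-5-21-940051827-2291820289-3341758437-1105",  # constructed
        "S-1-5-21-111-222-333-512",                       # constructed
    ]
    for s in samples:
        print(s, triage_sid(s, LOCAL))
```

A "well-known" result for a SID that still fails to resolve means the directory lacks the corresponding object, which matches the explanation given in the reply.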