I'm setting up a FreeBSD server which will authenticate against an Active Directory. I mean: the server will NOT have any local users (except the mandatory minimum required for management and configuration) and will authenticate requests for login and access FOR EVERY SERVICE against an Active Directory server.

I have configured the Samba service and currently I can log in to the local terminal, ssh, smtp and pop3 services using local or AD users and passwords. Each service authenticates the user correctly, first trying the AD domain then, if that fails, validating against the local passwd db.

The problem is that I get this error every 30 seconds:

rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549

I get this message for every builtin group in the Active Directory domain.

This error doesn't cause any problem or malfunction in the running services (ssh, smtp, pop3, etc.), but it's really annoying and causes the log file to grow in size very, very quickly.

As far as I can understand, Samba is trying to associate BUILTIN groups with its local copy, but it doesn't have allowance for the operation (and in fact I do not want this).

What can I do to stop this error from coming out every 30 seconds? What have I missed in the configuration so that Samba tries to copy the BUILTIN groups?
Here is my smbd configuration:

[global]
workgroup = mydomain
realm = mydomain.it
security = ADS
allow trusted domains = No
idmap backend = idmap_rid:DMSWARE= 1000-100000
idmap uid = 1000-100000
idmap gid = 1000-100000
template homedir = /home/%U
template shell = /bin/sh
winbind cache time = 3600
winbind nested groups = Yes
winbind use default domain = Yes
syslog only = Yes
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
add user script = /usr/sbin/pw useradd %u
add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/pw userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
delete group script = /usr/sbin/pw groupdel %g

And here is my PAM stack for /etc/pam.d/system:

# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_winbind.so try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_winbind.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
password sufficient pam_winbind.so try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

Thanks for any help or hint you can give me.
Gianluca Culot
2007-May-03 23:38 UTC
R: [Samba] Samba3 : no suitable range available for sid
Any Help for this ????
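Added example, not part of the original thread: a small Python triage script that extracts the SIDs from the repeating rid_idmap_get_id_from_sid messages and reports whether each belongs to the BUILTIN domain (S-1-5-32) or to the AD domain, which confirms that the noise concerns only well-known local aliases and not domain accounts. The syslog prefix, the domain SID, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Well-known alias RIDs of the BUILTIN domain (S-1-5-32), as defined by Windows.
BUILTIN_DOMAIN = "S-1-5-32"
BUILTIN_ALIASES = {
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicators",
}
# Message text as quoted in the post; everything before it on a line is ignored.
LOG_RE = re.compile(
    r"rid_idmap_get_id_from_sid: no suitable range available for sid: (S-[\d-]+)")

def split_sid(sid):
    """Split a SID string into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def summarize(lines, domain_sid):
    """Count unmapped SIDs, keyed by (category, description)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        sid = m.group(1)
        dom, rid = split_sid(sid)
        if dom == BUILTIN_DOMAIN:
            name = BUILTIN_ALIASES.get(rid, "unknown alias")
            counts[("builtin", f"{sid} ({name})")] += 1
        elif dom == domain_sid:
            counts[("domain", sid)] += 1  # a real domain account lacks a range
        else:
            counts[("other", sid)] += 1
    return counts

# Constructed sample data: host name, pids, timestamps and domain SID are invented.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
MSG = "rid_idmap_get_id_from_sid: no suitable range available for sid: "
SAMPLE_LOG = [
    "May  3 23:00:01 host winbindd[512]: " + MSG + "S-1-5-32-549",
    "May  3 23:00:31 host winbindd[512]: " + MSG + "S-1-5-32-549",
    "May  3 23:00:31 host winbindd[512]: " + MSG + "S-1-5-32-544",
    "May  3 23:00:40 host sshd[700]: Accepted password for someuser",
    "May  3 23:01:01 host winbindd[512]: " + MSG + SAMPLE_DOMAIN_SID + "-70000",
]

if __name__ == "__main__":
    for (category, what), n in sorted(summarize(SAMPLE_LOG, SAMPLE_DOMAIN_SID).items()):
        print(f"{n:4d}  {category:8s} {what}")
```

Entries in the "domain" category are the ones that would deserve attention, since they indicate a domain account whose RID falls outside the configured range.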