Jonathan Hunter
2015-Jun-05 09:44 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
Hi,

I have now added rfc2307 to my domain - I extended the schema, have added UIDs to some (not all yet) of my users and groups, and have my smb.conf with this currently:

        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307

        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        winbind expand groups = 8

        #idmap config *:range = 900000-999999

This works just fine on one of my DCs, but the other is proving more problematic.

See below for more detail on the process, but the issue is that right now, I now have hundreds (thousands) of messages appearing in syslog along the lines of:
Unable to convert SID (S-1-1-0) at index 5 in user token to a GID. Conversion was returned as type 0, full token:

'net cache list' confirms:
Key: IDMAP/SID2XID/S-1-1-0 Timeout: 10:41:35 Value: -1:N

I've uncommented the idmap line above, to no effect.

The same config works just fine on the other DC.

What can I check next?

Thanks,

Jonathan

I can't explain the initial issues I had on this DC, either. After adding rfc2307, this DC simply wouldn't resolve the new UIDs I had added, despite running "net cache flush". Even when shutting samba down, then running "net cache flush", then starting samba back, I had a very weird time where running "id <user>" was just fine at first, returning the rfc2307-defined UID, but then running the same command a few seconds later, it had reverted back to 3000007!

I finally used the following to restart - clearing out the idmap.ldb file - and this seemed to work better, but I still have the issue above:
service samba4 stop;net cache flush;rm /usr/local/samba/private/idmap.ldb;service samba4 start

--
"If we knew what it was we were doing, it would not be called research, would it?"
 - Albert Einstein
L.P.H. van Belle
2015-Jun-05 10:00 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
really...

> winbind expand groups = 8

This will make your authentication very slow..

For your problem, please post your complete smb.conf, I'm missing a lot.. Like..

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999

## map ids from the domain and (*) the range may not overlap !
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-3999999

# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 3

find these files :
gencache_notrans.tdb
gencache.tdb

stop samba, remove these files, start samba.

run : net idmap delete
on both DC's.

Greetz,

Louis

>-----Original message-----
>From: jmhunter1 at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Jonathan Hunter
>Sent: Friday 5 June 2015 11:45
>To: samba
>Subject: [Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
>
>Hi,
>
>I have now added rfc2307 to my domain - I extended the schema, have
>added UIDs to some (not all yet) of my users and groups, and have my
>smb.conf with this currently:
>
> idmap_ldb:use rfc2307 = yes
> winbind nss info = rfc2307
>
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind expand groups = 8
>
> #idmap config *:range = 900000-999999
>
>This works just fine on one of my DCs, but the other is proving more
>problematic.
>
>See below for more detail on the process, but the issue is that right
>now, I now have hundreds (thousands) of messages appearing in syslog
>along the lines of:
>Unable to convert SID (S-1-1-0) at index 5 in user token to a GID.
>Conversion was returned as type 0, full token:
>
>'net cache list' confirms:
>Key: IDMAP/SID2XID/S-1-1-0 Timeout: 10:41:35 Value: -1:N
>
>I've uncommented the idmap line above, to no effect.
>
>The same config works just fine on the other DC.
>
>What can I check next?
>
>Thanks,
>
>Jonathan
>
>I can't explain the initial issues I had on this DC, either. After
>adding rfc2307, this DC simply wouldn't resolve the new UIDs I had
>added, despite running "net cache flush". Even when shutting samba
>down, then running "net cache flush", then starting samba back, I had
>a very weird time where running "id <user>" was just fine at first,
>returning the rfc2307-defined UID, but then running the same command a
>few seconds later, it had reverted back to 3000007!
>
>I finally used the following to restart - clearing out the idmap.ldb
>file - and this seemed to work better, but I still have the issue
>above:
>service samba4 stop;net cache flush;rm
>/usr/local/samba/private/idmap.ldb;service samba4 start
>
>--
>"If we knew what it was we were doing, it would not be called
>research, would it?"
> - Albert Einstein
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2015-Jun-05 10:13 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
On 05/06/15 10:44, Jonathan Hunter wrote:
> Hi,
>
> I have now added rfc2307 to my domain - I extended the schema, have
> added UIDs to some (not all yet) of my users and groups, and have my
> smb.conf with this currently:
>
> idmap_ldb:use rfc2307 = yes
> winbind nss info = rfc2307
>
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind expand groups = 8
>
> #idmap config *:range = 900000-999999
>
> This works just fine on one of my DCs, but the other is proving more
> problematic.
>
> See below for more detail on the process, but the issue is that
> right now, I now have hundreds (thousands) of messages appearing in
> syslog along the lines of:
> Unable to convert SID (S-1-1-0) at index 5 in user token to a GID.
> Conversion was returned as type 0, full token:
>
> 'net cache list' confirms:
> Key: IDMAP/SID2XID/S-1-1-0 Timeout: 10:41:35 Value: -1:N
>
> I've uncommented the idmap line above, to no effect.
>
> The same config works just fine on the other DC.
>
> What can I check next?
>
> Thanks,
>
> Jonathan
>
> I can't explain the initial issues I had on this DC, either. After
> adding rfc2307, this DC simply wouldn't resolve the new UIDs I had
> added, despite running "net cache flush". Even when shutting samba
> down, then running "net cache flush", then starting samba back, I
> had a very weird time where running "id <user>" was just fine at
> first, returning the rfc2307-defined UID, but then running the same
> command a few seconds later, it had reverted back to 3000007!
>
> I finally used the following to restart - clearing out the idmap.ldb
> file - and this seemed to work better, but I still have the issue
> above:
> service samba4 stop;net cache flush;rm /usr/local/samba/private/idmap.ldb;service samba4 start
>

Hi, what do you mean 'I extended the schema' ?
How did you extend the schema and with what ?

Rowland
Jonathan Hunter
2015-Jun-05 10:36 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
Thank you Louis - appreciated.

On 5 June 2015 at 11:00, L.P.H. van Belle <belle at bazuin.nl> wrote:
> really...
>> winbind expand groups = 8
> This will make your authentication very slow..

Understood - I had that in from something else. Have commented it out for now, although I think it's unrelated to this :)

> for your problem, please post your complete smb.conf
> I'm missing a lot..

See below - ta.

> find these files :
> gencache_notrans.tdb
> gencache.tdb
>
> stop samba, remove these files, start samba.

That didn't make a difference, unfortunately :(

> run : net idmap delete

Is this different from 'net cache flush' (I guess so) - wouldn't this be cleared out by removing the tdb files though? The 'net idmap delete' command needs parameters and SIDs etc.. which would you recommend clearing?

> on both DC's.

That's an interesting point - I had been doing this on the problematic/faulty DC only. Would clearing any of these on the other DC have any effect on the problematic one??

smb.conf (sanitised etc):

[global]
        log level = 0
        workgroup = MYDOMAIN
        realm = mydomain.my.tld
        netbios name = MYSERVERNAME
        server role = active directory domain controller
        interfaces = eth0 lo
        bind interfaces only = yes
        server services = -dns
        dsdb:schema update allowed = true
        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        #winbind expand groups = 8
        idmap config *:backend = tdb
        idmap config *:range = 9000000-9099999
        #idmap config MYDOMAIN:range = 10000-99999
        #idmap config MYDOMAIN:backend = ad
        #idmap config MYDOMAIN:schema_mode = rfc2307
        template shell = /bin/bash
        #log file = /usr/local/samba/var/log.%I
        include = /usr/local/samba/etc/smb.conf-%I
        load printers = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.my.tld/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[printers]
        path = /var/spool/samba
        printable = yes
        printing = CUPS

[print$]
        path = /usr/local/samba/var/print$
        comment = Printer Drivers
        writeable = yes

[users]
        path = /home
        read only = no

--
"If we knew what it was we were doing, it would not be called research, would it?"
 - Albert Einstein
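Two things in this thread lend themselves to a mechanical check: Louis's warning that the '*' range and the DOMAIN range "may not overlap", and the cached 'Value: -1:N' entry for S-1-1-0 that Jonathan found with 'net cache list'. The Python script below is an added example written for this page; it is not code from the thread or from the Samba project. It assumes the smb.conf text and the 'net cache list' output are handed to it as strings, and the sample inputs are constructed from the posts above (the second cache line, a positive mapping, is invented for contrast, and the '-1' reading of the value as a cached lookup failure is my interpretation of the thread's output).

```python
"""Added example (not from the thread or from Samba): check the idmap ranges in
an smb.conf for the mistakes discussed above and pick negative SID->ID entries
out of 'net cache list' output."""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# 'idmap config <domain> : <key> = <value>'; spaces around ':' are optional,
# so both 'idmap config *:range = ...' and 'idmap config * : range = ...' match.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+([^\s:]+)\s*:\s*([A-Za-z_]+)\s*=\s*(.+?)$", re.IGNORECASE)

# One 'net cache list' line for an IDMAP/SID2XID entry, in the shape seen in the thread.
CACHE_RE = re.compile(
    r"^Key:\s*IDMAP/SID2XID/(S-[0-9-]+)\s+Timeout:\s*(\S+)\s+Value:\s*(-?\d+):(\S+)$")


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config' settings per domain; commented-out lines are ignored."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3).strip()
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-3999999' -> (10000, 3999999); raises ValueError when malformed."""
    lo, hi = (int(part) for part in text.split("-"))
    if lo > hi:
        raise ValueError(f"range low end above high end: {text}")
    return lo, hi


def check_idmap(smb_conf: str, workgroup: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_idmap(smb_conf)
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}

    if "*" not in cfg:
        findings.append("no 'idmap config *' block for ids outside the domain")
    if workgroup.upper() not in {d.upper() for d in cfg}:
        findings.append(f"no 'idmap config {workgroup}' block (commented out?)")

    for dom, settings in cfg.items():
        rng = settings.get("range")
        if rng is None:
            findings.append(f"{dom}: backend set but no range")
            continue
        try:
            ranges[dom] = parse_range(rng)
        except ValueError:
            findings.append(f"{dom}: malformed range '{rng}'")

    # Every pair of configured ranges must be disjoint.
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            findings.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings


def find_negative_cache_entries(net_cache_output: str) -> List[Tuple[str, str]]:
    """Return (sid, value) for cached SID->XID entries whose id is -1, i.e. a
    cached failure to map that persists until the timeout or a 'net cache flush'."""
    hits: List[Tuple[str, str]] = []
    for line in net_cache_output.splitlines():
        m = CACHE_RE.match(line.strip())
        if m and int(m.group(3)) < 0:
            hits.append((m.group(1), f"{m.group(3)}:{m.group(4)}"))
    return hits


# Sample inputs constructed from the thread (MYDOMAIN/DOMAIN are the posters' placeholders).
JONATHAN_CONF = """\
[global]
        workgroup = MYDOMAIN
        idmap config *:backend = tdb
        idmap config *:range = 9000000-9099999
        #idmap config MYDOMAIN:range = 10000-99999
        #idmap config MYDOMAIN:backend = ad
"""
LOUIS_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-3999999
"""
OVERLAP_CONF = LOUIS_CONF.replace("2000-9999", "2000-20000")  # constructed bad case
CACHE_SAMPLE = """\
Key: IDMAP/SID2XID/S-1-1-0 Timeout: 10:41:35 Value: -1:N
Key: IDMAP/SID2XID/S-1-5-21-1-2-3-1106 Timeout: 10:41:35 Value: 10001:U
"""

if __name__ == "__main__":
    for name, conf, wg in (("Jonathan", JONATHAN_CONF, "MYDOMAIN"),
                           ("Louis", LOUIS_CONF, "DOMAIN"),
                           ("overlap", OVERLAP_CONF, "DOMAIN")):
        print(name, check_idmap(conf, wg) or "ok")
    print("negative cache entries:", find_negative_cache_entries(CACHE_SAMPLE))
```

Run against the sanitised smb.conf above it reports only that the MYDOMAIN block is missing (it is commented out), and Louis's sample passes cleanly; the constructed overlap case trips the pairwise check. On a real host you would feed it the live smb.conf and the output of 'net cache list' instead of the embedded samples.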
Jonathan Hunter
2015-Jun-05 10:41 UTC
[Samba] Added RFC2307 --> Unable to convert SID (S-1-1-0)
From my .bash_history on the schema master DC, effectively:

# sed -e 's/${DOMAINDN}/dc=MYDOMAIN,dc=MY,dc=TLD/g' \
      -e 's/${NETBIOSNAME}/MYDOMAIN/g' \
      -e 's/${NISDOMAIN}/MYDOMAIN/g' \
      /usr/local/samba/share/setup/ypServ30.ldif > ypServ30-JMH.ldif
# service samba4 stop
# ldbmodify -H /usr/local/samba/private/sam.ldb ypServ30-JMH.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
# service samba4 start

On 5 June 2015 at 11:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 05/06/15 10:44, Jonathan Hunter wrote:
>>
>> Hi,
>>
>> I have now added rfc2307 to my domain - I extended the schema, have
>> added UIDs to some (not all yet) of my users and groups, and have my
>> smb.conf with this currently:
>>
>> idmap_ldb:use rfc2307 = yes
>> winbind nss info = rfc2307
>>
>> winbind use default domain = Yes
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind refresh tickets = Yes
>> winbind expand groups = 8
>>
>> #idmap config *:range = 900000-999999
>>
>> This works just fine on one of my DCs, but the other is proving more
>> problematic.
>>
>> See below for more detail on the process, but the issue is that
>> right now, I now have hundreds (thousands) of messages appearing in
>> syslog along the lines of:
>> Unable to convert SID (S-1-1-0) at index 5 in user token to a GID.
>> Conversion was returned as type 0, full token:
>>
>> 'net cache list' confirms:
>> Key: IDMAP/SID2XID/S-1-1-0 Timeout: 10:41:35 Value: -1:N
>>
>> I've uncommented the idmap line above, to no effect.
>>
>> The same config works just fine on the other DC.
>>
>> What can I check next?
>>
>> Thanks,
>>
>> Jonathan
>>
>> I can't explain the initial issues I had on this DC, either. After
>> adding rfc2307, this DC simply wouldn't resolve the new UIDs I had
>> added, despite running "net cache flush". Even when shutting samba
>> down, then running "net cache flush", then starting samba back, I
>> had a very weird time where running "id <user>" was just fine at
>> first, returning the rfc2307-defined UID, but then running the same
>> command a few seconds later, it had reverted back to 3000007!
>>
>> I finally used the following to restart - clearing out the idmap.ldb
>> file - and this seemed to work better, but I still have the issue
>> above:
>> service samba4 stop;net cache flush;rm /usr/local/samba/private/idmap.ldb;service samba4 start
>>
>
> Hi, what do you mean 'I extended the schema' ?
> How did you extend the schema and with what ?
>
>
> Rowland

--
"If we knew what it was we were doing, it would not be called research, would it?"
 - Albert Einstein