ML Wong
2016-Jan-25 17:30 UTC
[Samba] troubleshoot samba - Could not convert sid - problem
Environment: trying to join and set up a simple file share in a sub-domain off an AD forest which operates at 2008R2 forest and domain functional level, while keeping the primary domain for SSH remote logins.

Samba is Version 3.6.23-24.el6_7 running on CentOS 6.7, RPM based.

'net ads join -k', 'net ads keytab list' and 'net testjoin -k' reflected positive results. I can successfully join the forest without any issues. I also ran 'net ads status -k' to verify that the machine account can be queried from the member server.

For example, when I ran 'wbinfo -n DOMAIN2\\user1', I get a SID back without issues. And, based on my privileges in AD, I can verify the SID is equal to what I can see in ADUC. But when I ran 'wbinfo -i DOMAIN\\user1', I always get a "Could not convert sid [the-long-SID] NT_STATUS_NO_SUCH_USER" error in my samba.log (which I specify in my smb.conf). I ran a series of Google searches; most of them pointed out that this is mostly related to an "idmap" mis-configuration. Each time I changed the range for idmap, I would 'net cache flush', '/bin/rm /var/lib/samba/*.tdb', and restart nmb, smb and winbind. But obviously, changing to different ranges does not really help in our environment.

Below is my smb.conf (with fake domain names). Can I ask where I should look for my troubleshooting? Any pointers and opinions will be appreciated.

###
# Global Setting
###
[global]
        realm = DOMAIN2.REGION2.MS.LOCAL
        workgroup = DOMAIN2
        netbios name = FS02
        security = ADS
        kerberos method = secrets and keytab
        encrypt passwords = yes
        #
        idmap config * : backend = tdb
        idmap config * : range = 1000000-9999999

        idmap config DOMAIN2 : base_rid = 1000
        idmap config DOMAIN2 : backend = rid
        idmap config DOMAIN2 : range = 10000-999999
        invalid users = root
        #
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind refresh tickets = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        #
        load printers = no
        printcap name = /dev/null
        #
        # Logging
        #
        log file = /var/log/samba/samba.log
        log level = 9
        max log size = 1048576

###
# Share Definitions
###
[testshare]
        comment = samba cifs share test only
        path = /opt/software
        force group = "@DOMAIN2\sysadmins"
        browsable = no
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0770
        directory mask = 0770
        force directory mode = 0770
        access based share enum = yes
        valid users = "@DOMAIN2\sysadmins"
        admin users = "@DOMAIN2\sysadmins"
        guest ok = no
        hide unreadable = yes
Rowland penny
2016-Jan-25 17:53 UTC
On 25/01/16 17:30, ML Wong wrote:
> [...]

OK, you have this in your smb.conf:

        workgroup = DOMAIN2

You also say <i ran 'wbinfo -n DOMAIN2\\user1', i can get a SID back>, and you also say <i ran 'wbinfo -i DOMAIN\\user1'>.

Is this a typo? If not, I think this is your problem. smb.conf is set up to obtain the info for DOMAIN2 and will ignore DOMAIN as it is not its workgroup.

Rowland
Rowland penny
2016-Jan-26 10:10 UTC
On 26/01/16 00:32, ML Wong wrote:
> Thanks for the pointer, Rowland. But I don't think I have avahi-daemon
> running.
> $ sudo chkconfig --list | grep -i avahi
> $
> Any other thoughts?
>
> thanks,
> Melvin
>

The only other possible problem I can see is 'invalid users = root'; this is meant to be used in a share and you have it in [global].

You could also check what you have in /etc/krb5.conf and whether /etc/resolv.conf points to your AD DC. You could also check if the firewall is running and, if so, whether it is blocking a required port; you could also check selinux.

Rowland
ML Wong
2016-Jan-28 00:15 UTC
Kerberos: I can see the entries once I type 'net ads keytab list', both in the format 'host/*' and as 'hostname$', with different encryption algorithms.

DNS is a good pointer. I did use 'dig' to check all the SRV records (_ldap, _kpasswd, _kerberos, _gc); they all come back with good answers.

SELinux is disabled, and iptables is disabled for my troubleshooting.

Rowland, to your knowledge, as I have debug level 10 turned on, the log excerpt below shows the member server can find the SID from AD, but could not convert the SID to a UID. Am I right? When I did the Google search, it usually means the idmap configuration is out of range. But I really doubt that the range of 10000-9999999 would be a problem. And the thing which puzzles me the most is that "wbinfo -S S-1-5-21-2122386970-1603999544-1328175400-27912" converts the SID fine to 36912 without an error. So why does winbind still complain about converting??

[2016/01/27 16:08:53.952847, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_QueryUser: struct wbint_QueryUser
    in: struct wbint_QueryUser
      sid : *
        sid : S-1-5-21-2122386970-1603999544-1328175400-27912
[2016/01/27 16:08:53.952932, 10] winbindd/winbindd_cache.c:4950(wcache_fetch_ndr)
  Entry has wrong sequence number: 121679380
[2016/01/27 16:08:53.955010, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_QueryUser: struct wbint_QueryUser
    out: struct wbint_QueryUser
      info : *
        info: struct wbint_userinfo
          acct_name : NULL
          full_name : NULL
          homedir : NULL
          shell : NULL
          primary_gid : 0x0000000000000000 (0)
          user_sid : S-0-0
          group_sid : S-0-0
      result : NT_STATUS_NO_SUCH_USER
[2016/01/27 16:08:53.955221, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2122386970-1603999544-1328175400-27912: NT_STATUS_NO_SUCH_USER
[2016/01/27 16:08:53.955264, 10] winbindd/winbindd.c:707(wb_request_done)
  wb_request_done[15036:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2016/01/27 16:08:53.955311, 10] winbindd/winbindd.c:768(winbind_client_response_written)
  winbind_client_response_written[15036:GETPWNAM]: delivered response to client
[2016/01/27 16:08:53.955876, 6] winbindd/winbindd.c:870(winbind_client_request_read)
  closing socket 32, client exited

On Tue, Jan 26, 2016 at 2:10 AM, Rowland penny <rpenny at samba.org> wrote:
> [...]
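The idmap_rid arithmetic behind the first message's smb.conf and the 36912 reported in the message above, as an added example that is not from the thread or from Samba itself. It applies the documented idmap_rid rule (ID = RID - base_rid + low range id) to the thread's DOMAIN2 settings; the domain SID is the one in the log excerpt, the rest is constructed. It shows that RID 27912 lands inside the 10000-999999 range, which is consistent with wbinfo -S succeeding, so a range problem cannot explain the failure.

```python
import re

# idmap settings copied from the smb.conf in the first message
IDMAP_CONFIG = {
    "DOMAIN2": {"backend": "rid", "base_rid": 1000, "range": (10000, 999999)},
    "*": {"backend": "tdb", "range": (1000000, 9999999)},
}
# Domain part of the SID from the log excerpt; the DOMAIN2 name mapping is constructed
DOMAIN_SIDS = {"DOMAIN2": "S-1-5-21-2122386970-1603999544-1328175400"}

# NT domain SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for an NT domain SID; ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return sid.rsplit("-", 1)[0], int(m.group(1))


def rid_to_unix_id(rid, base_rid, low, high):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range,
    which is the case winbind reports as an out-of-range idmap."""
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def expected_unix_id(sid, domain_sids=DOMAIN_SIDS, idmap_config=IDMAP_CONFIG):
    """Predict the ID winbind should hand out for a SID under a rid backend.
    Returns None when the SID belongs to no configured rid domain (it would
    then be allocated by the '*' tdb backend, which is not predictable here)
    or when the rid mapping is out of range."""
    domain_sid, rid = split_sid(sid)
    for name, dsid in domain_sids.items():
        cfg = idmap_config.get(name)
        if dsid == domain_sid and cfg and cfg["backend"] == "rid":
            low, high = cfg["range"]
            return rid_to_unix_id(rid, cfg["base_rid"], low, high)
    return None


if __name__ == "__main__":
    sid = "S-1-5-21-2122386970-1603999544-1328175400-27912"
    print(sid, "->", expected_unix_id(sid))  # 36912, as wbinfo -S reported
```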