Dania Ramirez Moya
2016-Feb-17 21:47 UTC
[Samba] samba4 file server 4.3.0 authenticating against Samba4 4.1.7 AD DC
Hello list:
I recently installed and configured a samba4 file server. I added it to the domain
successfully, then configured shares, but I couldn't access the shares.
I provisioned the Samba AD DC without rfc2307. The log.samba says:
[2016/02/17 16:09:04.653139, 0]
../source4/auth/unix_token.c:107(security_token_to_unix_token)
*Unable to convert SID (S-1-5-32-554) at index 7 in user token to a GID. *
*Conversion was returned as type 0, full token:*
[2016/02/17 16:09:04.653236, 0]
../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (9):
SID[ 0]: S-1-5-21-1345859412-382380422-3804354134-1115
SID[ 1]: S-1-5-21-1345859412-382380422-3804354134-513
SID[ 2]: S-1-5-21-1345859412-382380422-3804354134-512
SID[ 3]: S-1-5-21-1345859412-382380422-3804354134-572
SID[ 4]: S-1-1-0
SID[ 5]: S-1-5-2
SID[ 6]: S-1-5-11
SID[ 7]: S-1-5-32-554
SID[ 8]: S-1-5-32-545
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight
[2016/02/17 16:09:05.023896, 3]
../source4/smb_server/tcon.c:106(smbsrv_tcon_destructor)
ipv4:192.168.17.3:50088 closed connection to service IPC$
This is my smb.conf:
samba4 dc# Global parameters
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.TEST
netbios name = COPERNICO
server services = +smb
password server = atlantis.mydomain.test
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#dmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN = 3000000-4000000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
log level = 3
domain logons = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
####################shares###################################################
[usuarios]
path = /home/salvas/usuarios
read only = no
browseable = yes
valid users = "@MYDOMAIN\domain admins"
I would appreciate any help.
Best Regards
Rowland Penny
2016-Feb-17 22:11 UTC
[Samba] samba4 file server 4.3.0 authenticating against Samba4 4.1.7 AD DC
On 17/02/16 21:47, Dania Ramirez Moya wrote:
> Hello list:
> I recently installed and configured a samba4 file server. I added it to the domain
> successfully, then configured shares, but I couldn't access the shares.
> I provisioned the Samba AD DC without rfc2307.

Why didn't you provision with rfc2307? Go here:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Set up your Samba AD DC with rfc2307.

> The log.samba says:
>
> [2016/02/17 16:09:04.653139, 0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
> *Unable to convert SID (S-1-5-32-554) at index 7 in user token to a GID. *
> *Conversion was returned as type 0, full token:*
> [2016/02/17 16:09:04.653236, 0]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (9):
> SID[ 0]: S-1-5-21-1345859412-382380422-3804354134-1115
> SID[ 1]: S-1-5-21-1345859412-382380422-3804354134-513
> SID[ 2]: S-1-5-21-1345859412-382380422-3804354134-512
> SID[ 3]: S-1-5-21-1345859412-382380422-3804354134-572
> SID[ 4]: S-1-1-0
> SID[ 5]: S-1-5-2
> SID[ 6]: S-1-5-11
> SID[ 7]: S-1-5-32-554
> SID[ 8]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
> [2016/02/17 16:09:05.023896, 3]
> ../source4/smb_server/tcon.c:106(smbsrv_tcon_destructor)
> ipv4:192.168.17.3:50088 closed connection to service IPC$
>
> This is my smb.conf:
>
> samba4 dc# Global parameters
> [global]
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.TEST
> netbios name = COPERNICO
> server services = +smb
> password server = atlantis.mydomain.test
>
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #dmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN = 3000000-4000000
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> log level = 3
> domain logons = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> ####################shares###################################################
>
> [usuarios]
>
> path = /home/salvas/usuarios
> read only = no
> browseable = yes
> valid users = "@MYDOMAIN\domain admins"
>

Is the above smb.conf from a DC or a domain member? Either way it is wrong. If it is from a domain member, go here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Read the page and follow the links and set up the domain member correctly.

If the above smb.conf is from a DC, I would suggest you start again, but this time use rfc2307, see here for DC instructions:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Rowland
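Added example, not part of the thread and not Samba code: a small Python check of the `idmap config` lines in the posted smb.conf, assuming the documented `idmap config DOMAIN : option = value` form. `lint_idmap` and `SAMPLE_CONF` are names made up here, and the sample is constructed from the lines quoted in the first message.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf posted in the thread.
SAMPLE_CONF = """\
[global]
security = ADS
workgroup = MYDOMAIN
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#dmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN = 3000000-4000000
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(.*?)\s*=\s*(.*)$", re.I)

def lint_idmap(conf_text):
    """Return (domains, problems) for the 'idmap config' lines of an smb.conf."""
    domains, problems = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # comments are ignored, typos included
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if ":" not in key:                   # e.g. "idmap config MYDOMAIN = ..."
            problems.append(f"line {lineno}: no ':option' after domain in {line!r}")
            continue
        domain, option = (p.strip() for p in key.split(":", 1))
        domains.setdefault(domain.upper(), {})[option.lower()] = value
    ranges = []
    for domain, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{domain}: no backend set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{domain}: missing or invalid range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), domain))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:                       # ID ranges of two domains must not overlap
            problems.append(f"{d1} and {d2}: overlapping ranges")
    return domains, problems

if __name__ == "__main__":
    for problem in lint_idmap(SAMPLE_CONF)[1]:
        print(problem)
```

On the sample it reports the MYDOMAIN line as malformed, which leaves only the `*` default domain with a backend and range.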