Hello,

On an AD domain member, in both Samba versions 4.6.11 and 4.7.3, I'm getting a lot of the following messages:

[2017/12/28 15:54:03.838907, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID msavin is not in a valid format

msavin is my user name:

# wbinfo -n msavin
S-1-5-21-508332004-1178028025-157424832-1273 SID_USER (1)
# wbinfo --lookup-sids S-1-5-21-508332004-1178028025-157424832-1273
S-1-5-21-508332004-1178028025-157424832-1273 -> <none>\mattiasz 1

From smb.conf:

winbind use default domain = true
winbind offline logon = false
disable netbios = yes
winbind trusted domains only = no
allow trusted domains = no

Any reason?

Thank you,
Matt
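As an added illustration (not code from the thread or from Samba itself), a small Python parser for the textual SID format that the log line above complains about. It applies the MS-DTYP structural limits (revision 1, a 48-bit identifier authority, at most 15 32-bit sub-authorities) and returns None for a string that is not a SID at all, such as the bare user name in the message; the revision/authority limits are my assumptions about the format, not a copy of dom_sid_parse_endp().

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Textual SID: S-<revision>-<identifier authority>-<subauth>-...-<subauth>
# Limits below follow the MS-DTYP string form (assumed here; not Samba's parser):
# revision 1, authority < 2^48, at most 15 sub-authorities, each < 2^32.
SID_RE = re.compile(r"[sS]-(\d+)-(\d+)((?:-\d+)*)")
MAX_SUB_AUTHS = 15


@dataclass
class Sid:
    revision: int
    authority: int
    sub_auths: List[int]

    def __str__(self) -> str:
        tail = "".join("-%d" % s for s in self.sub_auths)
        return "S-%d-%d%s" % (self.revision, self.authority, tail)

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the trailing sub-authority, if there is one."""
        return self.sub_auths[-1] if self.sub_auths else None

    def domain(self) -> "Sid":
        """The same SID with the RID stripped, i.e. the domain part."""
        return Sid(self.revision, self.authority, self.sub_auths[:-1])


def parse_sid(text: str) -> Optional[Sid]:
    """Return a Sid for a well-formed string, or None when the text is not a SID
    (for example a plain account name such as 'msavin')."""
    m = SID_RE.fullmatch(text)
    if m is None:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or authority >= 1 << 48:
        return None
    if len(subs) > MAX_SUB_AUTHS or any(s >= 1 << 32 for s in subs):
        return None
    return Sid(revision, authority, subs)


def is_sid(text: str) -> bool:
    """True when the text would be accepted as a SID string."""
    return parse_sid(text) is not None
```

When triaging this kind of log line, running the offending token through such a check tells you immediately whether a name was handed to a SID-parsing path or whether the SID string itself is malformed.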
On Thu, 28 Dec 2017 16:44:26 -0500 Matt Savin via samba <samba at lists.samba.org> wrote:
> [...]

Please post the rest of the [global] part of your smb.conf

What is the DC?

Rowland
First, can you please keep this on list.

On Thu, 28 Dec 2017 20:36:19 -0500 Matt Savin <matt at tegers.com> wrote:
> Rowland,
>
> Thank you for your reply. Below is the global part of the smb.conf file:
>
> [global]
> workgroup = DOMAINNAME
> security = ads
> realm = DOMAINNAME.LOCAL
> kerberos method = secrets and keytab
> kerberos encryption types = all
> dedicated keytab file = /etc/krb5.keytab
>
> nt pipe support = no
>
> netbios name = HOSTNAME
> disable netbios = yes
> local master = no
> smb ports = 445
> dns proxy = no
>
> encrypt passwords = yes
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
>
> idmap config * : range = 16777216-33554431
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DOMAINNAME:backend = ad
> idmap config DOMAINNAME:schema_mode = rfc2307
> idmap config DOMAINNAME:range = 80001-3100000
> idmap config DOMAINNAME:unix_primary_group = yes
> idmap config DOMAINNAME:unix_nss_info = yes
>
> winbind refresh tickets = Yes
> winbind use default domain = true
> winbind trusted domains only = no
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> allow trusted domains = no
>
> inherit permissions = yes
> acl allow execute always = yes
> follow symlinks = yes
> wide links = yes
> unix extensions = no
> hide dot files = no
> map archive = no
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log level = 3
>
> Please let me know if you have any questions.
>
> Thank you,
> Matt

You might as well remove these, they are either default settings, duplicates or plain shouldn't be there.

encrypt passwords = yes
ldap server require strong auth = no
client ldap sasl wrapping = plain
idmap config * : range = 16777216-33554431
winbind trusted domains only = no
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
follow symlinks = yes

These, whilst valid, should really be in shares.

inherit permissions = yes
acl allow execute always = yes
wide links = yes
hide dot files = no
map archive = no

Other than that, there doesn't seem to be anything else wrong, as long as you have given your users a uidNumber containing a unique id inside the 80001-3100000 range, and you have also given them a gidNumber attribute containing a number inside the same range. This gidNumber must be the gidNumber of a group, and this group will be used as the user's primary group instead of Domain Users.

If everything is correct, then you need to search AD for the two names and see what you get.

Rowland
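To make the checks in this reply concrete, here is an added Python example (not from the thread or from Samba) that reads the idmap ranges out of an smb.conf fragment, flags duplicated or overlapping range definitions, and applies the uidNumber/gidNumber rules above to constructed user and group records. The accounts, the group and their attribute values are hypothetical; the range lines are the ones from the posted [global] section.

```python
import re
# Constructed sample: the idmap range lines from this thread's smb.conf, including the
# duplicated '*' range that was flagged; not the poster's actual file.
SMB_CONF = """
idmap config * : range = 16777216-33554431
idmap config *:range = 70001-80000
idmap config DOMAINNAME:range = 80001-3100000
"""
# Constructed RFC2307 attributes for two hypothetical accounts and one group.
USERS = {"msavin": {"uidNumber": 80002, "gidNumber": 80100},
         "mattiasz": {"uidNumber": 70005, "gidNumber": 99999}}
GROUPS = {"linuxusers": {"gidNumber": 80100}}
IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")

def idmap_ranges(conf):
    """Every 'idmap config X:range' per domain; more than one entry means a duplicate."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            ranges.setdefault(m.group(1), []).append((int(m.group(2)), int(m.group(3))))
    return ranges

def check_config(conf):
    """Report duplicated range definitions and ranges that overlap each other."""
    ranges = idmap_ranges(conf)
    problems = [f"duplicate range for '{d}': {rs}" for d, rs in ranges.items() if len(rs) > 1]
    flat = [(d, lo, hi) for d, rs in ranges.items() for lo, hi in rs]
    for i, (d1, lo1, hi1) in enumerate(flat):
        for d2, lo2, hi2 in flat[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems

def check_users(conf, domain, users, groups):
    """Rules from the thread: uidNumber unique and inside the domain range; gidNumber
    inside the range and equal to a group's gidNumber (it becomes the primary group)."""
    (lo, hi), = idmap_ranges(conf)[domain]  # exactly one range expected for the AD domain
    group_gids = {g["gidNumber"] for g in groups.values()}
    seen, report = {}, {}
    for name, attrs in users.items():
        uid, gid, errs = attrs["uidNumber"], attrs["gidNumber"], []
        for label, val in (("uidNumber", uid), ("gidNumber", gid)):
            if not lo <= val <= hi:
                errs.append(f"{label} {val} outside {lo}-{hi}")
        if seen.setdefault(uid, name) != name:
            errs.append(f"uidNumber {uid} also used by {seen[uid]}")
        if gid not in group_gids:
            errs.append(f"gidNumber {gid} is not the gidNumber of any group")
        report[name] = errs
    return report
```

Feeding it the real attributes exported from AD (for example the output of an ldbsearch for uidNumber and gidNumber) turns the "search AD for the two names" step into a repeatable check rather than a manual comparison.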
Rowland,

Sorry for the personal reply: my email default is set to reply to the sender only.

Removing all the lines from smb.conf you suggested didn't resolve the issue; I am still getting the same messages in the log.

I'll have to put back:

winbind enum users = yes
winbind enum groups = yes

because without these lines the commands:

getent passwd
getent group

return only local passwd and group entries; I prefer them to list AD entries also.

Any other suggestions?

Thank you very much for your help,
Matt

On Fri, Dec 29, 2017 at 5:20 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> [...]