Francesco Malvezzi
2018-Apr-03 08:51 UTC
[Samba] Could not convert sid: NT_STATUS_NO_SUCH_USER
On 21/02/18 16:20, L.P.H. van Belle wrote:
> Hai,
>
> Thank you for having trust in my packages.. :-)
> Now if you use my package, I suggest, do read the howto's also...
> All you need for a good setup on debian stretch is there.
> If anyone finds/sees improvements, please tell me... Or change it on github, that's why it's there.
>
> First, is this an upgraded domain? Or a new domain?
>
> What does `getent passwd username` tell you.
> Same for `id username`
>
> I would try the following.
> Run: net cache flush and try again, if that does not work then check the next..
>
> Review your config based on this member howto.
> https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
> That is a 100% working setup for stretch, if you did use it, then you missed something.
> .. You are missing some things in your smb.conf..
>
> Like (optional)
> idmap config NTDOM : unix_nss_info = yes
>
> # set this one and run net cache flush again.
>
> And
> # User Administrator workaround, without it you are unable to set privileges
> # !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
> # If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
> username map = /etc/samba/samba_usermapping

Well, I have been working on this issue quite a bit, lately.

The working recipe for me was:
1) configure sssd to fetch users from AD;
2) configure winbind to fetch sid/uid and sid/gid mappings from nss (with idmap_nss);
3) provide group 'domain users' with a valid gidNumber: it looks like the prescription from idmap_ad "Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set." holds for idmap_nss as well.

If you plan to use sssd on Debian, beware of:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772695 (workaround: compile samba on your own).

ciao,
Francesco
On Tue, 3 Apr 2018 10:51:09 +0200 Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> On 21/02/18 16:20, L.P.H. van Belle wrote:
> > Hai,
> >
> > Thank you for having trust in my packages.. :-)
> > Now if you use my package, I suggest, do read the howto's also...
> > All you need for a good setup on debian stretch is there.
> > If anyone finds/sees improvements, please tell me... Or change it
> > on github, that's why it's there.
> >
> > First, is this an upgraded domain? Or a new domain?
> >
> > What does `getent passwd username` tell you.
> > Same for `id username`
> >
> > I would try the following.
> > Run: net cache flush and try again, if that does not work then
> > check the next..
> >
> > Review your config based on this member howto.
> > https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
> > That is a 100% working setup for stretch, if you did use it, then
> > you missed something. .. You are missing some things in your
> > smb.conf..
> >
> > Like (optional)
> > idmap config NTDOM : unix_nss_info = yes
> >
> > # set this one and run net cache flush again.
> >
> > And
> > # User Administrator workaround, without it you are unable
> > to set privileges
> > # !Note: When using the AD ID mapping back end,
> > do not set the uidNumber attribute for the domain administrator
> > account.
> > # If the account has the attribute set, the value
> > overrides the local UID 0 of the root user and thus the mapping
> > fails.
> > username map = /etc/samba/samba_usermapping
>
> Well, I have been working on this issue quite a bit, lately.
>
> The working recipe for me was:
> 1) configure sssd to fetch users from AD;

winbind will do this as well, provided the correct info is in AD.

> 2) configure winbind to fetch sid/uid and sid/gid mappings from nss
> (with idmap_nss);

Do you have users & groups in /etc/passwd & /etc/group that are also in AD? I ask this because idmap_nss maps Unix users & groups (i.e. those in /etc/passwd & /etc/group) to users & groups in AD.

> 3) provide group 'domain users' with a valid gidNumber:

And that was your problem all along, Domain Users must have a gidNumber attribute if you want to use the winbind 'ad' backend.

> it looks like the
> prescription from idmap_ad "Winbind will only map users that have a
> uidNumber and whose primary group have a gidNumber attribute set."
> holds for idmap_nss as well.
>
> If you plan to use sssd on Debian, beware of:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772695 (workaround:
> compile samba on your own).
>

That is a 3 year old bug report, a lot has changed in Samba since then, mind you I wouldn't use sssd anyway, you do not need it.

Rowland
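As an added illustration (not code from this thread or from Samba), here is a small Python check of the idmap_ad rule Rowland and Francesco discuss: a user is mapped only if it has uidNumber and its primary group (found through primaryGroupID, which is the group's RID; Domain Users is RID 513) has gidNumber. The domain SID, accounts and attribute values are constructed for the demonstration.

```python
"""Check which AD users the winbind 'ad' backend can map, using the
idmap_ad rule: user needs uidNumber, its primary group needs gidNumber.
Added example with constructed records, not a dump of a real directory."""

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID

# Constructed AD objects, reduced to the LDAP attributes that matter here.
USERS = [
    {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1105",
     "uidNumber": 10001, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "objectSid": DOMAIN_SID + "-1106",
     "primaryGroupID": 513},                      # no uidNumber at all
    {"sAMAccountName": "carol", "objectSid": DOMAIN_SID + "-1107",
     "uidNumber": 10003, "primaryGroupID": 1200},
]
GROUPS = [
    # Domain Users (RID 513) without gidNumber: the situation in the thread
    {"sAMAccountName": "Domain Users", "objectSid": DOMAIN_SID + "-513"},
    {"sAMAccountName": "linux-admins", "objectSid": DOMAIN_SID + "-1200",
     "gidNumber": 20001},
]

def rid(sid: str) -> int:
    """Relative identifier: the last component of an objectSid."""
    return int(sid.rsplit("-", 1)[1])

def index_groups_by_rid(groups):
    return {rid(g["objectSid"]): g for g in groups}

def check_mapping(user, groups_by_rid):
    """Return (ok, reason); ok is True when idmap_ad can map the user."""
    name = user["sAMAccountName"]
    if "uidNumber" not in user:
        return False, f"{name}: missing uidNumber"
    group = groups_by_rid.get(user["primaryGroupID"])
    if group is None:
        return False, f"{name}: primary group RID {user['primaryGroupID']} not found"
    if "gidNumber" not in group:
        return False, f"{name}: primary group '{group['sAMAccountName']}' has no gidNumber"
    return True, f"{name} -> uid {user['uidNumber']} gid {group['gidNumber']}"

def unmappable_users(users=USERS, groups=GROUPS):
    """Reasons for every user winbind would report as NT_STATUS_NO_SUCH_USER."""
    by_rid = index_groups_by_rid(groups)
    return [why for ok, why in (check_mapping(u, by_rid) for u in users) if not ok]

def fix_domain_users(groups=GROUPS, gid=10513):
    """Copy of the groups with Domain Users (RID 513) given a gidNumber."""
    fixed = [dict(g) for g in groups]
    for g in fixed:
        if rid(g["objectSid"]) == 513 and "gidNumber" not in g:
            g["gidNumber"] = gid
    return fixed
```

Running `unmappable_users()` before and after `fix_domain_users()` shows that giving Domain Users a gidNumber repairs alice but cannot help bob, who has no uidNumber of his own.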
Francesco Malvezzi
2018-Apr-03 11:30 UTC
[Samba] Could not convert sid: NT_STATUS_NO_SUCH_USER
>> Well, I have been working on this issue quite a bit, lately.
>>
>> The working recipe for me was:
>> 1) configure sssd to fetch users from AD;
>
> winbind will do this as well, provided the correct info is in AD.

yes, thank you,

>> 2) configure winbind to fetch sid/uid and sid/gid mappings from nss
>> (with idmap_nss);
>
> Do you have users & groups in /etc/passwd & /etc/group that are also in
> AD? I ask this because idmap_nss maps Unix users & groups (i.e. those
> in /etc/passwd & /etc/group) to users & groups in AD.

Just one of them. There is a single unix user from /etc/passwd which is mirrored in AD.

>> 3) provide group 'domain users' with a valid gidNumber:
>
> And that was your problem all along, Domain Users must have a gidNumber
> attribute if you want to use the winbind 'ad' backend.

yes, checked with idmap_ad and it works now.

>> it looks like the
>> prescription from idmap_ad "Winbind will only map users that have a
>> uidNumber and whose primary group have a gidNumber attribute set."
>> holds for idmap_nss as well.
>>
>> If you plan to use sssd on Debian, beware of:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772695 (workaround:
>> compile samba on your own).
>>
>
> That is a 3 year old bug report, a lot has changed in Samba since then,
> mind you I wouldn't use sssd anyway, you do not need it.

Your work is great. By the way: with samba-4.8.0 I liked a lot that a working winbindd is required. Till now we leveraged the fact that we have all users stemming from a single OpenLDAP server, either syncrepl-ed to the samba NT domains or replicated via lsc to the samba AD domains. When linux servers got nss working with OpenLDAP, uidNumbers magically matched with samba and it often took me time to recall how it was possible, because nothing was explicit. Now we have to run winbind, and either through idmap_nss or idmap_ad the configuration files clearly explain what is happening.

thank you,
Francesco