OK, interesting debate, but I still can't convert to SID.
I still get messages such as this one:

AUTH-PAM: BACKGROUND: my_conv[0] query='Cannot convert group GROUP to
sid, please contact your administrator to see if group GROUP is
valid.' style=4

# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls succeeded
# wbinfo --ping-dc
checking the NETLOGON for domain[DOMAIN] dc connection to
"dc02.domain.org" succeeded
# net ads info
LDAP server: 10.0.1.5
LDAP server name: dc02.domain.org
Realm: DOMAIN.ORG
Bind Path: dc=DOMAIN,dc=ORG
LDAP port: 389
Server time: Tue, 16 Jun 2020 12:41:24 CEST
KDC server: 10.0.1.5
Server time offset: 0
Last machine account password change: Mon, 15 Jun 2020 11:37:02 CEST

This is my smb.conf file now:

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.ORG
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
; remove when in production:
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
server string = SMB1
pam password change = yes
obey pam restrictions = yes
dos charset = 850
unix charset = ISO8859-1

I shouldn't define "idmap gid = " and "idmap uid = " here, right?

I'm not sure what to try next.

Vieri