Gyrfalcon
2021-Nov-07 14:45 UTC
[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID
On Sunday, November 7th, 2021 at 8:22 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> You say this is being caused by a Unix domain member, so can we see the
> smb.conf from this ?

It happens to all of my member servers. They are all configured the same though:

```
[global]
    workgroup = PYROCUFFLINK
    realm = PYROCUFFLINK.BLUE
    security = ads
    printing = bsd
    printcap name = /dev/null
    load printers = no
    guest account = nobody
    map to guest = Bad User
    template homedir = /home/%U
    template shell = /bin/bash
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1000999
    idmap config PYROCUFFLINK : backend = ad
    idmap config PYROCUFFLINK : range = 3000000-3009999
    idmap config PYROCUFFLINK : unix_nss_info = yes
    kerberos method = secrets and keytab
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind offline logon = yes
    winbind refresh tickets = no
    client ldap sasl wrapping = seal
    dns proxy = no
    domain master = no
    local master = no
    preferred master = no
    os level = 0
```

Using the `ad` idmap backend, so all the user and group accounts that need to log in to these machines have uidNumber/gidNumber attributes, including Domain Users group.
Gyrfalcon
2021-Nov-07 15:35 UTC
[Samba] Samba DC: Unable to convert first SID / NT_STATUS_INVALID_SID
It turns out I missed the step of [synchronizing idmap.ldb][1] from the original DC to the new DC. Once I did that, the errors have gone away and members now work correctly when communicating with the new DC.

That does raise a question, though. I plan to decommission the old DC. Once I do that, will the new DC be able to allocate new UID numbers in its own idmap.ldb? I am not sure I understand why sid_to_xid was returning NT_STATUS_NONE_MAPPED instead of just allocating a new UID for computer accounts.

[1]: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
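
Added example, not part of the original thread and not Samba's own tooling: a Python check that compares the SID-to-ID mappings of two DCs, given LDIF dumps of each `idmap.ldb`, to confirm the synchronization step took effect. The record layout (`cn` holding the SID, plus `xidNumber` and `type`) is an assumption about the dump format, and the sample dumps are constructed.

```python
import re

def parse_idmap_ldif(text):
    """Return {sid: (xid, id_type)} from LDIF text of an idmap.ldb dump."""
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs[key.strip()] = value.strip()
        # Records whose cn is not a SID (CN=CONFIG in the sample) hold no mapping.
        sid = attrs.get("cn", "")
        if sid.startswith("S-1-") and "xidNumber" in attrs:
            mappings[sid] = (int(attrs["xidNumber"]), attrs.get("type", ""))
    return mappings

def compare_idmaps(reference, candidate):
    """Report how the candidate DC's mappings differ from the reference DC's."""
    missing = sorted(s for s in reference if s not in candidate)
    extra = sorted(s for s in candidate if s not in reference)
    mismatched = {s: (reference[s], candidate[s])
                  for s in reference
                  if s in candidate and reference[s] != candidate[s]}
    return {"missing": missing, "mismatched": mismatched, "extra": extra}

def sample_ldif(pairs):
    """Build constructed sidMap records for the demonstration below."""
    return "\n\n".join(
        f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\n"
        f"type: ID_TYPE_BOTH\nxidNumber: {xid}" for sid, xid in pairs)

# Constructed sample dumps: the new DC allocated its own IDs before any sync.
CONFIG = "dn: CN=CONFIG\ncn: CONFIG\nxidNumber: 3000003\n\n"
OLD_DC = CONFIG + sample_ldif([("S-1-5-32-544", 3000000),
                               ("S-1-5-32-549", 3000001),
                               ("S-1-5-18", 3000002)])
NEW_DC = CONFIG + sample_ldif([("S-1-5-32-544", 3000001),
                               ("S-1-5-32-549", 3000000),
                               ("S-1-5-11", 3000002)])

if __name__ == "__main__":
    report = compare_idmaps(parse_idmap_ldif(OLD_DC), parse_idmap_ldif(NEW_DC))
    for kind, entries in report.items():
        print(kind, entries)
```

An empty report in all three categories means both DCs resolve every mapped SID to the same ID.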