On Tue, 2022-01-18 at 11:57 +0000, Dermot via samba wrote:
> Hi
>
>
> *smbd, winbindd Version 4.13.14-Ubuntu 20.4.3 LTS *
>
> I am struggling to get a newly installed AD member server to allow access
> to its shares. I am seeing this error in the connecting host's log file:
> "check_account: Failed to convert SID
> S-1-5-21-4100087049-264025-2419064500-1164
> to a UID (dom_user[MYDOM\auser])"
>
> The log.winbindd-idmap file has this error:
> Error allocating a new GID
> Fatal Error: GID range full!! (max: 7999)
>
> `wbinfo -u` returns a list of users. However `wbinfo -i` gives the
> following warning:
>
> Name : MYDOM
> Alt_Name : mydom.local
> SID : S-1-5-21-4119587049-2642091325-2419064500
> Active Directory : Yes
> Native : Yes
> Primary : Yes
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user auser
>
> Another worrying sign is that `getent passwd auser` returns nothing.
>
> I thought I'd set-up the server correctly following
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> instructions but perhaps I've missed something.
No, you haven't set up your smb.conf correctly.
>
> Can anyone offer any suggestions?
> Thanks in advance,
> Dermot
>
>
> =========
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> load printers = No
> log file = /var/log/samba/log.%m
> logging = file
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> panic action = /usr/share/samba/panic-action %d
> realm = MYDOM.LOCAL
> security = ADS
> server role = member server
> server string = %h server (Samba, Server)
> template shell = /bin/bash
> unix extensions = No
> usershare allow guests = Yes
> winbind use default domain = Yes
> wins server = 192.168.0.134
> workgroup = MYDOM
> idmap config MYDOM.local : range = 100000-999999
> idmap config MYDOM.local : backend = tdb
Where, on the page you linked to, does it say to use the REALM and
'tdb' for the main domain?
> idmap config * : range = 3000-7999
Guess where all your users and groups are?
The other question is, you are showing '.local' as your TLD, if this
isn't sanitisation, then why?
Set your domain lines like this:
idmap config MYDOM : range = 100000-999999
idmap config MYDOM : backend = rid
Rowland
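
The following is an added example, not part of the original thread or of Samba itself: a small Python check that reads the `idmap config` lines of an smb.conf and flags the two problems raised in the reply (a domain name that is not the workgroup, and `tdb` on the main domain), plus overlapping ranges. The function name `check_idmap` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the idmap-related lines from the testparm output quoted above.
SAMPLE = """\
[global]
realm = MYDOM.LOCAL
workgroup = MYDOM
idmap config MYDOM.local : range = 100000-999999
idmap config MYDOM.local : backend = tdb
idmap config * : range = 3000-7999
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)$", re.I)

def check_idmap(conf_text):
    """Return a list of findings for the idmap lines of an smb.conf (hypothetical helper)."""
    workgroup, domains = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("workgroup"):
            workgroup = line.split("=", 1)[1].strip()
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    findings, ranges = [], {}
    for name, opts in domains.items():
        if "range" in opts:
            lo, hi = map(int, opts["range"].split("-"))
            ranges[name] = (lo, hi)
        if name == "*":
            continue  # the default domain is checked only for range overlap
        if workgroup and name.upper() != workgroup.upper():
            findings.append(f"'{name}' is not the workgroup '{workgroup}'; "
                            "IDs are allocated from the '*' range instead")
        if opts.get("backend", "").lower() == "tdb":
            findings.append(f"'{name}' uses backend tdb; the reply suggests rid")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE):
        print("WARN:", finding)
```
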