Michael Tokarev
2022-Feb-18 12:39 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
18.02.2022 15:32, Peter Eriksson via samba wrote:
> After upgrading our Sambas to 4.15.5 I'm seeing a _lot_ of errors in the log files about:
>
> Feb 18 13:30:13 filur01 smbd_audit[17892]: [2022/02/18 13:30:13.204710, 0] ../../source3/auth/auth_util.c:1928(check_account)
> Feb 18 13:30:13 filur01 smbd_audit[17892]: check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\iei-mvs-z-1$])

This - at least, maybe there are other cases - happens when you have AD, idmap backend = ad, and idmap schema_mode = rfc2307, where you used uidNumber for the unix user id (uid), AND the uidNumber attribute is missing in your data.

For this to work, you have to have local users of the same name as the AD ones. Which, as I've been told here (without any explanation), should not be done.

..
> Things _seem_ to work fine for our users and I can patch away the DBG_ERR message but I'm curious if this is an indication of something more problematic?
> - DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
> + DBG_DEBUG("Failed to convert SID %s to a UID (dom_user[%s])\n",

For my setup I definitely prefer this very message to stay at ERROR level.

Thanks,

/mjt
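Review bot: the DBG_ERR to DBG_DEBUG change demotes the message for every SID-to-UID failure, not only for the computer accounts (names ending in '$', as in the quoted log line) that are flooding the log; for an ordinary user the same failure is what precedes an access denial, and at DEBUG it would no longer appear at the default log level. Suggest keeping DBG_ERR and lowering the level only when the account name ends in '$', or rate-limiting the message, instead of demoting it unconditionally.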
Christian Naumer
2022-Feb-18 13:04 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
On 18.02.22 at 13:39, Michael Tokarev via samba wrote:
> This - at least, maybe there are other cases - happens when you have AD,
> idmap backend = ad, and idmap schema_mode = rfc2307, where you used
> uidNumber for the unix user id (uid), AND uidNumber attribute is missing
> in your data.
>
> For this to work, you have to have local users of the same name as the
> AD ones. Which, as I've been told here (without any explanation), should
> not be done.

You can also give every computer in your AD a UID or use the RID backend. But as said in my other post, you can ignore those messages.

Regards
Christian

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Registration court: AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen
Rowland Penny
2022-Feb-18 13:07 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
On Fri, 2022-02-18 at 15:39 +0300, Michael Tokarev via samba wrote:
> 18.02.2022 15:32, Peter Eriksson via samba wrote:
> > After upgrading our Sambas to 4.15.5 I'm seeing a _lot_ of errors
> > in the log files about:
> >
> > Feb 18 13:30:13 filur01 smbd_audit[17892]: [2022/02/18
> > 13:30:13.204710, 0]
> > ../../source3/auth/auth_util.c:1928(check_account)
> > Feb 18 13:30:13 filur01 smbd_audit[17892]: check_account: Failed
> > to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a
> > UID (dom_user[AD\iei-mvs-z-1$])
>
> This - at least, maybe there are other cases - happens when you have
> AD,
> idmap backend = ad, and idmap schema_mode = rfc2307, where you used
> uidNumber for the unix user id (uid), AND uidNumber attribute is
> missing
> in your data.
>
> For this to work, you have to have local users of the same name as
> the
> AD ones. Which, as I've been told here (without any explanation),
> should
> not be done.

If you look carefully at the 'usernames' posted, they all end with '$'. This means that they are not normal users, they are in fact computers. A computer is a user with an extra objectclass and a different primaryGroupID, so you have two options here: either add a uidNumber to the computer's object, or just ignore the log messages.

I thought I had explained why you cannot have a local user and a domain user with the same name, but here goes, let's try again. If you do have a user in /etc/passwd and AD with the same name, then depending on how /etc/nsswitch is configured, locally one will be used and one will be ignored. Samba will always attempt to use the one from AD, but if the AD user is unknown to the OS, you will get 'denied' errors. Even if the same username is used locally and in AD, they will be different users.

Rowland
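Christian's and Rowland's posts both come down to the same two facts: the failing names end in '$', so they are computer accounts, and the remedy is either to give the computer objects a uidNumber or to ignore the message. The script below is an added example for this thread, not Samba's code and not from any of the posters. It parses check_account lines of the format quoted above, separates machine accounts (ignorable, per the thread) from user accounts (a real idmap problem worth investigating), counts repeats so the volume behind the console flood is visible, and emits the LDIF that would add a uidNumber to each computer object. The first sample line copies the thread's format; the remaining log lines are constructed, and the base DN, the CN=Computers container and the uidNumber range are assumptions for illustration.

```python
"""Triage 'check_account: Failed to convert SID ... to a UID' lines from smbd.

Added example for this thread, not Samba project code.  Machine accounts
(sAMAccountName ending in '$') are separated from user accounts, repeats are
counted, and an LDIF adding uidNumber to the computer objects is generated.
The base DN, the CN=Computers container and the uidNumber range are
assumptions; check them against your directory layout and
'idmap config <DOM> : range' before applying anything.
"""
import re
from collections import Counter

# Constructed sample: the first log line copies the format quoted in the
# thread; the other RIDs and account names are made up for the example.
SAMPLE_LOG = r"""Feb 18 13:30:13 filur01 smbd_audit[17892]: [2022/02/18 13:30:13.204710, 0] ../../source3/auth/auth_util.c:1928(check_account)
Feb 18 13:30:13 filur01 smbd_audit[17892]: check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\iei-mvs-z-1$])
Feb 18 13:30:14 filur01 smbd_audit[17893]: check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-2001 to a UID (dom_user[AD\lab-pc-07$])
Feb 18 13:30:15 filur01 smbd_audit[17894]: check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1105 to a UID (dom_user[AD\jdoe])
Feb 18 13:30:16 filur01 smbd_audit[17895]: check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\iei-mvs-z-1$])
"""

# Matches the message body that smbd logs from check_account().
LINE_RE = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-5-21(?:-\d+)+) to a UID "
    r"\(dom_user\[(?P<name>[^\]]+)\]\)"
)


def parse_failures(log_text):
    """Return one dict per matching line: sid, rid, domain, account, is_machine."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # the "[ts, 0] ../../source3/..." prefix lines carry no SID
        domain, _, account = m.group("name").rpartition("\\")
        failures.append({
            "sid": m.group("sid"),
            "rid": int(m.group("sid").rsplit("-", 1)[1]),
            "domain": domain,
            "account": account,
            "is_machine": account.endswith("$"),  # computer objects end in '$'
        })
    return failures


def triage(log_text):
    """Return (machine_counts, user_counts) as Counters of account -> hits."""
    machines, users = Counter(), Counter()
    for f in parse_failures(log_text):
        (machines if f["is_machine"] else users)[f["account"]] += 1
    return machines, users


def log_level_for(account):
    """Peter's proposed refinement of his patch: keep ERR for real users and
    drop to DEBUG only for machine principals."""
    return "DEBUG" if account.endswith("$") else "ERR"


def uidnumber_ldif(machine_accounts, base_dn, first_uid, range_end):
    """Build an LDIF that adds uidNumber to each computer object, allocating
    sequentially from first_uid.  Assumes the computers live under
    CN=Computers,<base_dn> (adjust for OUs) and that the numbers are unused
    and inside the idmap range; idmap_ad ignores values outside the range."""
    entries = []
    uid = first_uid
    for acct in sorted(machine_accounts):
        if uid > range_end:
            raise ValueError("uidNumber allocation exceeds the idmap range")
        cn = acct[:-1] if acct.endswith("$") else acct  # CN has no trailing '$'
        entries.append(
            f"dn: CN={cn},CN=Computers,{base_dn}\n"
            "changetype: modify\n"
            "add: uidNumber\n"
            f"uidNumber: {uid}\n"
        )
        uid += 1
    return "\n".join(entries)


if __name__ == "__main__":
    machines, users = triage(SAMPLE_LOG)
    print("machine accounts (ignorable):", dict(machines))
    print("user accounts (investigate):", dict(users))
    # Hypothetical base DN and range for the demonstration.
    print(uidnumber_ldif(machines, "DC=ad,DC=example,DC=com", 3000000, 3999999))
```

Apply the generated LDIF against a domain controller with ldbmodify or ldapmodify; with idmap backend = ad and schema_mode = rfc2307, winbind reads uidNumber straight from the object, so the message stops for that computer once the attribute exists and falls inside the configured range. Any account that turns up in the user list, rather than the machine list, is the case Rowland describes where a real user will be denied, and should be fixed rather than silenced.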
Peter Eriksson
2022-Feb-19 00:11 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
> You can also give every computer in your AD a UID or use the RID backend. But as said in my other post, you can ignore those messages.

Yeah, I figured it was about the computer accounts.

> ..
>> Things _seem_ to work fine for our users and I can patch away the DBG_ERR message but I'm curious if this is an indication of something more problematic?
>> - DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
>> + DBG_DEBUG("Failed to convert SID %s to a UID (dom_user[%s])\n",
>
> For my setup I definitely prefer this very message to stay at ERROR level.

Yeah, I probably would have ignored them too if it wasn't for the little problem that they were absolutely bombarding my console with errors, since one of the servers typically has around 1600-2000 computers concurrently connected at any one time during daytime. And with the console on a serial (IPMI) port the amount of errors caused some serial kernel buffers to fill up, and eventually the machine locked up...

(I've now changed the syslog config to not send LOG_ERR to the console and will probably add my little patch to the small list of patches I always apply to new Samba releases anyway. Might modify it to print at ERR if non-machine principals though :-)

Adding uidNumbers to all our machine accounts is something we've been thinking about doing too, but that'll have to wait for some other day.

- Peter