Rowland Penny
2022-Feb-18 13:07 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
On Fri, 2022-02-18 at 15:39 +0300, Michael Tokarev via samba wrote:
> 18.02.2022 15:32, Peter Eriksson via samba wrote:
> > After upgrading our Sambas to 4.15.5 I'm seeing a _lot_ of errors
> > in the log files about:
> >
> > Feb 18 13:30:13 filur01 smbd_audit[17892]: [2022/02/18 13:30:13.204710, 0] ../../source3/auth/auth_util.c:1928(check_account)
> > Feb 18 13:30:13 filur01 smbd_audit[17892]: check_account: Failed to convert SID S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\iei-mvs-z-1$])
>
> This - at least, maybe there are other cases - happens when you have AD,
> idmap backend = ad, and idmap schema_mode = rfc2307, where you used
> uidNumber for the unix user id (uid), AND uidNumber attribute is missing
> in your data.
>
> For this to work, you have to have local users of the same name as the
> AD ones. Which, as I've been told here (without any explanation), should
> not be done.

If you look carefully at the 'usernames' posted, they all end with '$'. This means that they are not normal users, they are in fact computers. A computer is a user with an extra objectclass and a different primaryGroupID, so you have two options here: either add a uidNumber to the computer's object, or just ignore the log messages.

I thought I had explained why you cannot have a local user and a domain user with the same name, but here goes, let's try again.

If you do have a user in /etc/passwd and AD with the same name, then depending on how /etc/nsswitch is configured, locally one will be used and one will be ignored. Samba will always attempt to use the one from AD, but if the AD user is unknown to the OS, you will get 'denied' errors. Even if the same username is used locally and in AD, they will be different users.

Rowland
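The distinction Rowland draws (a trailing '$' marks a computer account, whose missing uidNumber can be ignored, while a real user failing the same SID-to-UID conversion needs a uidNumber added in AD) is easy to apply mechanically to a log file. The following triage script is an added example, not code from the thread or from Samba; it parses the exact smbd_audit message format quoted above and splits the failing accounts into computers and users. The log lines embedded in it are constructed for the example (the first two reuse the SID and account from the thread, the `jdoe` entry and its RID are invented), and the function names are my own.

```python
import re
from collections import Counter

# Regex for the smbd_audit line quoted in the thread. Only the SID and the
# dom_user[...] value vary; the rest is fixed text emitted by check_account().
_FAIL_RE = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-5-21-[\d-]+) "
    r"to a UID \(dom_user\[(?P<acct>[^\]]+)\]\)"
)

# Constructed sample log, modelled on the lines posted by Peter Eriksson.
# The computer line appears twice to show that repeats are counted, and the
# 'jdoe' line (RID 1105) is invented to show the real-user case.
SAMPLE_LOG = [
    "Feb 18 13:30:13 filur01 smbd_audit[17892]: [2022/02/18 13:30:13.204710, 0] "
    "../../source3/auth/auth_util.c:1928(check_account)",
    "Feb 18 13:30:13 filur01 smbd_audit[17892]: check_account: Failed to convert SID "
    "S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\\iei-mvs-z-1$])",
    "Feb 18 13:31:02 filur01 smbd_audit[17901]: check_account: Failed to convert SID "
    "S-1-5-21-797717765-1715453426-19741283-1903186 to a UID (dom_user[AD\\iei-mvs-z-1$])",
    "Feb 18 13:32:45 filur01 smbd_audit[17910]: check_account: Failed to convert SID "
    "S-1-5-21-797717765-1715453426-19741283-1105 to a UID (dom_user[AD\\jdoe])",
    "Feb 18 13:33:00 filur01 smbd_audit[17910]: smbd_audit: connect to service homes",
]


def parse_failure(line):
    """Return (sid, domain, sAMAccountName) for a check_account failure, else None."""
    m = _FAIL_RE.search(line)
    if not m:
        return None
    # dom_user is DOMAIN\name; rpartition tolerates a missing domain prefix.
    domain, _, sam = m.group("acct").rpartition("\\")
    return m.group("sid"), domain, sam


def is_computer_account(sam):
    """Computer objects in AD carry a sAMAccountName ending in '$'."""
    return sam.endswith("$")


def triage(lines):
    """Split failing accounts into computers (no uidNumber is expected) and
    users (a uidNumber must be added in AD for idmap backend = ad)."""
    computers, users = Counter(), Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        sid, domain, sam = parsed
        key = f"{domain}\\{sam} ({sid})"
        (computers if is_computer_account(sam) else users)[key] += 1
    return {"computers": dict(computers), "users": dict(users)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Computer accounts (ignorable unless you want them mapped):")
    for acct, n in result["computers"].items():
        print(f"  {n:4d}  {acct}")
    print("User accounts missing uidNumber (need fixing in AD):")
    for acct, n in result["users"].items():
        print(f"  {n:4d}  {acct}")
```

Run it against a real `journalctl -u smbd` or syslog extract by replacing `SAMPLE_LOG` with the file's lines; anything that lands in the "users" bucket is a genuine idmap gap, while the "computers" bucket is the noise Rowland describes.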
Michael Tokarev
2022-Feb-19 16:59 UTC
[Samba] 4.15.5: Lot's of errors from smbd_audit about "check_account: Failed to convert SID..."
18.02.2022 16:07, Rowland Penny via samba wrote:
[]
> I thought I had explained why you cannot have a local user and a domain
> user with the same name, but here goes, let's try again.

Nope, you did not.

> If you do have a user in /etc/passwd and AD with the same name, then
> depending on how /etc/nsswitch is configured, locally one will be used
> and one will be ignored. Samba will always attempt to use the one from
> AD, but if the AD user is unknown to the OS, you will get 'denied'
> errors. Even if the same username is used locally and in AD, they will
> be different users.

Samba *deliberately* (or due to a bug) makes the "two" users (one listed in /etc/passwd and one listed in AD) to be different, and only when doing uid->SID mapping. And the question why it does that is not answered.

Thanks,

/mjt