Sabolowitsch, Stefan
2022-May-09 14:05 UTC
[Samba] check_account: Failed to convert SID to a UID
Hi there,
get this error message when accessing a share.
# check_account: Failed to find local account with UID 663 for SID
S-1-5-21-3855358086-4131983242-2739128174-31637 (dom_user
I have a SLES 15 SP3 with this Samba Config.
[global]
workgroup = TEST
realm = TEST.LOCAL
security = ADS
preferred master = no
encrypt passwords = yes
log level = 0
log file = /var/log/samba/%m
max log size = 100
max open files = 8000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
idmap uid = 600-20000
idmap gid = 600-20000
template homedir = /home/%D/%U
usershare allow guests = No
winbind refresh tickets = yes
template shell = /bin/bash
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
username map = /etc/samba/mapfile
client min protocol = SMB2
client max protocol = SMB3
[inb]
comment = Inbetriebnahme
path = /u1/inb
valid users = "@TEST.LOCAL\Domain Users"
write list = "@TEST.LOCAL\FS_SWLIEF_inb_RWXD", "@TEST.LOCAL\Domain Admins", "@TEST.LOCAL\hydadm"
force group = "mpdv inb"
writeable = yes
#read only = yes
force create mode = 0777
create mask = 0777
directory mask = 0777
force directory mode = 0777
access based share enum = yes
hide unreadable = yes
/etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
a "getent group / user" works correctly even a "wbinfo -i
testuser" without error.
At first sight everything seems OK.
Does anyone have any idea what this could be ?
# check_account: Failed to find local account with UID 663 for SID
S-1-5-21-3855358086-4131983242-2739128174-31637 (dom_user
Thanks for any help
Stefan Sabolowitsch
On Mon, 2022-05-09 at 14:05 +0000, Sabolowitsch, Stefan via samba wrote:
> Hi there,
> get this error message when accessing a share.
> # check_account: Failed to find local account with UID 663 for SID S-
> 1-5-21-3855358086-4131983242-2739128174-31637 (dom_user
>
> I have a SLES 15 SP3 with this Samba Config.
> [global]
> workgroup = TEST
> realm = TEST.LOCAL
> security = ADS
> preferred master = no
> encrypt passwords = yes
> log level = 0
> log file = /var/log/samba/%m
> max log size = 100
> max open files = 8000
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> idmap uid = 600-20000
> idmap gid = 600-20000
> template homedir = /home/%D/%U
> usershare allow guests = No
> winbind refresh tickets = yes
> template shell = /bin/bash
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> username map = /etc/samba/mapfile
>
> client min protocol = SMB2
> client max protocol = SMB3
>

You have quite a few default settings, a couple of un-required lines (the 'enum' ones) and two deprecated (for many years) lines:

idmap uid = 600-20000
idmap gid = 600-20000

These have been replaced by the 'idmap config' lines, at present everything is going into the default '*' domain, you should have lines similar to these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-999999

Though yours may need a different idmap backend for TEST and different ranges (NOTE: the ranges must be different and not overlap).

What is in the mapfile?

You may need to add 'min domain uid = 0' to the 'global' part of your smb.conf

Rowland
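
The two checks raised in the reply above (deprecated 'idmap uid' / 'idmap gid' lines, and 'idmap config' ranges that must not overlap) can be run mechanically against an smb.conf. This is an added example, not part of the original thread and not Samba code; the function names are hypothetical and the parsing is simplified (only [global], no includes or line continuations).

```python
import re

# Constructed inputs: the idmap lines as posted, and the layout suggested in the reply.
POSTED = "[global]\nworkgroup = TEST\nidmap uid = 600-20000\nidmap gid = 600-20000\n"
SUGGESTED = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-999999
"""
DEPRECATED = {"idmap uid", "idmap gid"}
IDMAP_RANGE = re.compile(r"idmap config\s+(\S+?)\s*:\s*range$")


def global_params(text):
    """Return {parameter: value} from [global], keys lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_idmap(text):
    """Return (findings, ranges); ranges maps idmap domain -> (low, high)."""
    findings, ranges = [], {}
    for key, value in global_params(text).items():
        if key in DEPRECATED:
            findings.append(f"deprecated: {key} = {value}")
        match = IDMAP_RANGE.match(key)
        if match:
            low, high = (int(part) for part in value.split("-"))
            ranges[match.group(1).upper()] = (low, high)
    if "*" not in ranges:
        findings.append("missing: idmap config * : range")
    ordered = sorted(ranges.items(), key=lambda item: item[1])
    for (dom_a, a), (dom_b, b) in zip(ordered, ordered[1:]):
        if b[0] <= a[1]:  # next range starts before the previous one ends
            findings.append(f"overlap: {dom_a} {a} and {dom_b} {b}")
    return findings, ranges


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, audit_idmap(conf))
```

On a live system, feed it the effective configuration (for example the output of testparm -s) rather than the raw file, so that included files are taken into account.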