Geoff Bland
2022-Jul-25 15:46 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
Thanks for the offer to check out the Unraid SMB configuration files. As requested, any values in <>s have been replaced with tokens rather than the real values.

Contents of /etc/samba/smb.conf (it is indented like that in the file)

[global]
        # configurable identification
        include = /etc/samba/smb-names.conf

        # log stuff only to syslog
        logging = syslog@0

        # we don't do printers
        show add printer wizard = No
        disable spoolss = Yes
        load printers = No
        printing = bsd
        printcap name = /dev/null

        # disable aio by default
        aio read size = 0
        aio write size = 0

        # misc.
        invalid users = root
        unix extensions = No
        wide links = Yes
        use sendfile = Yes

        # ease upgrades from Samba 3.6
        acl allow execute always = Yes
        # permit NTLMv1 authentication
        ntlm auth = Yes

        # hook for user-defined samba config
        include = /boot/config/smb-extra.conf

        # auto-configured shares
        include = /etc/samba/smb-shares.conf

Contents of /etc/samba/smb-names.conf

# Generated names
netbios name = <UNRAIDHOSTNAME>
server string = <Unraid Server Description>
hide dot files = no
server multi channel support = no
multicast dns register = No
disable netbios = No
server min protocol = NT1
local master = yes
os level = 100
security = ADS
workgroup = <SHORTDOMAINNAME>
realm = <FQDOMAINNAME>
null passwords = Yes
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
winbind use default domain = Yes
ldap ssl = No
nt acl support = Yes
acl map full control = Yes
acl group control = Yes
inherit acls = Yes
inherit permissions = Yes
map acl inherit = Yes
dos filemode = Yes
store dos attributes = Yes
map archive = No
map hidden = No
map system = No
map readonly = No

Contents of /boot/config/smb-extra.conf (looks like any "extra configuration" from the Unraid Settings page just gets dumped in here, you can see the lines I added here):

[global]
idmap config * : backend = tdb
idmap config * : range = 1000-4000000000
#unassigned_devices_start
#Unassigned devices share includes
   include = /tmp/unassigned.devices/smb-settings.conf
#unassigned_devices_end

The file /tmp/unassigned.devices/smb-settings.conf is empty.

Contents of /etc/samba/smb-shares.conf is just a list of Unraid shares that are exposed over SMB, for example;

[LanCache]
        path = /mnt/user/LanCache
        comment = Cache for downloads from Steam, Origin, Epic, Frontier, Microsoft etc.
        browseable = yes
        case sensitive = auto
        preserve case = yes
        short preserve case = yes
        writeable = yes
[MySQL]
        path = /mnt/user/MySQL
        comment = MySQL Database Backups
        browseable = yes
        case sensitive = auto
        preserve case = yes
        short preserve case = yes
        writeable = yes
etc...
Rowland Penny
2022-Jul-25 18:23 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
On Mon, 2022-07-25 at 15:46 +0000, Geoff Bland via samba wrote:
> Thanks for the offer to check out the Unraid SMB configuration files.
> As requested, any values in <>s have been replaced with tokens rather
> than the real values.
>
> Contents of /etc/samba/smb.conf (it is indented like that in the
> file)
>
> [global]
>         # configurable identification
>         include = /etc/samba/smb-names.conf
>
>         # log stuff only to syslog
>         logging = syslog@0
>
>         # we don't do printers
>         show add printer wizard = No
>         disable spoolss = Yes
>         load printers = No
>         printing = bsd
>         printcap name = /dev/null
>
>         # disable aio by default
>         aio read size = 0
>         aio write size = 0
>
>         # misc.
>         invalid users = root
>         unix extensions = No
>         wide links = Yes
>         use sendfile = Yes
>
>         # ease upgrades from Samba 3.6
>         acl allow execute always = Yes
>         # permit NTLMv1 authentication
>         ntlm auth = Yes
>
>         # hook for user-defined samba config
>         include = /boot/config/smb-extra.conf
>
>         # auto-configured shares
>         include = /etc/samba/smb-shares.conf
>
> Contents of /etc/samba/smb-names.conf
>
> # Generated names
> netbios name = <UNRAIDHOSTNAME>
> server string = <Unraid Server Description>
> hide dot files = no
> server multi channel support = no
> multicast dns register = No
> disable netbios = No
> server min protocol = NT1
> local master = yes
> os level = 100
> security = ADS
> workgroup = <SHORTDOMAINNAME>
> realm = <FQDOMAINNAME>
> null passwords = Yes
> idmap config * : backend = hash
> idmap config * : range = 10000-4000000000
> winbind use default domain = Yes
> ldap ssl = No
> nt acl support = Yes
> acl map full control = Yes
> acl group control = Yes
> inherit acls = Yes
> inherit permissions = Yes
> map acl inherit = Yes
> dos filemode = Yes
> store dos attributes = Yes
> map archive = No
> map hidden = No
> map system = No
> map readonly = No
>
> Contents of /boot/config/smb-extra.conf (looks like any "extra
> configuration" from the Unraid Settings page just gets dumped in
> here, you can see the lines I added here):
>
> [global]
> idmap config * : backend = tdb
> idmap config * : range = 1000-4000000000
> #unassigned_devices_start
> #Unassigned devices share includes
>    include = /tmp/unassigned.devices/smb-settings.conf
> #unassigned_devices_end
>
> The file /tmp/unassigned.devices/smb-settings.conf is empty.
>
> Contents of /etc/samba/smb-shares.conf is just a list of Unraid
> shares that are exposed over SMB, for example;
>
> [LanCache]
>         path = /mnt/user/LanCache
>         comment = Cache for downloads from Steam, Origin, Epic, Frontier, Microsoft etc.
>         browseable = yes
>         case sensitive = auto
>         preserve case = yes
>         short preserve case = yes
>         writeable = yes
> [MySQL]
>         path = /mnt/user/MySQL
>         comment = MySQL Database Backups
>         browseable = yes
>         case sensitive = auto
>         preserve case = yes
>         short preserve case = yes
>         writeable = yes
> etc...

There are a lot of default settings and a few that I wouldn't set, but nothing really drastic. However, the 'idmap config' lines are another thing. The '*' is the default domain and is meant for the BUILTIN users & groups and anything outside the main 'DOMAIN'.

The 'idmap config' lines are set like this: first is this line:

    include = /etc/samba/smb-names.conf

Which contains these lines:

    idmap config * : backend = hash
    idmap config * : range = 10000-4000000000

Lower down is this:

    include = /boot/config/smb-extra.conf

Which contains these lines:

    idmap config * : backend = tdb
    idmap config * : range = 1000-4000000000

The latter will be used because the last version of a parameter wins.

The problem is that there are no 'DOMAIN' idmap config lines, I would expect something like these:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config <SHORTDOMAINNAME> : backend = rid
    idmap config <SHORTDOMAINNAME> : range = 10000-4000000000

The other problem is that there is no way to get the IDs that you started with.

Rowland
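
Added example, not part of the original thread and not Samba's own parser: the include order and last-value-wins behaviour described in the reply above, resolved over constructed copies of the three files, followed by a check for a missing per-domain idmap range and for overlapping ranges. EXAMPLE is a placeholder for <SHORTDOMAINNAME>; the function names and the two checks are assumptions of this example.

```python
import re
from itertools import combinations

# Constructed copies of the thread's files, relevant lines only; EXAMPLE is a placeholder.
FILES = {
    "/etc/samba/smb.conf": "[global]\n    include = /etc/samba/smb-names.conf\n"
                           "    include = /boot/config/smb-extra.conf\n",
    "/etc/samba/smb-names.conf": "security = ADS\nworkgroup = EXAMPLE\n"
        "idmap config * : backend = hash\nidmap config * : range = 10000-4000000000\n",
    "/boot/config/smb-extra.conf": "[global]\nidmap config * : backend = tdb\n"
        "idmap config * : range = 1000-4000000000\n",
}

def effective_globals(path, files, out=None, state=None):
    """Read files in order, expanding each include in place; a later value overwrites an earlier one."""
    out = {} if out is None else out
    state = {"section": "global"} if state is None else state
    for raw in files.get(path, "").splitlines():  # a missing or empty include adds nothing
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            state["section"] = line.strip("[] ").lower()
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # parameter names ignore case and extra spaces
        if key == "include":
            effective_globals(value.strip(), files, out, state)
        elif state["section"] == "global":  # share sections are not global parameters
            out[key] = value.strip()
    return out

def idmap_findings(params):
    """Flag a missing per-domain idmap range and any pair of overlapping ranges."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?) ?: ?range", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    findings = []
    domain = params.get("workgroup", "").lower()
    if params.get("security", "").lower() == "ads" and domain not in ranges:
        findings.append("missing idmap config for domain " + domain.upper())
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"overlapping ranges: {a} and {b}")
    return findings
```

On a live server, `testparm -s` prints the merged configuration that Samba actually loads, which is the authoritative view of which value won.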