Geoff Bland
2022-Jul-27 21:37 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
Thanks. I have set up Samba as you have detailed on Unraid and all now seems to be working. All existing access rights got messed up as expected and so I had to re-apply all those. With your advice and a lot of reading up on this - all seems good now. All details also posted as an issue on the Unraid bug report forum so hopefully it will now also be fixed at source. Once again thanks for your help.
Rowland Penny
2022-Jul-29 18:10 UTC
[Samba] "Failed to convert SID" Errors for Some Users on UNRAID with Windows AD Domain.
On Wed, 2022-07-27 at 21:37 +0000, Geoff Bland via samba wrote:
> Thanks. I have set up Samba as you have detailed on Unraid and all
> now seems to be working. All existing access rights got messed up as
> expected and so I had to re-apply all those. With your advice and a
> lot of reading up on this - all seems good now. All details also
> posted as an issue on the Unraid bug report forum so hopefully it
> will now also be fixed at source. Once again thanks for your help.

Just a slight update on this to try and explain how the 'rid' idmap backend works.

All Domain users, groups and computers have a SID. The last part of the 'SID' is called the 'RID' and these are all unique and are set when the object is created and normal users etc usually start at 1000 (though this will be different depending on which DC they are created on). You cannot rely on the RID to identify what the object is, '1000' could be a user, '1001' could be a group, but, if that is the case, there will never be a user with the RID '1001'. To put it another way, RIDs are issued consecutively to the next object, no matter what it is.

Now you know how Windows issues IDs, how does Samba map them to Unix users and groups? This can be done by winbind and the 'rid' idmap backend (there are other backends). If you do use the 'rid' idmap backend, it uses this formula:

ID = RID + LOW_RANGE_ID

'ID' is the required Unix ID
'RID' is the Windows user or group ID
'LOW_RANGE_ID' is the number set in smb.conf (which is '10000' in the example I supplied).

So, if the RID was '1000', the calculation would become:

ID = 1000 + 10000

So the 'ID' is '11000' and always will be, even on other Samba fileservers, provided you use the same basic smb.conf.

Rowland
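The mapping described in the message above, worked through as an added example (not part of the original thread and not Samba's own code). The domain SID and the high end of the range are constructed for illustration; only the low range value of 10000 comes from the message. It also shows the case where the computed ID falls outside the configured range and no mapping is produced.

```python
# Added illustration of the 'rid' idmap formula; not Samba source code.
LOW_RANGE_ID = 10000      # low end of the idmap range, the value quoted in the message
HIGH_RANGE_ID = 999999    # assumed high end of the range; constructed for this example
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID string, RID as int)."""
    parts = sid.strip().split("-")
    well_formed = (len(parts) >= 4 and parts[0].upper() == "S"
                   and all(p.isdigit() for p in parts[1:]))
    if not well_formed:
        raise ValueError("not a SID: %r" % sid)
    return "-".join(["S"] + parts[1:-1]), int(parts[-1])


def sid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=LOW_RANGE_ID, high=HIGH_RANGE_ID):
    """Return the Unix ID for a SID in this domain, or None if it cannot be mapped."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None               # SID belongs to a different domain
    unix_id = rid + low           # ID = RID + LOW_RANGE_ID
    if unix_id > high:
        return None               # result is outside the configured range: no mapping
    return unix_id


def unix_id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=LOW_RANGE_ID, high=HIGH_RANGE_ID):
    """Reverse mapping: RID = ID - LOW_RANGE_ID, only for IDs inside the range."""
    if not low <= unix_id <= high:
        return None
    return "%s-%d" % (domain_sid, unix_id - low)


if __name__ == "__main__":
    samples = (DOMAIN_SID + "-1000",      # the RID used in the message
               DOMAIN_SID + "-1001",      # next object created, user or group
               DOMAIN_SID + "-995000",    # RID too large for the assumed range
               "S-1-5-21-9-9-9-1000")     # same RID, different (constructed) domain
    for sid in samples:
        print(sid, "->", sid_to_unix_id(sid))
```

Because the result depends only on the RID and the configured range, every fileserver using the same range for the domain computes the same ID for the same object.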