On 10/12/2022 10:52, Luis Peromarta via samba wrote:
> Dear all,
>
> I have a file server (domain member) running Version 4.9.5-Debian for a good few years now. 3 DCs running samba 4.17. No issues whatsoever except for these errors in logs: (192.168.0.9.log)
>
> [2022/12/10 11:17:06.937222,  0] ../source3/auth/auth_util.c:1897(check_account)
>   check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
>
> System seems to just work fine.
>
> If you try
>
> #wbinfo --sid-to-uid S-1-5-21-2152908145-95474353-1514027631-6608
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2152908145-95474353-1514027631-6608 to uid
>
>
> I am not sure if this is very important or not. All is working just fine.
>
> smb.conf is:
>
> [global]
>        security = ADS
>        workgroup = MAD
>        realm = MAD.MATER.INT
>        netbios name = SERVER
>        log file = /var/log/samba/%m.log
>
> # To enable Group Policy application in winbind,
> apply group policies = yes
>
> # Configure Samba to Work Better with Mac OS X
> min protocol = SMB2
> ea support = yes
> vfs objects = fruit streams_xattr
> fruit:aapl = yes
> fruit:metadata = stream
> fruit:model = RackMac
> fruit:posix_rename = yes
> fruit:veto_appledouble = yes
> fruit:wipe_intentionally_left_blank_rfork = yes
> fruit:delete_empty_adfiles = yes
>
>        # Default ID mapping configuration for local BUILTIN accounts
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> # idmap config for the MAD domain
>
> idmap config MAD:backend = ad
> idmap config MAD:schema_mode = rfc2307
> idmap config MAD:range = 10000-999999
>
> # winbind config:
>
> winbind nss info = rfc2307
> winbind use default domain = yes
> # winbind enum users = yes
> # winbind enum groups = yes
>
> # renew the kerberos ticket
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> # username map = /etc/samba/user.map
>
> # To configure shares using extended access control lists (ACL)
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Veto Files
>        veto files = /Thumbs.db/.DS_Store/._.DS_Store/.com.apple*/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/$
>        delete veto files = yes
>
> [personales]
> path = /home/users/
> read only = no
> hide unreadable = yes
> hide unwriteable files = yes
> # browseable = no
>
> [shares]
> path = /home2/shares/
> read only = no
> hide unreadable = yes
> hide unwriteable files = yes
>
>
>
> Any ideas on why these errors are showing up?
>
Yes.
Oh, you mean, 'will someone explain why this is happening' :-D
You are using the 'ad' backend and your user 'itpc01$' is a special
user, this is because it is a computer (the only real difference between
a user and a computer in AD, is one objectclass 'objectclass=computer').
You cannot get a UID for various reasons, the most obvious one is that
you probably haven't given your computers a uidNumber attribute.
There is nothing to worry about.
Rowland
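
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small log triage script that parses `check_account` failures and separates computer accounts (name ending in `$`) from user accounts. The second log entry, its account name `jdoe` and its SID are constructed for contrast, and treating a trailing `$` as "machine account" is a naming heuristic, not a lookup of the AD objectclass.

```python
import re

# Constructed sample in the two-line layout shown in the post; the second
# entry (hypothetical user "jdoe" and its SID) is added here for contrast.
SAMPLE_LOG = r"""[2022/12/10 11:17:06.937222,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-6608 to a UID (dom_user[MAD\itpc01$])
[2022/12/10 11:19:41.120045,  0] ../source3/auth/auth_util.c:1897(check_account)
  check_account: Failed to convert SID S-1-5-21-2152908145-95474353-1514027631-1234 to a UID (dom_user[MAD\jdoe])
"""

# Matches the message line only; the timestamp header line is ignored.
FAILURE = re.compile(
    r"check_account: Failed to convert SID (?P<sid>S-1-[0-9-]+) to a UID "
    r"\(dom_user\[(?P<domain>[^\\\]]+)\\(?P<account>[^\]]+)\]\)"
)

def triage(log_text):
    """Return one record per distinct (SID, account) mapping failure."""
    seen = {}
    for m in FAILURE.finditer(log_text):
        key = (m["sid"], m["account"])
        rec = seen.setdefault(key, {
            "sid": m["sid"], "domain": m["domain"], "account": m["account"],
            # Heuristic: AD computer account names end in "$".
            "machine_account": m["account"].endswith("$"), "count": 0,
        })
        rec["count"] += 1
    return list(seen.values())

def report(records):
    """Render one human-readable line per record."""
    lines = []
    for r in records:
        if r["machine_account"]:
            verdict = "computer account, no UID expected unless it has a uidNumber"
        else:
            verdict = "user account, check it has a uidNumber inside the idmap range"
        lines.append(f'{r["domain"]}\\{r["account"]} {r["sid"]} x{r["count"]}: {verdict}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```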