On 10/06/2023 15:07, Dale Renton via samba wrote:
> On Sun, Jun 4, 2023 at 11:56 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>> Not really, wbinfo reads directly from AD, getent goes via nsswitch.
>>
>> For getent to work using the 'ad' idmap backend, a few things have to
>> fall into place:
>>
>> You have to set the correct relevant lines in smb.conf.
>>
>> You have to give the Domain Users group a gidNumber, or if using
>> 'idmap config WORKGROUP : unix_primary_group = yes', that the relevant
>> group has a gidNumber.
>>
>> You give the user a uidNumber and if using 'unix_primary_group' the
>> relevant group's gidNumber.
>>
>> All numbers used for the uidNumber & gidNumber attributes must be inside
>> the range you set for the 'WORKGROUP' in smb.conf
>>
>> Usually when a user doesn't get a UID, one of the above isn't correct.
>>
>
>
> I think I have all the settings configured properly, plus it works with
> 4.16, but not 4.17. 4.17 is working for Christian though.
>
> smb.conf
>
> [global]
> security = ads
> workgroup = EXAMPLEAD
> realm = AD.EXAMPLE.COM
> local master = no
> idmap config *:backend = tdb
> idmap config *:range = 100000-199999
> idmap config EXAMPLEAD:backend = ad
> idmap config EXAMPLEAD:schema_mode = rfc2307
> idmap config EXAMPLEAD:range = 512-99999
> idmap config EXAMPLEAD:unix_nss_info = yes
> idmap config EXAMPLEAD:unix_primary_group = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind nss info = rfc2307
> kerberos method = system keytab
> dedicated keytab file = /etc/krb5.keytab
> create krb5 conf = no
> map to guest = Bad User
>
>
> samba-tool user show dale
> primaryGroupID: 513
> uid: dale
> uidNumber: 10000
> gidNumber: 513
>
> samba-tool group show "Domain Users"
> gidNumber: 513
I think your 'EXAMPLEAD' range might be the problem. Is this historic
(have you got files & directories owned by these numbers) or is this a
new setup?
If it is a new setup, try raising the range start (and any corresponding
uidNumber & gidNumber attributes) to 10000 and see if that works.
Or set 'min domain uid = 0' in your smb.conf
Try reading this:
https://www.samba.org/samba/security/CVE-2020-25717.html
Rowland
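An added check, written for this note rather than taken from the thread or from Samba, that tests the rules Rowland lists (uidNumber/gidNumber inside the domain's idmap range, and a uidNumber not below 'min domain uid') against the smb.conf and samba-tool values quoted above. It assumes 'min domain uid' defaults to 1000 when unset and handles only a literal domain name, not the '*' default.

```shell
#!/bin/sh
# Added check (not from the thread): verify that the uidNumber/gidNumber values
# shown by 'samba-tool user/group show' fall inside the idmap range configured
# for the domain in smb.conf, and that a uidNumber clears 'min domain uid'
# (assumed to default to 1000 when the option is absent).

# Constructed smb.conf excerpt mirroring the settings quoted in the thread.
SMB_CONF='[global]
security = ads
workgroup = EXAMPLEAD
idmap config *:range = 100000-199999
idmap config EXAMPLEAD:backend = ad
idmap config EXAMPLEAD:range = 512-99999
idmap config EXAMPLEAD:unix_primary_group = yes'

# idmap_range DOMAIN -> prints "LOW HIGH" for that domain's range, fails if unset.
# DOMAIN is a literal name such as EXAMPLEAD (the '*' default is not handled).
idmap_range() {
    printf '%s\n' "$SMB_CONF" |
        sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p" |
        grep . || return 1
}

# min_domain_uid -> prints the configured 'min domain uid', or 1000 if not set.
min_domain_uid() {
    v=$(printf '%s\n' "$SMB_CONF" |
        sed -n 's/^[[:space:]]*min domain uid[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p')
    printf '%s\n' "${v:-1000}"
}

# check_id KIND NUMBER DOMAIN -> 0 if NUMBER can be mapped, 1 otherwise; prints why.
# KIND is uidNumber or gidNumber; only uidNumber is held to 'min domain uid'.
check_id() {
    kind=$1 num=$2 dom=$3
    range=$(idmap_range "$dom") || { echo "no idmap range set for $dom"; return 1; }
    lo=${range% *} hi=${range#* }
    if [ "$num" -lt "$lo" ] || [ "$num" -gt "$hi" ]; then
        echo "$kind $num is outside the $dom idmap range $lo-$hi"; return 1
    fi
    if [ "$kind" = uidNumber ] && [ "$num" -lt "$(min_domain_uid)" ]; then
        echo "$kind $num is below 'min domain uid' ($(min_domain_uid))"; return 1
    fi
    echo "$kind $num is inside $lo-$hi"
}

# Values quoted in the thread: uidNumber 10000 and gidNumber 513 for EXAMPLEAD.
check_id uidNumber 10000 EXAMPLEAD
check_id gidNumber 513 EXAMPLEAD
```

Replace the SMB_CONF literal with `cat /etc/samba/smb.conf` output to run it against a real configuration.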