On 20/06/2023 14:11, Ingo Asche via samba wrote:
> Hi All,
>
> the Synology support is claiming this bug is the reason for the access
> problems via hostname (Kerberos):
> https://bugzilla.samba.org/show_bug.cgi?id=14213
>
> These log entries in log.wb-ADNAME are given as evidence:
>
> ../../source3/winbindd/winbindd_msrpc.c:307: [2023/06/14
> 22:13:42.913399, winbind 3, pid=10150] msrpc_sid_to_name
> msrpc_sid_to_name: S-1-18-1 für Domäne ADNAME
> ../../source3/winbindd/winbindd_msrpc.c:319: [2023/06/14
> 22:13:42.914370, winbind 2, pid=10150] msrpc_sid_to_name
> msrpc_sid_to_name: Die Suche nach sids ist fehlgeschlagen:
> NT_STATUS_INVALID_SID
> ../../source3/winbindd/winbindd_msrpc.c:307: [2023/06/14
> 22:13:42.914415, winbind 3, pid=10150] msrpc_sid_to_name
> msrpc_sid_to_name: S-1-18-1 für Domäne ADNAME
> ../../source3/winbindd/winbindd_msrpc.c:319: [2023/06/14
> 22:13:42.915040, winbind 2, pid=10150] msrpc_sid_to_name
> msrpc_sid_to_name: Die Suche nach sids ist fehlgeschlagen:
> NT_STATUS_INVALID_SID
>
> ("Die Suche nach sids ist fehlgeschlagen" translates "The search for
> sids failed")
>
> They ask me to patch - I think - my DCs.

Patch what, with what ?
Do they not specify or provide a patch ?
The bug report you provided a link to is still ongoing, it doesn't seem to have come to a conclusion.

>
> This only happens on the two Synos which have their interpretation of
> Samba 4.15 installed. My member server (4.17.8) works without this
> problem. I ask myself, is that a problem in my domain or has this to be
> done on the machines which have the problem.
>
> I even created a member server with 4.15 for testing and it works also
> without such problems. Also an old Synology DS413 with Samba 4.4.18
> (don't laugh) works perfectly, too.

So, it is only the Synology machines that have the problem, other machines against your DC's do not have the problem. To me, that sounds like the problem lies on the Synology machines, or am I missing something (which wouldn't be the first time).

>
> So I would think this patch has to be installed on the machines with the
> error.

Well, it sounds that way to me, but therein lies another possible problem. If you do have to patch the Synology machines, this will entail patching and building Synology's version of Samba, have they supplied you with the source code ?

I personally wouldn't want to patch my DC's to get a Synology product to work correctly, if doing so could break the rest of my domain.

I could be extremely wrong here, but it makes more sense to me, to fix the 'broken' thing, rather than 'unbroken' things.

I would go back to Synology and get them to clarify just what they would like you to do and how you should do it.

Rowland

Hi Rowland,

to be clear, I'm completely of your opinion. They had a running 4.15.9(-0619, their own build number), which was a Beta, and the released version (-0632) didn't work. So for me it's obvious, too.

I can bring the released version to run with a library from their beta version: libidmap-samba4.so.

The reason for this as they wrote: "A key difference between SMB packets 0619 and 0632 is whether the ID map needs to verify the SID over the network before converting it to a UID/GID. Version 0619 retains the old Samba method of not doing network polling, but from version 0624 onwards network polling is done." (Translated from German)

Whatever they meant with "old Samba method"

> Patch what, with what ?
> Do they not specify or provide a patch ?
> The bug report you provided a link to is still ongoing, it doesn't
> seem to have come to a conclusion.

They seem to believe the attachments in the bug report are patches which you can install.

> So, it is only the Synology machines that have the problem, other
> machines against your DC's do not have the problem. To me, that sounds
> like the problem lies on the Synology machines, or am I missing
> something (which wouldn't be the first time).

I agree. I have three of them. The oldest one with Samba 4.4.18 makes no problems. Their interpretation of Samba 4.15.x makes the problem, except for the beta.

> Well, it sounds that way to me, but therein lies another possible
> problem. If you do have to patch the Synology machines, this will
> entail patching and building Synology's version of Samba, have they
> supplied you with the source code ?

I wanted only to know based on the bug report, is it something, which has to be fixed on the DCs or the device which shows the mentioned bug.

> I personally wouldn't want to patch my DC's to get a Synology product
> to work correctly, if doing so could break the rest of my domain.
>
> I could be extremely wrong here, but it makes more sense to me, to fix
> the 'broken' thing, rather than 'unbroken' things.

Again, agreed. I think, you're right here, too...

> I would go back to Synology and get them to clarify just what they
> would like you to do and how you should do it.

That I will, I just hoped for some knowledge that will strengthen my arguments.

>
> Rowland

As always, thanks for your answer...

-- 
Regards

Ingo
https://github.com/WAdama
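
Added example, not part of the thread and not Samba or Synology code: a Python triage of `log.wb-ADNAME` entries like those quoted above, pairing each `msrpc_sid_to_name` request with the NT_STATUS failure that follows it and separating well-known SIDs such as S-1-18-1 from domain account SIDs. It assumes one log entry per line (the e-mail wrapped them); the last sample line, with its domain SID and pid, is constructed.

```python
import re
from collections import Counter

# Well-known SIDs under identifier authority 18; these are not domain accounts.
WELL_KNOWN = {
    "S-1-18-1": "Authentication Authority Asserted Identity",
    "S-1-18-2": "Service Asserted Identity",
}
HEADER = re.compile(r"\[(?P<ts>[\d/]+ [\d:.]+),\s+winbind\s+\d+,\s+pid=(?P<pid>\d+)\]")
SID = re.compile(r"msrpc_sid_to_name: (S-1-\d+(?:-\d+)+)")
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# First four entries follow the thread's log; the fifth is constructed.
SAMPLE = [
    "../../source3/winbindd/winbindd_msrpc.c:307: [2023/06/14 22:13:42.913399, winbind 3, pid=10150] msrpc_sid_to_name msrpc_sid_to_name: S-1-18-1 für Domäne ADNAME",
    "../../source3/winbindd/winbindd_msrpc.c:319: [2023/06/14 22:13:42.914370, winbind 2, pid=10150] msrpc_sid_to_name msrpc_sid_to_name: Die Suche nach sids ist fehlgeschlagen: NT_STATUS_INVALID_SID",
    "../../source3/winbindd/winbindd_msrpc.c:307: [2023/06/14 22:13:42.914415, winbind 3, pid=10150] msrpc_sid_to_name msrpc_sid_to_name: S-1-18-1 für Domäne ADNAME",
    "../../source3/winbindd/winbindd_msrpc.c:319: [2023/06/14 22:13:42.915040, winbind 2, pid=10150] msrpc_sid_to_name msrpc_sid_to_name: Die Suche nach sids ist fehlgeschlagen: NT_STATUS_INVALID_SID",
    "../../source3/winbindd/winbindd_msrpc.c:307: [2023/06/14 22:13:43.000001, winbind 3, pid=10151] msrpc_sid_to_name msrpc_sid_to_name: S-1-5-21-1111111111-2222222222-3333333333-1104 für Domäne ADNAME",
]

def classify(sid):
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        return "domain or local account SID"
    return "other"

def failed_lookups(lines):
    """Pair each lookup request with the next NT_STATUS line from the same
    winbindd pid. Matching ignores the message text, which is localized."""
    pending, failures = {}, []   # pending: pid -> (timestamp, sid)
    for line in lines:
        head = HEADER.search(line)
        if not head:
            continue
        pid, sid, status = head["pid"], SID.search(line), STATUS.search(line)
        if sid:
            pending[pid] = (head["ts"], sid.group(1))
        elif status and pid in pending:
            ts, value = pending.pop(pid)
            failures.append({"time": ts, "sid": value,
                             "status": status.group(0), "kind": classify(value)})
    return failures

def summarize(lines):
    """Count failures per (SID, status, kind) so repeats stand out."""
    return Counter((f["sid"], f["status"], f["kind"]) for f in failed_lookups(lines))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

Running the same summary on a working member server and on an affected Synology shows whether the failing lookups are confined to well-known SIDs on one side.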