samba - Aug 2023 - Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED

Hi,


I have the same issue with "Could not convert SID S-0-0..." on 2 out
of
3 DCs. These messages _are_ cluttering syslog: 54 000 such messages with
severity "Warning" in the last 21 1/2 hours .

All 3 DCs are on samba 4.17.9 with identical configurations.

The DC that does not have the problem runs on Debian bullseye, using
bullseye-backports packages. It exists since many months, more or less
since Michael Tokarev provides the bullseye-packport packages, and has
repeatedly been updated since then.

The affected DCs run on Debian bookworm, using regular bookworm
packages. They were freshly joined after their equally named
predecessors had been cleanly demoted, and they had their idmap.ldb
taken from the preexisting DC.

My /etc/samba/smb.conf:

# Global parameters
[global]
 ??????? netbios name = DC2
 ??????? realm = AD.MYDOMAIN.TLD
 ??????? server role = active directory domain controller
 ??????? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
 ??????? workgroup = MYDOMAIN
 ??????? idmap_ldb:use rfc2307? = yes

logging = syslog at 3
log level = 1
printing = BSD
printcap name = /dev/null
load printers = no
tls ca file = /usr/local/share/ca-certificates/MydomainCA1.crt
username map = /etc/samba/user.map
disable spoolss = yes

[sysvol]
 ??????? path = /var/lib/samba/sysvol
 ??????? read only = No

[netlogon]
 ??????? path = /var/lib/samba/sysvol/ad.mydomain.tld/scripts
 ??????? read only = No


Any clue anyone?

regards,
Norbert

On 25.07.2023 13:21, Peter Eriksson via samba wrote:
> In my never-ending quest of removing clutter from the log files, I notice
that we in /var/log/messages get a lot of:
>
>> Jul 25 13:08:30 filur00 winbindd[88603]: [2023/07/25 13:08:30.756462, 
1] ../../source3/winbindd/winbindd_lookupname.c:122(winbindd_lookupname_recv)
>> Jul 25 13:08:30 filur00 winbindd[88603]:   Could not convert SID S-0-0,
error is NT_STATUS_NONE_MAPPED
> Seems to happen when our test-user logs in.
>
> I can just remove that log line in the source code, but I?m curious if
there is something else I can do to silence it. I was thinking it was related to
directories owned by the ?root? user (which doesn?t have a mapping to a Windows
user but I?ve tried to get rid of the root-owned directories in the path for the
test user but it doesn?t seem to help much. Any ideas?
>
>
> Another error in the syslog messages file is:
>
> Jul 25 13:16:19 filur00 samba-dcerpcd[43617]: [2023/07/25 13:16:19.901490, 
1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> Jul 25 13:16:19 filur00 samba-dcerpcd[43617]:   rpc_pipe_open_ncalrpc:
connect(/liu/var/samba/ncalrpc/EPMAPPER) failed: No such file or directory
>
> This only happens once when starting Samba but it still annoys me. There is
no EPMAPPER object in that directory, the closest that looks relevant is:
>
>    /liu/var/samba/ncalrpc/np/epmapper
>
> Is that supposed to point to the same thing?
>
>
> Samba 4.18.5, FreeBSD 13.2
>
> - Peter
>
>

Hi all!
Both my DC's running 4.17.6 on Debian Bullseye (with  bullseye-backports)
exhibit the same error:
[2023/08/01 07:45:01.647357,  1]
../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
 Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
About 1/minute

My smb.conf is minimal (I removed the SHARES section)
[global]
        realm = EUROHIDRA.LOCAL
        workgroup = EUROHIDRA
        netbios name = EHDC1
        server role = active directory domain controller
#       interfaces = lo br0
#        bind interfaces only = Yes
        idmap_ldb:use rfc2307 = yes
        log level = 1  auth_json_audit:2@/var/log/samba/auth.log sam:2@
/var/log/samba/sam.log
        log file = /var/log/samba/samba.log

        server services = -dns
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes
#        winbind enum users = yes
#        winbind enum groups = yes

dns zone scavenging = yes
#Disable Printing
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

I've tried with and without winbind enum. DNS scavenging is there as a test
but I don't think is related. Replication gives no errors and the same for
samba-tool dbcheck. Is this just cosmetic?

best regards

Norbert Hanke via samba <samba at lists.samba.org> escreveu no dia quarta,
26/07/2023 ?(s) 21:01:
> Hi,
>
>
> I have the same issue with "Could not convert SID S-0-0..." on 2
out of
> 3 DCs. These messages _are_ cluttering syslog: 54 000 such messages with
> severity "Warning" in the last 21 1/2 hours .
>
> All 3 DCs are on samba 4.17.9 with identical configurations.
>
> The DC that does not have the problem runs on Debian bullseye, using
> bullseye-backports packages. It exists since many months, more or less
> since Michael Tokarev provides the bullseye-packport packages, and has
> repeatedly been updated since then.
>
> The affected DCs run on Debian bookworm, using regular bookworm
> packages. They were freshly joined after their equally named
> predecessors had been cleanly demoted, and they had their idmap.ldb
> taken from the preexisting DC.
>
> My /etc/samba/smb.conf:
>
> # Global parameters
> [global]
>          netbios name = DC2
>          realm = AD.MYDOMAIN.TLD
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = MYDOMAIN
>          idmap_ldb:use rfc2307  = yes
>
> logging = syslog at 3
> log level = 1
> printing = BSD
> printcap name = /dev/null
> load printers = no
> tls ca file = /usr/local/share/ca-certificates/MydomainCA1.crt
> username map = /etc/samba/user.map
> disable spoolss = yes
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [netlogon]
>          path = /var/lib/samba/sysvol/ad.mydomain.tld/scripts
>          read only = No
>
>
> Any clue anyone?
>
> regards,
> Norbert
>
> On 25.07.2023 13:21, Peter Eriksson via samba wrote:
> > In my never-ending quest of removing clutter from the log files, I
> notice that we in /var/log/messages get a lot of:
> >
> >> Jul 25 13:08:30 filur00 winbindd[88603]: [2023/07/25
13:08:30.756462,
> 1]
> ../../source3/winbindd/winbindd_lookupname.c:122(winbindd_lookupname_recv)
> >> Jul 25 13:08:30 filur00 winbindd[88603]:   Could not convert SID
S-0-0,
> error is NT_STATUS_NONE_MAPPED
> > Seems to happen when our test-user logs in.
> >
> > I can just remove that log line in the source code, but I?m curious if
> there is something else I can do to silence it. I was thinking it was
> related to directories owned by the ?root? user (which doesn?t have a
> mapping to a Windows user but I?ve tried to get rid of the root-owned
> directories in the path for the test user but it doesn?t seem to help much.
> Any ideas?
> >
> >
> > Another error in the syslog messages file is:
> >
> > Jul 25 13:16:19 filur00 samba-dcerpcd[43617]: [2023/07/25
> 13:16:19.901490,  1]
> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> > Jul 25 13:16:19 filur00 samba-dcerpcd[43617]:   rpc_pipe_open_ncalrpc:
> connect(/liu/var/samba/ncalrpc/EPMAPPER) failed: No such file or directory
> >
> > This only happens once when starting Samba but it still annoys me.
There
> is no EPMAPPER object in that directory, the closest that looks relevant
is:
> >
> >    /liu/var/samba/ncalrpc/np/epmapper
> >
> > Is that supposed to point to the same thing?
> >
> >
> > Samba 4.18.5, FreeBSD 13.2
> >
> > - Peter
> >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>