Carlos Jesus
2023-Aug-01 09:43 UTC
[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
Hi all!
Both my DC's running 4.17.6 on Debian Bullseye (with bullseye-backports)
exhibit the same error:
[2023/08/01 07:45:01.647357, 1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
About 1/minute

My smb.conf is minimal (I removed the SHARES section)
[global]
realm = EUROHIDRA.LOCAL
workgroup = EUROHIDRA
netbios name = EHDC1
server role = active directory domain controller
# interfaces = lo br0
# bind interfaces only = Yes
idmap_ldb:use rfc2307 = yes
log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@
/var/log/samba/sam.log
log file = /var/log/samba/samba.log

server services = -dns
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
# winbind enum users = yes
# winbind enum groups = yes

dns zone scavenging = yes
#Disable Printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

I've tried with and without winbind enum. DNS scavenging is there as a test
but I don't think is related. Replication gives no errors and the same for
samba-tool dbcheck. Is this just cosmetic?

best regards

Norbert Hanke via samba <samba at lists.samba.org> wrote on Wednesday, 26/07/2023 at 21:01:

> Hi,
>
> I have the same issue with "Could not convert SID S-0-0..." on 2 out of
> 3 DCs. These messages _are_ cluttering syslog: 54 000 such messages with
> severity "Warning" in the last 21 1/2 hours.
>
> All 3 DCs are on samba 4.17.9 with identical configurations.
>
> The DC that does not have the problem runs on Debian bullseye, using
> bullseye-backports packages. It exists since many months, more or less
> since Michael Tokarev provides the bullseye-backports packages, and has
> repeatedly been updated since then.
>
> The affected DCs run on Debian bookworm, using regular bookworm
> packages. They were freshly joined after their equally named
> predecessors had been cleanly demoted, and they had their idmap.ldb
> taken from the preexisting DC.
>
> My /etc/samba/smb.conf:
>
> # Global parameters
> [global]
> netbios name = DC2
> realm = AD.MYDOMAIN.TLD
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
>
> logging = syslog at 3
> log level = 1
> printing = BSD
> printcap name = /dev/null
> load printers = no
> tls ca file = /usr/local/share/ca-certificates/MydomainCA1.crt
> username map = /etc/samba/user.map
> disable spoolss = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.mydomain.tld/scripts
> read only = No
>
> Any clue anyone?
>
> regards,
> Norbert
>
> On 25.07.2023 13:21, Peter Eriksson via samba wrote:
> > In my never-ending quest of removing clutter from the log files, I
> > notice that we in /var/log/messages get a lot of:
> >
> >> Jul 25 13:08:30 filur00 winbindd[88603]: [2023/07/25 13:08:30.756462, 1] ../../source3/winbindd/winbindd_lookupname.c:122(winbindd_lookupname_recv)
> >> Jul 25 13:08:30 filur00 winbindd[88603]: Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
> >
> > Seems to happen when our test-user logs in.
> >
> > I can just remove that log line in the source code, but I'm curious if
> > there is something else I can do to silence it. I was thinking it was
> > related to directories owned by the "root" user (which doesn't have a
> > mapping to a Windows user) but I've tried to get rid of the root-owned
> > directories in the path for the test user but it doesn't seem to help much.
> > Any ideas?
> >
> > Another error in the syslog messages file is:
> >
> > Jul 25 13:16:19 filur00 samba-dcerpcd[43617]: [2023/07/25 13:16:19.901490, 1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> > Jul 25 13:16:19 filur00 samba-dcerpcd[43617]: rpc_pipe_open_ncalrpc: connect(/liu/var/samba/ncalrpc/EPMAPPER) failed: No such file or directory
> >
> > This only happens once when starting Samba but it still annoys me. There
> > is no EPMAPPER object in that directory, the closest that looks relevant is:
> >
> > /liu/var/samba/ncalrpc/np/epmapper
> >
> > Is that supposed to point to the same thing?
> >
> > Samba 4.18.5, FreeBSD 13.2
> >
> > - Peter
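Added example, not part of the thread and not Samba code: a short Python script that groups these two-line log records by reporting function, SID and NT status, so the winbindd_getgroups_recv and winbindd_lookupname_recv sources are counted separately and a repeat rate can be worked out. The sample records are constructed in the two formats quoted above (plain log file and syslog-prefixed); `summarize` and `per_minute` are names chosen for this example.

```python
import re
from datetime import datetime
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(function)"
HEADER = re.compile(r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]\s+"
                    r"\S+?:\d+\((?P<func>\w+)\)")
# Optional syslog prefix: "Jul 25 13:08:30 host prog[pid]: "
SYSLOG = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ \S+\[\d+\]: ?")
# SID and NT status in the message text, whichever wording the caller used
SID_STATUS = re.compile(r"(S-\d+(?:-\d+)+).*?(NT_STATUS_\w+)")

def summarize(text):
    """Return {(function, sid, status): [count, first_ts, last_ts]}."""
    stats, pending = {}, None
    for raw in text.splitlines():
        line = SYSLOG.sub("", raw).strip()
        head = HEADER.match(line)
        if head:  # message may follow on the same line or on the next one
            pending, line = head, line[head.end():].strip()
        if not line or pending is None:
            continue
        ts = datetime.strptime(pending["ts"], "%Y/%m/%d %H:%M:%S.%f")
        hit = SID_STATUS.search(line)
        key = (pending["func"],) + (hit.groups() if hit else (None, None))
        entry = stats.setdefault(key, [0, ts, ts])
        entry[0] += 1
        entry[1], entry[2] = min(entry[1], ts), max(entry[2], ts)
        pending = None
    return stats

def per_minute(entry):
    """Average repeats per minute between first and last occurrence."""
    count, first, last = entry
    minutes = (last - first).total_seconds() / 60
    return (count - 1) / minutes if minutes > 0 else None

# Constructed sample in the two formats quoted in the thread
GG = "../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)"
SAMPLE = "".join(
    f"[2023/08/01 07:4{m}:01.647357, 1] {GG}\n"
    "  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED\n" for m in (5, 6, 7)
) + (
    "Jul 25 13:08:30 filur00 winbindd[88603]: [2023/07/25 13:08:30.756462, 1] "
    "../../source3/winbindd/winbindd_lookupname.c:122(winbindd_lookupname_recv)\n"
    "Jul 25 13:08:30 filur00 winbindd[88603]:   Could not convert SID S-0-0, "
    "error is NT_STATUS_NONE_MAPPED\n"
)

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        print(key, entry[0], per_minute(entry))
```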
Rowland Penny
2023-Aug-01 10:02 UTC
[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
On 01/08/2023 10:43, Carlos Jesus via samba wrote:
> Hi all!
> Both my DC's running 4.17.6 on Debian Bullseye (with bullseye-backports)
> exhibit the same error:
> [2023/08/01 07:45:01.647357, 1]
> ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> About 1/minute
>
> My smb.conf is minimal (I removed the SHARES section)

Trouble is, other than the 'sysvol' and 'netlogon' shares, you shouldn't be using a DC as a fileserver, it isn't recommended by Samba.

> [global]
> realm = EUROHIDRA.LOCAL

Is '.local' your real TLD? If it is, I suggest you turn off Bonjour and Avahi everywhere.

> workgroup = EUROHIDRA
> netbios name = EHDC1
> server role = active directory domain controller
> # interfaces = lo br0
> # bind interfaces only = Yes
> idmap_ldb:use rfc2307 = yes
> log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@
> /var/log/samba/sam.log
> log file = /var/log/samba/samba.log
>
> server services = -dns
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = yes

I suggest you remove the 'winbind use default domain' line, it does nothing on a DC and, though unlikely, it could have something to do with your problem.

> # winbind enum users = yes
> # winbind enum groups = yes
>
> dns zone scavenging = yes
> #Disable Printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> I've tried with and without winbind enum. DNS scavenging is there as a test
> but I don't think is related. Replication gives no errors and the same for
> samba-tool dbcheck. Is this just cosmetic?

Rowland