Carlos Jesus
2023-Oct-08 14:39 UTC
[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
Hi all,

I know this is kind of an old thread, but I've got some new "developments". And some questions too. Let's see...

So, like I said before, my file server is clogging my logs with

    ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

Every 2 seconds.

Now, I'm using netdata (https://www.netdata.cloud/) to locally monitor my machines, smbd performance included. I'm not into the details, but every 2 seconds, netdata performs a "smbstatus -P" on the file server. Running smbstatus -P does not produce the error, but something else on netdata smbd monitoring does. I'll ask the netdata folks for more info.

Anyway, this error shows up even if netdata is not running, just not every 2 seconds...

Now for my question. Since I (kinda) know where the error comes from, I just want to get rid of it. So, is there a way to filter this specific error in the logs? I know I could redirect the log to an rsyslog facility and filter from there. Any suggestions on a more elegant way?

Best regards

Rowland Penny via samba <samba at lists.samba.org> wrote on Tuesday, 1/08/2023 at 15:29:

> On 01/08/2023 15:07, Carlos Jesus wrote:
> > Hi Rowland, thanks for the reply
> >
> > > [global]
> > > realm = EUROHIDRA.LOCAL
> >
> > Is '.local' your real TLD ?
> > If it is, I suggest you turn off Bonjour and Avahi everywhere
> >
> > Unfortunately it is :(....
> >
> > Bonjour and avahi are stopped and masked everywhere.
>
> I wish Microsoft hadn't recommended using '.local', it just means that
> you cannot use Bonjour and Avahi. Microsoft has now realised this and
> they no longer recommend using it.
>
> > > workgroup = EUROHIDRA
> > > netbios name = EHDC1
> > > server role = active directory domain controller
> > > # interfaces = lo br0
> > > # bind interfaces only = Yes
> > > idmap_ldb:use rfc2307 = yes
> > > log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@/var/log/samba/sam.log
> > > log file = /var/log/samba/samba.log
> > >
> > > server services = -dns
> > > template shell = /bin/bash
> > > template homedir = /home/%U
> > > winbind use default domain = yes
> >
> > I suggest you remove the 'winbind use default domain' line, it does
> > nothing on a DC and, though unlikely, it could have something to do
> > with your problem.
> >
> > Will do. Will it interfere with PAM authentication?
>
> No, all it really does is to remove the DOMAIN from user & group names
> and then only on Unix domain members.
>
> Rowland
cedric at season-of-mist.com
2023-Oct-19 10:30 UTC
[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
Hi,

I've noticed the same messages on our servers (DC and members). I've found those messages were related to ssh login attempts and/or crontab run as root:

/var/log/auth.log:

    Oct 19 06:28:01 MEMBER CRON[265110]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
    Oct 19 06:28:01 MEMBER CRON[265110]: pam_unix(cron:session): session closed for user root

/usr/local/samba/var/log.winbindd:

    [2023/10/19 06:28:01.502659, 1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

Hope this helps

-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Carlos Jesus via samba
Sent: Sunday, 8 October 2023 16:39
To: samba at lists.samba.org
Subject: Re: [Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED

Hi all,

I know this is kind of an old thread, but I've got some new "developments". And some questions too. Let's see...

So, like I said before, my file server is clogging my logs with

    ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
    Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

Every 2 seconds.

Now, I'm using netdata (https://www.netdata.cloud/) to locally monitor my machines, smbd performance included. I'm not into the details, but every 2 seconds, netdata performs a "smbstatus -P" on the file server. Running smbstatus -P does not produce the error, but something else on netdata smbd monitoring does. I'll ask the netdata folks for more info.

Anyway, this error shows up even if netdata is not running, just not every 2 seconds...

Now for my question. Since I (kinda) know where the error comes from, I just want to get rid of it. So, is there a way to filter this specific error in the logs? I know I could redirect the log to an rsyslog facility and filter from there. Any suggestions on a more elegant way?
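The timestamp matching described in the message above (a winbindd "Could not convert sid S-0-0" entry against PAM session events in auth.log) can be scripted to find which login or cron job triggers each entry. This is an added example, not code from the thread or from Samba: the function names are hypothetical, the sample logs are constructed from the lines quoted above, and it assumes Samba's file log layout of a bracketed header line followed by the message line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs, modelled on the lines quoted in the message above.
AUTH_LOG = """\
Oct 19 06:25:13 MEMBER sshd[264990]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Oct 19 06:28:01 MEMBER CRON[265110]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Oct 19 06:28:01 MEMBER CRON[265110]: pam_unix(cron:session): session closed for user root
"""
WINBINDD_LOG = """\
[2023/10/19 06:28:01.502659,  1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2023/10/19 06:40:12.000100,  1] ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
"""
WB_HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]")
PAM_OPEN = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ [^\[:]+\[\d+\]: "
                      r"pam_unix\((\S+?):session\): session opened for user (\w+)")

def winbindd_hits(text, needle="Could not convert sid S-0-0"):
    """Timestamps of winbindd entries whose message line contains needle."""
    hits, stamp = [], None
    for line in text.splitlines():
        m = WB_HEADER.match(line)
        if m:  # header line carries the timestamp of the message below it
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif stamp and needle in line:
            hits.append(stamp)
            stamp = None
    return hits

def pam_sessions(text, year):
    """(time, service, user) per 'session opened' line; syslog omits the year."""
    found = (PAM_OPEN.match(line) for line in text.splitlines())
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3))
            for m in found if m]

def correlate(wb_text, auth_text, window=timedelta(seconds=2)):
    """Map each S-0-0 message to the PAM sessions opened within +/- window."""
    result = {}
    for hit in winbindd_hits(wb_text):
        result[hit] = [(svc, user) for when, svc, user in pam_sessions(auth_text, hit.year)
                       if abs(when - hit) <= window]
    return result

if __name__ == "__main__":
    for hit, sessions in correlate(WINBINDD_LOG, AUTH_LOG).items():
        print(hit, sessions or "no PAM session opened nearby")
```

Entries that match no PAM session point at a different caller of winbindd, such as a monitoring agent or a file copy that resolves names.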
Norbert Hanke
2023-Oct-19 13:40 UTC
[Samba] Could not convert SID S-0-0, error is NT_STATUS_NONE_MAPPED
Hi all,

In my case I see this happen when rsync'ing sysvol from one samba DC to a different one on the target DC when the target DC is on Debian Bookworm with both samba 4.17.<many> and 4.18.8. It looks like a different behaviour of rsync that I never saw on Bullseye or before, with many different samba versions over the years.

I'm using rsync through ssh with

    rsync -avAX --delete /var/lib/samba/sysvol dcX:/var/lib/samba

The winbind message disappears when adding --numeric-ids so that rsync does not need to use winbind to map from user and group names to Unix UIDs and GIDs.

Besides the different rsync version on Bookworm it has to do with the history of my domain: at a certain time I added rfc2307 UIDs and/or GIDs to builtin entities like "MYDOMAIN\domain admins" with the result of different numerical ownerships and ACLs in GPOs. Rsync'ing with and without --numeric-ids results in different numeric owners and ACLs. For Windows clients both look the same, no imminent problem. But a bit of a mess that I still need to figure out how to clean up.

Maybe this helps to find the reason for the same elsewhere.

regards,
Norbert

On 08.10.2023 16:39, Carlos Jesus via samba wrote:
> Hi all,
> I know this is kind of an old thread, but I've got some new "developments".
> And some questions too. Let's see...
> So, like I said before, my file server is clogging my logs with
> ../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> Every 2 seconds.
> Now, I'm using netdata (https://www.netdata.cloud/) to locally monitor my
> machines, smbd performance including. I'm not into the details, but every 2
> seconds, netdata performs a "smbstatus -P" on the file server. Running
> smbstatus -P does not produce the error, but something else on netdata smbd
> monitoring does. I'll ask the netdata folks for more info.
> Anyway, this error shows up even if netdata is not running just not every 2
> seconds...