samba - Jan 2025 - string_to_sid: SID @www is not in a valid format

While reviewing a single problem report about one of Samba servers I
noticed these entries in the log files that are created by Samba.  I
tend to think they are just informational and not a symptom of an
issue in my setup which has not changed in many months.  But I found a
few of posts here over the years with a similar message but no
conclusive info on what they may mean or if action is needed.  Do
others with a similar setup as mine see these messages in your logs?
(The @www in my case is for a group that I use to control access to a
www server, but I have other groups that also appear in the logs.
Your group name would be different.  I populate the Linux group with
AD account names for those who should have access and Winbind does its
magic.)

The documentation for smb.conf's "valid users" indicates that when
you
use the @ sign it is interpreted as NIS netgroup first and then as
UNIX group.  I am thinking this log entry MIGHT mean that it did not
find an NIS group?

Source Reference from Error:
? ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)

Line 216 in the dom_sid.c file appears to have a function that checks
to see if the SID isdigit and when it is not, it calls the
format_error function.  In my case the group name is "www" so that
would not be a digit like most SIDs are.

format_error:
        DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n",
sidstr));
        return false;

Share:
[www]
        comment = Samba share for www
        create mask = 0664
        directory mask = 0775
        force user = www
        path = /export/home/www/htdocs
        read only = No
        valid users = @www
        write list = @www

Other tidbits:
Security = ADS
Backend is autorid
Winbind used (sssd packages removed before installing Samba)

On Thu, 9 Jan 2025 16:55:27 -0600
E R via samba <samba at lists.samba.org> wrote:
> While reviewing a single problem report about one of Samba servers I
> noticed these entries in the log files that are created by Samba.  I
> tend to think they are just informational and not a symptom of an
> issue in my setup which has not changed in many months.  But I found a
> few of posts here over the years with a similar message but no
> conclusive info on what they may mean or if action is needed.  Do
> others with a similar setup as mine see these messages in your logs?
> (The @www in my case is for a group that I use to control access to a
> www server, but I have other groups that also appear in the logs.
> Your group name would be different.  I populate the Linux group with
> AD account names for those who should have access and Winbind does its
> magic.)
> 
> The documentation for smb.conf's "valid users" indicates that
when you
> use the @ sign it is interpreted as NIS netgroup first and then as
> UNIX group.  I am thinking this log entry MIGHT mean that it did not
> find an NIS group?
> 
> Source Reference from Error:
> ? ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
It might help if you post the log fragment around that error.
However, the reference to line 216 means you are running an older
version of Samba.
> 
> Line 216 in the dom_sid.c file appears to have a function that checks
> to see if the SID isdigit and when it is not, it calls the
> format_error function.  In my case the group name is "www" so
that
> would not be a digit like most SIDs are.
> 
> format_error:
>         DEBUG(3, ("string_to_sid: SID %s is not in a valid
format\n",
> sidstr)); return false;
> 
> Share:
> [www]
>         comment = Samba share for www
>         create mask = 0664
>         directory mask = 0775
>         force user = www
>         path = /export/home/www/htdocs
>         read only = No
>         valid users = @www
>         write list = @www
> 
That is the 'old' way of doing things, you would be better off reading
this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Also if the path means what it possibly could i.e. you are sharing an
NFS mount, then I suggest you stop doing this, it really isn't a good
idea.
> Other tidbits:
> Security = ADS
> Backend is autorid
> Winbind used (sssd packages removed before installing Samba)
> 
Just posting the share isn't enough, it would help if we can see
'global' as well.

Rowland