While reviewing a single problem report about one of Samba servers I noticed these entries in the log files that are created by Samba. I tend to think they are just informational and not a symptom of an issue in my setup which has not changed in many months. But I found a few posts here over the years with a similar message but no conclusive info on what they may mean or if action is needed. Do others with a similar setup as mine see these messages in your logs? (The @www in my case is for a group that I use to control access to a www server, but I have other groups that also appear in the logs. Your group name would be different. I populate the Linux group with AD account names for those who should have access and Winbind does its magic.)

The documentation for smb.conf's "valid users" indicates that when you use the @ sign it is interpreted as NIS netgroup first and then as UNIX group. I am thinking this log entry MIGHT mean that it did not find an NIS group?

Source Reference from Error:

    ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)

Line 216 in the dom_sid.c file appears to have a function that checks to see if the SID isdigit and when it is not, it calls the format_error function. In my case the group name is "www" so that would not be a digit like most SIDs are.

    format_error:
        DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr));
        return false;

Share:

    [www]
        comment = Samba share for www
        create mask = 0664
        directory mask = 0775
        force user = www
        path = /export/home/www/htdocs
        read only = No
        valid users = @www
        write list = @www

Other tidbits:

    Security = ADS
    Backend is autorid
    Winbind used (sssd packages removed before installing Samba)

Rowland Penny
2025-Jan-10 10:14 UTC
[Samba] string_to_sid: SID @www is not in a valid format
On Thu, 9 Jan 2025 16:55:27 -0600 E R via samba <samba at lists.samba.org> wrote:

> While reviewing a single problem report about one of Samba servers I
> noticed these entries in the log files that are created by Samba. I
> tend to think they are just informational and not a symptom of an
> issue in my setup which has not changed in many months. But I found a
> few posts here over the years with a similar message but no
> conclusive info on what they may mean or if action is needed. Do
> others with a similar setup as mine see these messages in your logs?
> (The @www in my case is for a group that I use to control access to a
> www server, but I have other groups that also appear in the logs.
> Your group name would be different. I populate the Linux group with
> AD account names for those who should have access and Winbind does its
> magic.)
>
> The documentation for smb.conf's "valid users" indicates that when you
> use the @ sign it is interpreted as NIS netgroup first and then as
> UNIX group. I am thinking this log entry MIGHT mean that it did not
> find an NIS group?
>
> Source Reference from Error:
> ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)

It might help if you post the log fragment around that error. However, the reference to line 216 means you are running an older version of Samba.

> Line 216 in the dom_sid.c file appears to have a function that checks
> to see if the SID isdigit and when it is not, it calls the
> format_error function. In my case the group name is "www" so that
> would not be a digit like most SIDs are.
>
> format_error:
> DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n",
> sidstr)); return false;
>
> Share:
> [www]
> comment = Samba share for www
> create mask = 0664
> directory mask = 0775
> force user = www
> path = /export/home/www/htdocs
> read only = No
> valid users = @www
> write list = @www

That is the 'old' way of doing things, you would be better off reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Also if the path means what it possibly could i.e. you are sharing an NFS mount, then I suggest you stop doing this, it really isn't a good idea.

> Other tidbits:
> Security = ADS
> Backend is autorid
> Winbind used (sssd packages removed before installing Samba)

Just posting the share isn't enough, it would help if we can see 'global' as well.

Rowland
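
As an added illustration of the SID syntax check discussed in this thread (this is not Samba's dom_sid.c and not code from either poster), the simplified C validator below shows that a "valid users" token such as @www does not have the S-<revision>-<authority>-<sub-authority>... textual form of a SID. The function names are hypothetical, and the sketch assumes decimal fields only.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUBAUTHS 15 /* a SID carries at most 15 sub-authorities */
/* Consume one decimal field <= max; it must start with a digit. */
static bool take_number(const char **p, unsigned long long max)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return false;
    errno = 0;
    unsigned long long v = strtoull(*p, &end, 10);
    if (errno != 0 || v > max)
        return false;
    *p = end;
    return true;
}

/* True if s looks like S-<revision>-<authority>[-<sub-authority>...]. */
bool sid_string_is_valid(const char *s)
{
    int subauths = 0;
    if (s == NULL || (s[0] != 'S' && s[0] != 's') || s[1] != '-')
        return false;
    s += 2;
    if (!take_number(&s, 0xFFULL) || *s != '-')       /* revision */
        return false;
    s++;
    if (!take_number(&s, 0xFFFFFFFFFFFFULL))          /* 48-bit authority */
        return false;
    while (*s == '-') {                               /* 32-bit sub-authorities */
        s++;
        if (++subauths > MAX_SUBAUTHS || !take_number(&s, 0xFFFFFFFFULL))
            return false;
    }
    return *s == '\0';
}

int main(void)
{
    /* Constructed inputs: a well-formed SID and the share's group token. */
    const char *samples[] = { "S-1-5-32-544", "@www", "www" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               sid_string_is_valid(samples[i]) ? "valid" : "not in a valid format");
    return 0;
}
```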