Stephen Brandli
2025-Feb-17 00:17 UTC
[Samba] Cannot access domain member from trusted domain user
I'm not able to access a samba file server that I recently created and joined to a domain. I have two domains with an external trust: BRANDLILAW and BRANDLI. The server is joined to BRANDLILAW. I am trying to access it from a user on the BRANDLI domain. This worked with the prior server that the new server is replacing. All domain controllers and the server are Debian backports (21.3). The user can access a Windows 10 machine also joined to the BRANDLILAW domain, and can also access a samba file server on the BRANDLI domain. "samba-tool domain trust validate" works correctly in both directions.

How do I debug this? I would appreciate any pointers.

Log entries include:

smbd:
Feb 16 16:02:50 roberts smbd[514]: check_account: Failed to convert SID S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID (dom_user[BRANDLI\steve])
Feb 16 16:02:52 roberts smbd[514]: [2025/02/16 16:02:52.332273, 0] source3/auth/auth_util.c:1945(check_account)

winbind:
[2025/02/16 15:59:21.834790, 1, traceid=1674] source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103: NT_STATUS_NO_SUCH_DOMAIN
[2025/02/16 15:59:21.834852, 1, traceid=1674] source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
  wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN.
[2025/02/16 15:59:21.834875, 1, traceid=1674] source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc)
  Failed with NT_STATUS_NO_SUCH_DOMAIN.

I am also getting the error that secrets.ldb does not exist. But the samba file server on the BRANDLI domain is getting those errors, and I can access that.

smb.conf:

[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM

log file = /var/log/samba/roberts.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLI:unix_nss_info = no
idmap config BRANDLI:unix_primary_group = yes

idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
idmap config BRANDLILAW:unix_nss_info = no
idmap config BRANDLILAW:unix_primary_group = yes

[Docs]
path = /home/shares/docs
writeable = yes
valid users = steve bj tabitha kim erin
force user = steve
force group = steve
force create mode = 770

The relevant passwd entry on the file server:
steve:x:1000:1000:,,,:/home/steve:/bin/bash

samba-tool user show steve:

dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve SAB. Brandli
sn: Brandli
givenName: Steve
initials: SAB.
instanceType: 4
whenCreated: 20201005011138.0Z
displayName: Steve Brandli
uSNCreated: 5433
name: Steve SAB. Brandli
objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 132970435361910940
primaryGroupID: 513
objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
accountExpires: 0
sAMAccountName: steve
sAMAccountType: 805306368
userPrincipalName: steve at domain.brandli.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
uidNumber: 1000
gidNumber: 1000
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=brandli,DC=com
whenChanged: 20250210010316.0Z
uSNChanged: 5640
lastLogonTimestamp: 133836229965179730
lastLogon: 133841460882236080
logonCount: 42
distinguishedName: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
Stephen Brandli
2025-Feb-17 03:09 UTC
[Samba] FW: Cannot access domain member from trusted domain user
More: users on the BRANDLILAW domain can access the share, but it's incredibly slow. In addition, smbd logs these errors repeatedly:

Feb 16 18:49:06 roberts smbd[136]: check_account: Failed to convert SID S-1-5-21-2136821272-1111453333-1140905514-1601 to a UID (dom_user[BRANDLILAW\admin-fh$])
Feb 16 18:49:06 roberts smbd[136]: [2025/02/16 18:49:06.365450, 0] source3/auth/auth_util.c:1945(check_account)

admin-fh is a machine name, not a user name.

Steve

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Stephen Brandli via samba
Sent: Sunday, February 16, 2025 4:18 PM
To: Stephen Brandli via samba <samba at lists.samba.org>
Subject: [Samba] Cannot access domain member from trusted domain user

I'm not able to access a samba file server that I recently created and joined to a domain. I have two domains with an external trust: BRANDLILAW and BRANDLI. The server is joined to BRANDLILAW. I am trying to access it from a user on the BRANDLI domain. This worked with the prior server that the new server is replacing. All domain controllers and the server are Debian backports (21.3). The user can access a Windows 10 machine also joined to the BRANDLILAW domain, and can also access a samba file server on the BRANDLI domain. "samba-tool domain trust validate" works correctly in both directions.

How do I debug this? I would appreciate any pointers.
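The two posts above show the pieces a practitioner would cross-check by hand: the idmap ranges in smb.conf, the SIDs that smbd could not convert, the rfc2307 uidNumber of the user, and the local passwd entry. The script below is an added example that does that cross-check offline; it is not code from the thread or from the Samba project. The BRANDLI domain SID prefix is taken from the objectSid in the samba-tool output; the BRANDLILAW prefix is assumed from the admin-fh$ log line; the machine account admin-fh$ is assumed to carry no uidNumber (the normal case, and the reason idmap_ad cannot map it); the smb.conf, log lines and passwd entry are copied from the posts.

```python
"""Cross-check a Samba member's idmap configuration against the SIDs that
smbd/winbind failed to map. Added example; inputs below are copied from the
thread or constructed, as marked."""
import re

# Copied from the post: only the idmap-relevant [global] lines.
SMB_CONF = r"""
[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
"""

# Copied from the two posts: the smbd lines that name the failing SIDs.
SMBD_LOG = r"""
Feb 16 16:02:50 roberts smbd[514]: check_account: Failed to convert SID S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID (dom_user[BRANDLI\steve])
Feb 16 18:49:06 roberts smbd[136]: check_account: Failed to convert SID S-1-5-21-2136821272-1111453333-1140905514-1601 to a UID (dom_user[BRANDLILAW\admin-fh$])
"""

# Domain SID prefixes. BRANDLI's is the objectSid from samba-tool minus the RID;
# BRANDLILAW's is ASSUMED from the admin-fh$ line. On a real member get them
# with `wbinfo --domain-info=<DOMAIN>` or `wbinfo -m` followed by `wbinfo -D`.
DOMAIN_SIDS = {
    "S-1-5-21-3237397562-3087105784-2935402547": "BRANDLI",
    "S-1-5-21-2136821272-1111453333-1140905514": "BRANDLILAW",
}

# rfc2307 attributes per account: steve's uidNumber is in the post; the machine
# account admin-fh$ is ASSUMED to have none. None means "attribute absent".
AD_UIDNUMBER = {("BRANDLI", "steve"): 1000, ("BRANDLILAW", "admin-fh$"): None}

# Copied from the post: local passwd entry on the file server.
LOCAL_PASSWD = "steve:x:1000:1000:,,,:/home/steve:/bin/bash\n"

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
FAIL_RE = re.compile(
    r"Failed to convert SID (S-1-5-21-\d+-\d+-\d+)-(\d+) to a UID "
    r"\(dom_user\[([^\\\]]+)\\([^\]]+)\]\)")


def parse_idmap(conf):
    """Return {DOMAIN: {"backend": str, "range": (lo, hi), ...}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    for cfg in domains.values():
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        cfg["range"] = (lo, hi)
    return domains


def overlapping_ranges(domains):
    """Pairs of idmap domains whose ranges overlap; Samba requires disjoint ranges."""
    ordered = sorted((cfg["range"], dom) for dom, cfg in domains.items())
    return [(d1, d2) for (r1, d1), (r2, d2) in zip(ordered, ordered[1:]) if r2[0] <= r1[1]]


def local_uid_collisions(domains, passwd):
    """Local passwd entries whose uid falls inside an idmap range (also disallowed)."""
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        uid = int(fields[2])
        for dom, cfg in domains.items():
            lo, hi = cfg["range"]
            if lo <= uid <= hi:
                hits.append((fields[0], uid, dom))
    return hits


def diagnose(domains, log, domain_sids, ad_uidnumber):
    """One (account, verdict) per 'Failed to convert SID' line in the smbd log."""
    verdicts = []
    for m in FAIL_RE.finditer(log):
        prefix, rid, dom, user = m.groups()
        dom = dom.upper()
        account = f"{dom}\\{user}"
        owner = domain_sids.get(prefix)
        if owner is None:
            verdicts.append((account, "unknown-domain-sid"))      # winbind: NO_SUCH_DOMAIN
            continue
        if owner != dom:
            verdicts.append((account, f"sid-belongs-to-{owner}"))
            continue
        cfg = domains.get(dom, domains.get("*"))
        lo, hi = cfg["range"]
        if cfg["backend"].lower() != "ad":
            verdicts.append((account, f"allocated-by-{cfg['backend']}"))
            continue
        uid = ad_uidnumber.get((dom, user))
        if uid is None:
            verdicts.append((account, "no-uidNumber-in-ad"))      # idmap_ad cannot map it
        elif not lo <= uid <= hi:
            verdicts.append((account, f"uidNumber-{uid}-outside-{lo}-{hi}"))
        else:
            verdicts.append((account, f"config-ok-uid-{uid}-check-winbind-domain-list"))
    return verdicts


if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(doms))
    print("local uid collisions:", local_uid_collisions(doms, LOCAL_PASSWD))
    for account, verdict in diagnose(doms, SMBD_LOG, DOMAIN_SIDS, AD_UIDNUMBER):
        print(f"{account}: {verdict}")
```

Run against the thread's data, the script reports no overlapping idmap ranges, flags the local `steve` (uid 1000) as sitting inside the BRANDLI range 1000-1499, which the Samba idmap documentation disallows and which makes `valid users = steve` / `force user = steve` ambiguous between the local account and BRANDLI\steve, and gives two different verdicts for the two log lines: BRANDLI\steve is mappable by this configuration, so the NT_STATUS_NO_SUCH_DOMAIN in the winbind log points at winbind on the member not knowing the BRANDLI domain at all (compare `wbinfo -m`, `wbinfo --online-status` and `wbinfo --sid-to-uid=S-1-5-21-3237397562-3087105784-2935402547-1103` on the new and the old server), while BRANDLILAW\admin-fh$ fails for the ordinary idmap_ad reason that a machine account has no uidNumber. On a real host replace the constants with `testparm -s` output and `wbinfo --domain-info` values.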
Rowland Penny
2025-Feb-17 08:45 UTC
[Samba] Cannot access domain member from trusted domain user
On Mon, 17 Feb 2025 00:17:40 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:

> I'm not able to access a samba file server that I recently created
> and joined to a domain. I have two domains with an external trust:
> BRANDLILAW and BRANDLI. The server is joined to BRANDLILAW. I am
> trying to access it from a user on the BRANDLI domain. This worked
> with the prior server that the new server is replacing. All domain
> controllers and the server are Debian backports (21.3). The user can
> access a Windows 10 machine also joined to the BRANDLILAW domain, and
> can also access a samba file server on the BRANDLI domain.
> "samba-tool domain trust validate" works correctly in both directions.
>
> How do I debug this? I would appreciate any pointers.

Try reading this:

https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial-en.pdf

I know it is a bit old now, but hopefully it is still relevant. If you are lucky, Stefan will chime in here; he is the one who wrote it.

Rowland