thr3ads.net - samba - [Samba] FW: Cannot access domain member from trusted domain user [Feb 2025]

If this information is useful, please help other people find it:
Share via:

Stephen Brandli

2025-Feb-17 00:17 UTC

[Samba] Cannot access domain member from trusted domain user

I'm not able to access a samba file server that I recently created and
joined to a domain.  I have two domains with an external trust: BRANDLILAW and
BRANDLI.  The server is joined to BRANDLILAW.  I am trying to access it from a
user on the BRANDLI domain.  This worked with the prior server that the new
server is replacing.  All domain controllers and the server are Debian backports
(21.3).  The user can access a Windows 10 machine also joined to the BRANDLILAW
domain, and can also access a samba file server on the BRANDLI domain. 
"samba-tool domain trust validate" works correctly in both directions.

How do I debug this?  I would appreciate any pointers.

Log entries include:

smbd:
Feb 16 16:02:50 roberts smbd[514]:   check_account: Failed to convert SID
S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID
(dom_user[BRANDLI\steve])
Feb 16 16:02:52 roberts smbd[514]: [2025/02/16 16:02:52.332273,  0]
source3/auth/auth_util.c:1945(check_account)

winbind:
[2025/02/16 15:59:21.834790,  1, traceid=1674]
source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103:
NT_STATUS_NO_SUCH_DOMAIN
[2025/02/16 15:59:21.834852,  1, traceid=1674]
source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
  wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN.
[2025/02/16 15:59:21.834875,  1, traceid=1674]
source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc)
  Failed with NT_STATUS_NO_SUCH_DOMAIN.

I am also getting the error that secrets.ldb does not exist.  But the samba file
server on the BRANDLI domain is getting those errors, and I can access that.
smb.conf:

[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM

log file = /var/log/samba/roberts.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLI:unix_nss_info = no
idmap config BRANDLI:unix_primary_group = yes

idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
idmap config BRANDLILAW:unix_nss_info = no
idmap config BRANDLILAW:unix_primary_group = yes

[Docs]
path = /home/shares/docs
writeable = yes
valid users = steve bj tabitha kim erin
force user = steve
force group = steve
force create mode = 770

The relevant passwd entry on the file server:
steve:x:1000:1000:,,,:/home/steve:/bin/bash

samba-tool user show steve:

dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve SAB. Brandli
sn: Brandli
givenName: Steve
initials: SAB.
instanceType: 4
whenCreated: 20201005011138.0Z
displayName: Steve Brandli
uSNCreated: 5433
name: Steve SAB. Brandli
objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 132970435361910940
primaryGroupID: 513
objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
accountExpires: 0
sAMAccountName: steve
sAMAccountType: 805306368
userPrincipalName: steve at domain.brandli.com<mailto:steve at
domain.brandli.com>
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
uidNumber: 1000
gidNumber: 1000
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=brandli,DC=com
whenChanged: 20250210010316.0Z
uSNChanged: 5640
lastLogonTimestamp: 133836229965179730
lastLogon: 133841460882236080
logonCount: 42
distinguishedName: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com

Stephen Brandli

2025-Feb-17 03:09 UTC

head link

[Samba] FW: Cannot access domain member from trusted domain user

More: users on the BRANDLILAW domain can access the share, but it's
incredibly slow.  In addition, smbd logs these errors repeatedly:

Feb 16 18:49:06 roberts smbd[136]:   check_account: Failed to convert SID
S-1-5-21-2136821272-1111453333-1140905514-1601 to a UID
(dom_user[BRANDLILAW\admin-fh$])
Feb 16 18:49:06 roberts smbd[136]: [2025/02/16 18:49:06.365450,  0]
source3/auth/auth_util.c:1945(check_account)

admin-fh is a machine name, not a user name.

	Steve

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Stephen
Brandli via samba
Sent: Sunday, February 16, 2025 4:18 PM
To: Stephen Brandli via samba <samba at lists.samba.org>
Subject: [Samba] Cannot access domain member from trusted domain user

I'm not able to access a samba file server that I recently created and
joined to a domain.  I have two domains with an external trust: BRANDLILAW and
BRANDLI.  The server is joined to BRANDLILAW.  I am trying to access it from a
user on the BRANDLI domain.  This worked with the prior server that the new
server is replacing.  All domain controllers and the server are Debian backports
(21.3).  The user can access a Windows 10 machine also joined to the BRANDLILAW
domain, and can also access a samba file server on the BRANDLI domain. 
"samba-tool domain trust validate" works correctly in both directions.

How do I debug this?  I would appreciate any pointers.

Log entries include:

smbd:
Feb 16 16:02:50 roberts smbd[514]:   check_account: Failed to convert SID
S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID
(dom_user[BRANDLI\steve])
Feb 16 16:02:52 roberts smbd[514]: [2025/02/16 16:02:52.332273,  0]
source3/auth/auth_util.c:1945(check_account)

winbind:
[2025/02/16 15:59:21.834790,  1, traceid=1674]
source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103:
NT_STATUS_NO_SUCH_DOMAIN
[2025/02/16 15:59:21.834852,  1, traceid=1674]
source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
  wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN.
[2025/02/16 15:59:21.834875,  1, traceid=1674]
source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc)
  Failed with NT_STATUS_NO_SUCH_DOMAIN.

I am also getting the error that secrets.ldb does not exist.  But the samba file
server on the BRANDLI domain is getting those errors, and I can access that.
smb.conf:

[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM

log file = /var/log/samba/roberts.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307 idmap config BRANDLI:range =
1000-1499 idmap config BRANDLI:unix_nss_info = no idmap config
BRANDLI:unix_primary_group = yes

idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307 idmap config BRANDLILAW:range =
1500-1999 idmap config BRANDLILAW:unix_nss_info = no idmap config
BRANDLILAW:unix_primary_group = yes

[Docs]
path = /home/shares/docs
writeable = yes
valid users = steve bj tabitha kim erin
force user = steve
force group = steve
force create mode = 770

The relevant passwd entry on the file server:
steve:x:1000:1000:,,,:/home/steve:/bin/bash

samba-tool user show steve:

dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve SAB. Brandli
sn: Brandli
givenName: Steve
initials: SAB.
instanceType: 4
whenCreated: 20201005011138.0Z
displayName: Steve Brandli
uSNCreated: 5433
name: Steve SAB. Brandli
objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 132970435361910940
primaryGroupID: 513
objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
accountExpires: 0
sAMAccountName: steve
sAMAccountType: 805306368
userPrincipalName: steve at domain.brandli.com<mailto:steve at
domain.brandli.com>
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
uidNumber: 1000
gidNumber: 1000
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=brandli,DC=com
whenChanged: 20250210010316.0Z
uSNChanged: 5640
lastLogonTimestamp: 133836229965179730
lastLogon: 133841460882236080
logonCount: 42
distinguishedName: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Rowland Penny

2025-Feb-17 08:45 UTC

head link

[Samba] Cannot access domain member from trusted domain user

On Mon, 17 Feb 2025 00:17:40 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:
> I'm not able to access a samba file server that I recently created
> and joined to a domain.  I have two domains with an external trust:
> BRANDLILAW and BRANDLI.  The server is joined to BRANDLILAW.  I am
> trying to access it from a user on the BRANDLI domain.  This worked
> with the prior server that the new server is replacing.  All domain
> controllers and the server are Debian backports (21.3).  The user can
> access a Windows 10 machine also joined to the BRANDLILAW domain, and
> can also access a samba file server on the BRANDLI domain.
> "samba-tool domain trust validate" works correctly in both
directions.
> 
> How do I debug this?  I would appreciate any pointers.
> 
> Log entries include:
> 
> smbd:
> Feb 16 16:02:50 roberts smbd[514]:   check_account: Failed to convert
> SID S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID
> (dom_user[BRANDLI\steve]) Feb 16 16:02:52 roberts smbd[514]:
> [2025/02/16 16:02:52.332273,  0]
> source3/auth/auth_util.c:1945(check_account)
> 
> winbind:
> [2025/02/16 15:59:21.834790,  1, traceid=1674]
> source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103:
> NT_STATUS_NO_SUCH_DOMAIN [2025/02/16 15:59:21.834852,  1,
> traceid=1674]
> source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
> wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN. [2025/02/16
> 15:59:21.834875,  1, traceid=1674]
> source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc) Failed with
> NT_STATUS_NO_SUCH_DOMAIN.
> 
> I am also getting the error that secrets.ldb does not exist.  But the
> samba file server on the BRANDLI domain is getting those errors, and
> I can access that. smb.conf:
> 
> [global]
> security = ads
> workgroup = BRANDLILAW
> realm = DOMAIN.BRANDLILAW.COM
> 
> log file = /var/log/samba/roberts.log
> log level = 1
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> 
> idmap config BRANDLI:backend = ad
> idmap config BRANDLI:schema_mode = rfc2307
> idmap config BRANDLI:range = 1000-1499
> idmap config BRANDLI:unix_nss_info = no
> idmap config BRANDLI:unix_primary_group = yes
> 
> idmap config BRANDLILAW:backend = ad
> idmap config BRANDLILAW:schema_mode = rfc2307
> idmap config BRANDLILAW:range = 1500-1999
> idmap config BRANDLILAW:unix_nss_info = no
> idmap config BRANDLILAW:unix_primary_group = yes
> 
> [Docs]
> path = /home/shares/docs
> writeable = yes
> valid users = steve bj tabitha kim erin
> force user = steve
> force group = steve
> force create mode = 770
> 
> The relevant passwd entry on the file server:
> steve:x:1000:1000:,,,:/home/steve:/bin/bash
> 
> samba-tool user show steve:
> 
> dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Steve SAB. Brandli
> sn: Brandli
> givenName: Steve
> initials: SAB.
> instanceType: 4
> whenCreated: 20201005011138.0Z
> displayName: Steve Brandli
> uSNCreated: 5433
> name: Steve SAB. Brandli
> objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
> userAccountControl: 66048
> codePage: 0
> countryCode: 0
> pwdLastSet: 132970435361910940
> primaryGroupID: 513
> objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
> accountExpires: 0
> sAMAccountName: steve
> sAMAccountType: 805306368
> userPrincipalName:
> steve at domain.brandli.com<mailto:steve at domain.brandli.com>
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
> uidNumber: 1000 gidNumber: 1000 memberOf: CN=Domain
> Admins,CN=Users,DC=domain,DC=brandli,DC=com whenChanged:
> 20250210010316.0Z uSNChanged: 5640
> lastLogonTimestamp: 133836229965179730
> lastLogon: 133841460882236080
> logonCount: 42
> distinguishedName: CN=Steve SAB.
> Brandli,CN=Users,DC=domain,DC=brandli,DC=com
Try reading this:

https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial-en.pdf

I know it is a bit old now, but hopefully still relevant, if you are
lucky Stefan will chime in here, he is the one that wrote it.

Rowland

Reasonably Related Threads

Search for more reasonably related threads

samba - Feb 2025 - FW: Cannot access domain member from trusted domain user

[Samba] Cannot access domain member from trusted domain user

[Samba] FW: Cannot access domain member from trusted domain user

[Samba] Cannot access domain member from trusted domain user

Reasonably Related Threads