samba - Mar 2025 - Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED every time sudo is executed

I recently upgraded my Samba Domain Member server that provides a share for
Windows clients to write their backups to. The backup clients use an AD
credential to connect to the share, so individuals are not connecting to the
share. This works well and has for years. However, when I upgraded to Samba
v4.21.3 (built from source, same distro as my Samba AD DCs), I started
getting my logs cluttered up with errors:

 

Mar 25 12:21:29 hennessy winbindd[18349]: [2025/03/25 12:21:29.129086,  1,
traceid=53]
../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroups_recv)

Mar 25 12:21:29 hennessy winbindd[18349]:  Could not convert sid S-0-0:
NT_STATUS_NONE_MAPPED

 

These messages appear whenever any sudo command is executed on the system. I
am using the rid backend and setup the server as per
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

 

 

I figure I missed something simple. Any ideas how I can make these stop?

 

 

This did not happen on my old server with this config which was running
Rocky Linux 8.10 and Samba 4.14.11. Current server with the problem is on
Rocky Linux 9.5 and Samba 4.21.3

 

 

[root at hennessy ~]# testparm -s

Load smb config files from /usr/local/samba/etc/smb.conf

Loaded services file OK.

Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

 

Server role: ROLE_DOMAIN_MEMBER

 

# Global parameters

[global]

        dedicated keytab file = /etc/krb5.keytab

        disable netbios = Yes

        disable spoolss = Yes

        load printers = No

        local master = No

        log file = /var/log/samba/SL-%m.log

        logging = syslog at 2 file

        preferred master = No

        printcap name = /dev/null

        realm = KNADA.LAN.KITSNET.US

        security = ADS

        server min protocol = SMB2

        winbind refresh tickets = Yes

        winbind use default domain = Yes

        workgroup = KNADA

        fruit:delete_empty_adfiles = yes

        fruit:wipe_intentionally_left_blank_rfork = yes

        fruit:veto_appledouble = no

        fruit:posix_rename = yes

        fruit:model = MacSamba

        fruit:metadata = stream

        idmap config knada:range = 10000-999999

        idmap config knada:backend = rid

        idmap config * : range = 3000-7999

        idmap config * : backend = tdb

        map acl inherit = Yes

        printing = bsd

        vfs objects = acl_xattr catia fruit streams_xattr

 

 

[Backups]

        access based share enum = Yes

        comment = Network backup repository

        create mask = 0700

        directory mask = 0750

        force create mode = 0400

        force directory mode = 0500

        path = /backups/Windows

        read only = No

        valid users = @KNADA\KNBackupOps "@KNADA\Domain Admins" 

 

[iOS]

        access based share enum = Yes

        comment = Backup repository for iOS devices

        create mask = 0700

        directory mask = 0750

        force create mode = 0400

        force directory mode = 0500

        path = /backups/iOS

        read only = No

        valid users = @KNADA\KNBackupOps "@KNADA\Domain Admins"

On Tue, 25 Mar 2025 12:28:07 -0400
smodep--- via samba <samba at lists.samba.org> wrote:
> I recently upgraded my Samba Domain Member server that provides a
> share for Windows clients to write their backups to. The backup
> clients use an AD credential to connect to the share, so individuals
> are not connecting to the share. This works well and has for years.
> However, when I upgraded to Samba v4.21.3 (built from source, same
> distro as my Samba AD DCs), I started getting my logs cluttered up
> with errors:
> 
>  
> 
> Mar 25 12:21:29 hennessy winbindd[18349]: [2025/03/25
> 12:21:29.129086,  1, traceid=53]
> ../../source3/winbindd/winbindd_getgroups.c:262(winbindd_getgroups_recv)
> 
> Mar 25 12:21:29 hennessy winbindd[18349]:  Could not convert sid
> S-0-0: NT_STATUS_NONE_MAPPED
> 
>  
> 
> These messages appear whenever any sudo command is executed on the
> system. I am using the rid backend and setup the server as per
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
>  
> 
>  
> 
> I figure I missed something simple. Any ideas how I can make these
> stop?
> 
Try upgrading Samba.
The easiest way would be to use the Tranquil IT packages, see here:

https://samba.tranquil.it/doc/en/samba_config_server/redhat/server_install_samba_redhat.html

Rowland