
[Samba] troubleshoot samba - Could not convert sid - problem


ML Wong

Jan 25, 2016, 12:40:03 PM
Environment: trying to join and set up a simple file share in a sub-domain of
an AD forest which operates at the 2008R2 forest and domain functional level,
while keeping the primary domain for SSH remote logins.

Samba is version 3.6.23-24.el6_7 (RPM based), running on CentOS 6.7.

'net ads join -k', 'net ads keytab list' and 'net testjoin -k' reflected
positive results. I can successfully join the forest without any issues.
I also ran 'net ads status -k' to verify that the machine account can be
queried from the member server.

For example, when I ran 'wbinfo -n DOMAIN2\\user1', I got a SID back
without issues. And, based on my privileges in AD, I can verify the SID is
equal to what I can see in ADUC. But when I ran 'wbinfo -i
DOMAIN\\user1', I always got "Could not convert sid [the-long-SID]
NT_STATUS_NO_SUCH_USER" in my samba.log (which I specify in my
smb.conf). I ran a series of Google searches, and most of the results
pointed out that this is mostly related to an "idmap" misconfiguration.
Each time I changed the range for idmap, I would 'net cache flush',
'/bin/rm /var/lib/samba/*.tdb', and restart nmb, smb, and winbind. But,
obviously, changing to different ranges does not really help with our
environment.

Below is my smb.conf (with fake domain names). Can I ask where I should
look for my troubleshooting? Any pointers and opinions will be
appreciated.

###
# Global Setting
###
[global]
realm = DOMAIN2.REGION2.MS.LOCAL
workgroup = DOMAIN2
netbios name = FS02
security = ADS
kerberos method = secrets and keytab
encrypt passwords = yes
#
idmap config * : backend = tdb
idmap config * : range = 1000000-9999999

idmap config DOMAIN2 : base_rid = 1000
idmap config DOMAIN2 : backend = rid
idmap config DOMAIN2 : range = 10000-999999

invalid users = root
#
winbind nss info = rfc2307
winbind trusted domains only = no
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
#
load printers = no
printcap name = /dev/null
#
# Logging
#
log file = /var/log/samba/samba.log
log level = 9
max log size = 1048576

###
# Share Definitions
###
[testshare]
comment = samba cifs share test only
path = /opt/software
force group = "@DOMAIN2\sysadmins"
browsable = no
writable = yes
read only = no
force create mode = 0660
create mask = 0770
directory mask = 0770
force directory mode = 0770
access based share enum = yes
valid users = "@DOMAIN2\sysadmins"
admin users = "@DOMAIN2\sysadmins"
guest ok = no
hide unreadable = yes
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Jan 25, 2016, 1:00:05 PM
OK, you have this in your smb.conf:

workgroup = DOMAIN2

You also say <i ran 'wbinfo -n DOMAIN2\\user1`, i can get a SID back>,
and you also say < i ran 'wbinfo -i DOMAIN\\user1'>.
Is this a typo? If not, I think this is your problem. smb.conf is set up
to obtain the info for DOMAIN2 and will ignore DOMAIN as it is not its
workgroup.

Rowland

Rowland penny

Jan 26, 2016, 5:20:05 AM
On 26/01/16 00:32, ML Wong wrote:
> Thanks for the pointer, Rowland. But I don't think I have avahi-daemon
> running.
> $ sudo chkconfig --list | grep -i avahi
> $
> Any other thoughts?
>
> thanks,
> Melvin
>
>

The only other possible problem I can see is 'invalid users = root';
this is meant to be used in a share, and you have it in [global].

You could also check what you have in /etc/krb5.conf and whether
/etc/resolv.conf points to your AD DC. You could also check if the
firewall is running and, if so, whether it is blocking a required port.
You could also check SELinux.

ML Wong

Jan 27, 2016, 7:20:03 PM
Kerberos - I can see the entries once I type 'net ads keytab list', both
in the format 'host/*' and 'hostname$', with different encryption
algorithms. DNS is a good pointer; I did use 'dig' to check all the SRV
records (_ldap, _kpasswd, _kerberos, _gc), and they all come back with good
answers. SELinux is disabled, and iptables is disabled for my
troubleshooting.

Rowland, to your knowledge, as I have debug level 10 turned on, the log
excerpt below shows the member server can find the SID from AD but could
not convert the SID to a UID. Am I right? When I did the Google search, it
usually means the idmap configuration is out of range. But I really doubt
that the range of 10000-9999999 would be a problem. And the thing which
puzzles me the most is that "wbinfo -S
S-1-5-21-2122386970-1603999544-1328175400-27912" converts the SID fine
to 36912 without an error. So why does winbind still complain about converting?

[2016/01/27 16:08:53.952847,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          in: struct wbint_QueryUser
              sid                      : *
                  sid                      : S-1-5-21-2122386970-1603999544-1328175400-27912
[2016/01/27 16:08:53.952932, 10] winbindd/winbindd_cache.c:4950(wcache_fetch_ndr)
  Entry has wrong sequence number: 121679380
[2016/01/27 16:08:53.955010,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_QueryUser: struct wbint_QueryUser
          out: struct wbint_QueryUser
              info                     : *
                  info: struct wbint_userinfo
                      acct_name                : NULL
                      full_name                : NULL
                      homedir                  : NULL
                      shell                    : NULL
                      primary_gid              : 0x0000000000000000 (0)
                      user_sid                 : S-0-0
                      group_sid                : S-0-0
              result                   : NT_STATUS_NO_SUCH_USER
[2016/01/27 16:08:53.955221,  5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2122386970-1603999544-1328175400-27912: NT_STATUS_NO_SUCH_USER
[2016/01/27 16:08:53.955264, 10] winbindd/winbindd.c:707(wb_request_done)
  wb_request_done[15036:GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2016/01/27 16:08:53.955311, 10] winbindd/winbindd.c:768(winbind_client_response_written)
  winbind_client_response_written[15036:GETPWNAM]: delivered response to client
[2016/01/27 16:08:53.955876,  6] winbindd/winbindd.c:870(winbind_client_request_read)
  closing socket 32, client exited
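As an added example (not part of the thread, and not Samba's own code), the script below reproduces the arithmetic the idmap_rid backend uses, ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)), against the idmap lines from the smb.conf posted in the first message. With base_rid = 1000 and range = 10000-999999, RID 27912 maps to 36912, which is exactly what 'wbinfo -S' returned in the thread, so the SID-to-ID step is behaving as configured. The script also returns None for RIDs below base_rid or mapping outside the range (where winbind would refuse), and checks that the '*' range and the per-domain range do not overlap, the two idmap mistakes the poster was searching for. Note that the log excerpt above shows NT_STATUS_NO_SUCH_USER coming back from wbint_QueryUser, the user-info lookup, which is a separate step from the SID-to-ID mapping that 'wbinfo -S' exercises; this example covers only the mapping. The SMB_CONF text and the test SIDs are constructed from values in the thread; the function names are mine.

```python
import re

# Parses lines of the form "idmap config DOM : key = value", as in the
# smb.conf posted in this thread (constructed copy below).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed input: the idmap lines from the poster's smb.conf.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-9999999
idmap config DOMAIN2 : base_rid = 1000
idmap config DOMAIN2 : backend = rid
idmap config DOMAIN2 : range = 10000-999999
"""


def parse_idmap(text):
    """Collect idmap settings into {DOMAIN: {key: value}} (domain upper-cased)."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def parse_range(val):
    """'low-high' -> (low, high); rejects an inverted range."""
    low, high = (int(x) for x in val.split("-"))
    if low > high:
        raise ValueError("inverted idmap range: %s" % val)
    return low, high


def parse_sid(sid):
    """Split a textual SID into (domain SID, RID); raises on malformed input."""
    parts = sid.split("-")
    if (len(parts) < 4 or parts[0] != "S" or parts[1] != "1"
            or not all(p.isdigit() for p in parts[2:])):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_uid(sid, cfg, domain):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None where winbind would refuse: the domain is not on the rid
    backend, the RID is below base_rid, or the result leaves the range.
    """
    dcfg = cfg.get(domain.upper(), {})
    if dcfg.get("backend", "").lower() != "rid":
        return None
    low, high = parse_range(dcfg["range"])
    base_rid = int(dcfg.get("base_rid", 0))
    _, rid = parse_sid(sid)
    if rid < base_rid:
        return None
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def uid_to_rid(uid, cfg, domain):
    """Reverse direction: RID = ID - LOW_RANGE_ID + BASE_RID, None outside the range."""
    dcfg = cfg.get(domain.upper(), {})
    low, high = parse_range(dcfg["range"])
    if not low <= uid <= high:
        return None
    return uid - low + int(dcfg.get("base_rid", 0))


def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap; every range, including
    the '*' default, has to be disjoint from the others."""
    ranges = [(d, parse_range(c["range"])) for d, c in cfg.items() if "range" in c]
    bad = []
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                bad.append((d1, d2))
    return bad


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    sid = "S-1-5-21-2122386970-1603999544-1328175400-27912"   # from the thread
    print("uid for RID 27912:", rid_to_uid(sid, cfg, "DOMAIN2"))   # 36912, as wbinfo -S showed
    print("overlapping ranges:", overlapping_ranges(cfg))          # []
```

Run it with a copy of your own idmap lines in SMB_CONF before flushing caches and restarting winbind: if rid_to_uid() returns None for a user's SID, or overlapping_ranges() is non-empty, the idmap configuration really is the problem; if it returns the same number 'wbinfo -S' gives, look at the later lookup step instead.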