string_to_sid: SI is not in a valid format

string_to_sid: SI is not in a valid format

Samba - General mailing list
Hello,

On an AD domain member, with both Samba 4.6.11 and 4.7.3, I'm getting
a lot of the following messages:

[2017/12/28 15:54:03.838907,  3]
../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID msavin is not in a valid format

msavin is my user name:

# wbinfo -n msavin
S-1-5-21-508332004-1178028025-157424832-1273 SID_USER (1)
# wbinfo  --lookup-sids S-1-5-21-508332004-1178028025-157424832-1273
S-1-5-21-508332004-1178028025-157424832-1273 -> <none>\mattiasz 1

From smb.conf:

   winbind use default domain = true
   winbind offline logon = false
   disable netbios = yes
   winbind trusted domains only = no
   allow trusted domains = no

Any reason?

Thank you,
Matt
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
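
To see which strings are being rejected and how often, the level 3 messages can be tallied from the log. This is an added example, not part of the original thread or of Samba; the sample lines are constructed from the message in the post, the header is assumed to sit on one line, and `SID_SHAPE` is a simplified check rather than Samba's own parser.

```python
import re
from collections import Counter

# Constructed sample: header line followed by an indented message line.
SAMPLE_LOG = """\
[2017/12/28 15:54:03.838907,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID msavin is not in a valid format
[2017/12/28 15:54:04.120011,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID msavin is not in a valid format
[2017/12/28 15:54:09.500432,  3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID S-1-5-21-abc is not in a valid format
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)")
MESSAGE = re.compile(
    r"^\s+string_to_sid: SID (?P<value>.*) is not in a valid format$")
# Simplified textual SID shape: S-1-<authority> plus up to 15 sub-authorities.
# An assumption used for triage only, not Samba's parser.
SID_SHAPE = re.compile(r"^S-1-\d+(?:-\d+){0,15}$", re.IGNORECASE)

def classify(value):
    """Say whether a rejected string is a name or a damaged SID."""
    if SID_SHAPE.match(value):
        return "well-formed"
    return "malformed-sid" if value.upper().startswith("S-") else "not-a-sid"

def rejected_values(log_text):
    """Pair each header with the message line that follows it."""
    records, header = [], None
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            header = h.groupdict()
            continue
        m = MESSAGE.match(line)
        if m and header:
            value = m["value"]
            records.append({**header, "value": value, "kind": classify(value)})
        header = None
    return records

def summarise(log_text):
    """Count occurrences of each (rejected string, kind) pair."""
    return Counter((r["value"], r["kind"]) for r in rejected_values(log_text))
```

A count dominated by `not-a-sid` entries means account names are reaching the SID parser, which matches what the post reports.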
Re: string_to_sid: SI is not in a valid format

On Thu, 28 Dec 2017 16:44:26 -0500
Matt Savin via samba <[hidden email]> wrote:

> Hello,
>
> On AD domain member in both versions of samba 4.6.11 and 4.7.3 I'm
> getting a lot of following messages:
>
> [2017/12/28 15:54:03.838907,  3]
> ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
>   string_to_sid: SID msavin is not in a valid format
>
> msavin is my user name:
>
> # wbinfo -n msavin
> S-1-5-21-508332004-1178028025-157424832-1273 SID_USER (1)
> # wbinfo  --lookup-sids S-1-5-21-508332004-1178028025-157424832-1273
> S-1-5-21-508332004-1178028025-157424832-1273 -> <none>\mattiasz 1
>
> From smb.conf:
>
>    winbind use default domain = true
>    winbind offline logon = false
>    disable netbios = yes
>    winbind trusted domains only = no
>    allow trusted domains = no
>
> Any reason?
>

Please post the rest of the [global] part of your smb.conf

What is the DC ?

Rowland

Re: string_to_sid: SI is not in a valid format


First, can you please keep this onlist.

On Thu, 28 Dec 2017 20:36:19 -0500
Matt Savin <[hidden email]> wrote:

> Rowland,
>
> Thank you for your reply. Below is a global part of the smb.conf file:
>
> [global]
>   workgroup = DOMAINNAME
>   security = ads
>   realm = DOMAINNAME.LOCAL
>   kerberos method = secrets and keytab
>   kerberos encryption types = all
>   dedicated keytab file = /etc/krb5.keytab
>
>   nt pipe support = no
>
>   netbios name = HOSTNAME
>   disable netbios = yes
>   local master = no
>   smb ports = 445
>   dns proxy = no
>
>   encrypt passwords = yes
>   ldap server require strong auth = no
>   client ldap sasl wrapping = plain
>
>   idmap config * : range = 16777216-33554431
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config DOMAINNAME:backend = ad
>   idmap config DOMAINNAME:schema_mode = rfc2307
>   idmap config DOMAINNAME:range = 80001-3100000
>   idmap config DOMAINNAME:unix_primary_group = yes
>   idmap config DOMAINNAME:unix_nss_info = yes
>
>   winbind refresh tickets = Yes
>   winbind use default domain = true
>   winbind trusted domains only = no
>   winbind offline logon = false
>   winbind nss info = rfc2307
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind expand groups = 1
>   allow trusted domains = no
>
>   inherit permissions = yes
>   acl allow execute always = yes
>   follow symlinks = yes
>   wide links = yes
>   unix extensions = no
>   hide dot files = no
>   map archive = no
>
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
>
>   log level = 3
>
> Please let me know if you have any questions.
>
> Thank you,
> Matt
>
>

You might as well remove these, they are either default settings, duplicates or plain shouldn't be there.

  encrypt passwords = yes
  ldap server require strong auth = no
  client ldap sasl wrapping = plain
  idmap config * : range = 16777216-33554431
  winbind trusted domains only = no
  winbind offline logon = false
  winbind nss info = rfc2307
  winbind enum users  = yes
  winbind enum groups = yes
  follow symlinks = yes


These, whilst valid, should really be in shares.

  inherit permissions = yes
  acl allow execute always = yes
  wide links = yes
  hide dot files = no
  map archive = no

Other than that, there doesn't seem to be anything else wrong, as long
as you have given your users a uidNumber containing a unique id inside
the 80001-3100000 range, you have also given them a gidNumber attribute
containing a number inside the same range. This gidNumber must be the
gidNumber of a group and this group will be used as the users primary
group instead of Domain Users.

If everything is correct, then you need to search AD for the two names
and see what you get.

Rowland
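
The review in the reply above can be scripted. This is an added example, not part of the original thread or of Samba: it flags duplicate `[global]` parameters after normalising their names, flags the parameters the reply lists for removal or for share sections, and checks that a uidNumber/gidNumber falls inside the domain's idmap range. The sample is a constructed subset of the quoted config, and the function names are hypothetical.

```python
import re
# Constructed sample: a subset of the [global] section quoted in the thread.
SAMPLE = """\
[global]
  client ldap sasl wrapping = plain
  idmap config * : range = 16777216-33554431
  idmap config *:range = 70001-80000
  idmap config DOMAINNAME:range = 80001-3100000
  winbind enum users  = yes
  wide links = yes
"""

def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

# Both lists are the ones given in the reply above.
REMOVE = {norm(p) for p in (
    "encrypt passwords", "ldap server require strong auth", "follow symlinks",
    "client ldap sasl wrapping", "winbind trusted domains only",
    "winbind offline logon", "winbind nss info", "winbind enum users",
    "winbind enum groups")}
SHARE_LEVEL = {norm(p) for p in ("inherit permissions", "wide links",
    "acl allow execute always", "hide dot files", "map archive")}

def parse_global(text):
    """Yield (line number, normalised name, value) for [global] settings."""
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            yield n, norm(name), value.strip()

def lint(text):
    """Return (line, kind, detail) findings: duplicate, remove, share-level."""
    findings, seen = [], {}
    for n, name, value in parse_global(text):
        if name in seen:
            findings.append((n, "duplicate", f"first set on line {seen[name]}"))
        seen.setdefault(name, n)
        if name in REMOVE or name in SHARE_LEVEL:
            kind = "remove" if name in REMOVE else "share-level"
            findings.append((n, kind, name))
    return findings

def in_idmap_range(text, domain, number):
    """True if a uidNumber/gidNumber lies inside the domain's idmap range."""
    key = norm(f"idmap config {domain}:range")
    lo, hi = next(v for _, k, v in parse_global(text) if k == key).split("-")
    return int(lo) <= number <= int(hi)
```

The two `idmap config *` range lines differ only in spacing around the colon, so they collapse to the same parameter and the second is reported as a duplicate.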

Re: string_to_sid: SI is not in a valid format

Rowland,

Sorry for the personal reply: my email default is set to reply to the
sender only.
Removing all the lines from smb.conf you suggested didn't resolve the
issue, still getting the same messages in the log.
I'll have to put back:
winbind enum users = yes
winbind enum groups = yes

because without these lines the commands:
getent passwd
getent group

return only local passwd and group entries, I prefer it to list AD entries
also.

Any other suggestions?

Thank you very much for your help,
Matt


Re: string_to_sid: SI is not in a valid format

On Fri, 29 Dec 2017 12:54:27 -0500
Matt Savin <[hidden email]> wrote:

> Rowland,
>
> Sorry for the personal reply: my email default is set to reply to the
> sender only.
> Removing all the lines from smb.conf you suggested didn't resolve the
> issue, still getting the same messages in the log.
> I'll have to put back:
> winbind enum users = yes
> winbind enum groups = yes
>
> because without these lines commands:
> getent passwd
> getent group
>
> return only local passwd and group entries, I prefer it to list AD
> entries also.

No, but 'getent passwd ausername' would, also having the lines slows
things down.

>
> Any other suggestions?
>

> >
> > If everything is correct, then you need to search AD for the two
> > names and see what you get.
> >

Have you done the above ?

Rowland

Re: string_to_sid: SI is not in a valid format

Rowland,

I'm very sorry for the confusion, it's my fault: I copy/pasted the wrong line. In
the original message it should have been:
# wbinfo -n msavin
S-1-5-21-508332004-1178028025-157424832-1273 SID_USER (1)
# wbinfo  --lookup-sids S-1-5-21-508332004-1178028025-157424832-1273
S-1-5-21-508332004-1178028025-157424832-1273 -> <none>\msavin 1

and it's the same now. There are no problems with UIDs, GIDs and user
names, authentication working fine, it's just strange messages in the log
file, which I didn't have when using 4.4.x.

Regards,
Matt

