Problem: Samba shares on member servers not accessible

Problem:

Samba shares on member servers are not accessible.
UCS Samba/AD DCs use the file idmap.ldb to map an objectSid to an xidNumber (POSIX UID/GID).
UCS Samba member servers primarily ask their domain controller for the objectSid-to-xidNumber mapping; only if the DC does not know the answer does Winbind on the member server create an object in OpenLDAP under cn=idmap. The objects under cn=idmap are analogous to those in /var/lib/samba/private/idmap.ldb.
Whenever a request is made, the UCS member server running Samba3 tries to convert the SID of the user or group into a POSIX ID in order to determine the permissions at file level.

In /var/log/samba/log.smbd you find:

[2022/03/28 16:45:19.374484,  0] ../../source3/auth/auth_util.c:1889(check_account)
  check_account: Failed to convert SID S-1-5-21-2615459141-2503667724-3635462610-1061706 to a UID (dom_user[SCHOOL+cscheini])
[2022/03/28 16:45:19.374514,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/03/28 16:45:19.374756,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

Investigation:

Check access with smbclient:

root@mb-01:~# smbclient //$(hostname -f)/print$ -U cscheini
Enter SCHOOL\cscheini's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Check wbinfo:

root@mb-01:~# wbinfo -n cscheini
S-1-5-21-2615459141-2503667724-3635462610-1061706 SID_USER (1)
root@mb355-01:~# wbinfo -S S-1-5-21-2615459141-2503667724-3635462610-1061706
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2615459141-2503667724-3635462610-1061706 to uid

Solution:

The problem here is that the user's UID number fell outside the configured idmap range.
In /etc/samba/smb.conf you see the definition:

; idmap/winbind
ldap idmap suffix = cn=idmap,cn=univention
idmap config * : backend        = ldap
idmap config * : range          = 55000-64000
idmap config * : ldap_url       = ldap://dc01.schein.me:7389
idmap config * : ldap_user_dn   = cn=mb-01,cn=computers,ou=sun,dc=schein,dc=me
idmap config SCHOOL : backend = nss
idmap config SCHOOL : range = 1000-54999

This can be changed via UCR variables:

ucr set samba/idmap/range=550000-640000
ucr set samba/idmap/SCHOOL/range=1000-549999
/etc/init.d/samba restart
net cache flush
/etc/init.d/winbind restart
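To check a member server's idmap configuration for exactly this failure mode before users hit NT_STATUS_LOGON_FAILURE, here is an added example (not part of the original article or of UCS) that parses the "idmap config ... : range" lines from smb.conf, verifies that the ranges of different domains do not overlap (smb.conf requires this), and reports any uidNumber that lies outside its domain's range. The uidNumber values for the sample users are constructed; the two configurations are the ones shown above.

```python
import re
from typing import Dict, List, Tuple

# Matches "idmap config <DOMAIN> : range = <low>-<high>" as written in smb.conf;
# whitespace around ':' and '=' is optional and DOMAIN may be '*' (the default domain).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range found in the config text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges overlap; smb.conf(5) requires disjoint ranges."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes

def uids_outside_range(ranges, domain, users):
    """users maps 'DOMAIN+name' to the uidNumber NSS returns for it (backend = nss).
    A uid outside the domain's range is one winbind will not map, which is what
    'Failed to convert SID ... to a UID' in log.smbd reports."""
    lo, hi = ranges[domain]
    return {name: uid for name, uid in users.items() if not lo <= uid <= hi}

# The two configurations from this article: before and after the UCR change.
OLD_CONF = """
idmap config * : backend        = ldap
idmap config * : range          = 55000-64000
idmap config SCHOOL : backend = nss
idmap config SCHOOL : range = 1000-54999
"""
NEW_CONF = OLD_CONF.replace("55000-64000", "550000-640000").replace("1000-54999", "1000-549999")

# Constructed sample: cscheini's uidNumber is assumed to have grown past 54999.
SAMPLE_USERS = {"SCHOOL+cscheini": 61706, "SCHOOL+alice": 2001}

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        r = parse_idmap_ranges(conf)
        print(label, r, overlapping_ranges(r), uids_outside_range(r, "SCHOOL", SAMPLE_USERS))
```

On a real member server, feed the script the contents of /etc/samba/smb.conf and the uidNumbers from `getent passwd` for the affected users instead of the constructed sample.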