How to fix the RID un-map issue (some AD users can log in to Samba and others can't)
Posted by Daniel Orme on 17 November 2013 05:44 PM

RID un-map issue

Overview

The issue is caused by the idmap_rid method, which transforms a RID to a uid within a predefined range. Every customer has a different SID deployment in their AD server, so some accounts can fall outside the QNAP predefined range.

The un-map issue commonly occurs in very large AD environments with many users/objects. In this case the SID is larger than the RID range in the QNAP-specified configuration.

As a result, Samba cannot convert the SID to a uid, and consequently the SID's owner cannot log in with Samba.

Symptom

Some AD domain users are able to log in and access the NAS via the Samba protocol, but other AD domain users are denied access and cannot log in.

How to verify the case:

1.      Some users can log in to Samba and others can't

2.      Log in to the NAS over an SSH connection

3.      Enable Samba debug mode by editing /etc/config/smb.conf

         Add the lines in the [global] section:

         max log size = 2000
         log level = 5

4.      Restart Samba with the command /etc/init.d/smb.sh restart

5.      Type the command echo "" > /var/log/samba/locks/log.winbindd

6.      Get user info with the command: getent passwd $username

         Note: $username should be of the form domain+username

7.      Check the debug log:

         grep NT_STATUS_NONE_MAPPED /var/log/samba/locks/log.winbindd

 

If the output is

Could not convert sid S-1-5-21-2955218265-1157584905-67984036-xxxxx: NT_STATUS_NONE_MAPPED

then this is the RID un-map case.

We can fix it by modifying the RID range (see SOP below).

8.      Disable Samba debug mode by editing /etc/config/smb.conf

         Change max log size = 10

         and remove log level = 5

9.      Restart Samba with the command /etc/init.d/smb.sh restart
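
The grep in step 7 can be extended to show which RIDs are failing, which helps when sizing the new range. This is an added example, not QNAP tooling: the function names are hypothetical, the sample log lines and their RIDs are constructed, and it assumes grep, sed, sort and awk are available in the NAS shell.

```shell
#!/bin/sh
# Added example. Reads a winbindd debug log on stdin and prints one line per
# domain SID: "<domain SID> <distinct unmapped SIDs> <lowest RID> <highest RID>".
# The RID is the last dash-separated component of a SID.
summarize_unmapped() {
    grep 'NT_STATUS_NONE_MAPPED' |
    sed -n 's/.*Could not convert sid \(S-[0-9-]*\)-\([0-9][0-9]*\): NT_STATUS_NONE_MAPPED.*/\1 \2/p' |
    LC_ALL=C sort -u |
    awk '{
        # Keep RIDs as strings for printing; compare them numerically.
        if (!($1 in n) || $2 + 0 < lo[$1] + 0) lo[$1] = $2
        if (!($1 in hi) || $2 + 0 > hi[$1] + 0) hi[$1] = $2
        n[$1]++
    }
    END { for (d in n) print d, n[d], lo[d], hi[d] }' |
    LC_ALL=C sort
}

# Constructed sample input (not captured from a real NAS). The RIDs and the
# second domain SID are made up; one lookup is repeated to show de-duplication.
sample_log() {
    cat <<'EOF'
constructed: unrelated winbindd debug message
  Could not convert sid S-1-5-21-2955218265-1157584905-67984036-1105234: NT_STATUS_NONE_MAPPED
  Could not convert sid S-1-5-21-2955218265-1157584905-67984036-600123: NT_STATUS_NONE_MAPPED
  Could not convert sid S-1-5-21-2955218265-1157584905-67984036-1105234: NT_STATUS_NONE_MAPPED
  Could not convert sid S-1-5-21-2955218265-1157584905-67984036-987654: NT_STATUS_NONE_MAPPED
  Could not convert sid S-1-5-21-1111111111-2222222222-3333333333-2000345: NT_STATUS_NONE_MAPPED
EOF
}

sample_log | summarize_unmapped
```

On the NAS, run it as summarize_unmapped < /var/log/samba/locks/log.winbindd before disabling debug mode in step 8.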

 

 

SOP to fix rid un-map issue
1. NAS Firmware version should be at least 3.8.x
2. Modify the RID range. We provide two methods to modify the RID range:

Edit /etc/config/uLinux.conf
In the [Samba] section, add/edit the following lines:
System_Rid_Range = 30000-500000
Main_Domain_Rid_Range = 50000000-600000000
Trust_Domain_User_Index = 70000000
Max_User_Per_Domain=1000000
Max_Trust_Domain=5

Note:

* The RID range can't be less than 30001 or more than 4294967296 (2^32), and ranges must not overlap

* Please modify the RID range to fit the environment

3. Rejoin the NAS into the AD
4. Reconfigure the share permissions and ACL as needed.

 
