How to fix the RID un-map issue (some AD users can log in to Samba and others can't)
Posted by Daniel Orme on 17 November 2013 05:44 PM
Rid un-map issue
Overview
This is caused by the idmap_rid method, which transforms each account's RID (the last component of its SID) into a UID within a predefined range. Every customer has a different SID deployment in their AD server, so it is possible for some RIDs to fall outside the QNAP predefined range.
The un-map issue commonly occurs in very large AD environments with many users/objects. In this case the RID is larger than what the RID range in the QNAP specified configuration can hold.
As a result Samba can NOT convert the SID to a UID, and consequently the SID owner can NOT log in with Samba.
Symptom
Some AD domain users are able to log in and access the NAS via the Samba protocol, but other AD domain users are denied access and unable to log in.
How to verify the case:
1. Some users can log in to Samba and others can't.
2. Log in to the NAS over an SSH connection.
3. Enable Samba debug mode by editing /etc/config/smb.conf. Add the following lines to the [global] section (step 8 removes them again; level 5 logging grows quickly, so keep it only while reproducing the problem):
max log size = 2000
log level = 5
4. Restart Samba with the command /etc/init.d/smb.sh restart
5. Clear the log so only the reproduction is captured: echo "" > /var/log/samba/locks/log.
6. Get the user info with the command: getent passwd $username
Note: $username should be of the form domain+username
7. Check the debug log: grep NT_STATUS_NONE_MAPPED /var/log/samba/locks/log.
If the output contains
Could not convert sid S-1-5-21-2955218265-
that means this is a rid un-map case. It can be fixed by modifying the rid range (see the SOP below).
8. Disable Samba debug mode by editing /etc/config/smb.conf: change it to max log size = 10 and remove log level = 5
9. Restart Samba with the command /etc/init.d/smb.sh restart
SOP to fix rid un-map issue
* The rid range can't be less than 30001 or more than 4294967296 (2^32), and it must not overlap the range of any other idmap backend configured in smb.conf.
* Modify the rid range (the idmap config DOMAIN : range = low - high line in the [global] section of /etc/config/smb.conf) to fit the environment. Samba's idmap_rid maps a RID to UID = low + RID (with the default base_rid of 0), so high must be at least low plus the largest RID the domain has issued; check the RIDs reported in the NT_STATUS_NONE_MAPPED log lines before choosing the new upper bound.
3. Rejoin the NAS into the AD
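The verification and SOP above, as an added shell example that is not code from the QNAP article: it pulls the SIDs that Samba reported as NT_STATUS_NONE_MAPPED out of a debug-log excerpt, takes the RID from each, and checks it against the domain's idmap range from smb.conf using the idmap_rid mapping UID = low + RID (default base_rid of 0). The log lines, the smb.conf fragment, the EXAMPLE domain name and the range values are constructed for illustration; on a real NAS, feed the functions the contents of the actual Samba log file and /etc/config/smb.conf instead.

```shell
#!/bin/sh
# Added example, not from the QNAP article. Automates the rid un-map check:
# find unmappable SIDs in the Samba debug log, extract each RID and test it
# against the idmap range, then report the smallest upper bound that works.

# Constructed debug-log excerpt in the style of the lines the article greps for.
SAMPLE_LOG='[2013/11/17 17:44:01.000000,  5] ../source3/passdb/lookup_sid.c:1234(sid_to_uid)
  Could not convert sid S-1-5-21-2955218265-1002312345-1000000000-1100 to uid: NT_STATUS_NONE_MAPPED
[2013/11/17 17:44:02.000000,  5] ../source3/passdb/lookup_sid.c:1234(sid_to_uid)
  Could not convert sid S-1-5-21-2955218265-1002312345-1000000000-7283501 to uid: NT_STATUS_NONE_MAPPED'

# Constructed [global] fragment; EXAMPLE is a hypothetical domain name.
SAMPLE_SMBCONF='[global]
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 30001 - 40000
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 40001 - 1000000'

# Print the SIDs Samba could not map, one per line (input: log text).
unmapped_sids() {
    printf '%s\n' "$1" | grep 'NT_STATUS_NONE_MAPPED' \
        | sed -n 's/.*Could not convert sid \(S-[0-9-]*\).*/\1/p'
}

# The RID is the last dash-separated component of the SID.
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Print "LOW HIGH" for the idmap range of DOMAIN ($1) in smb.conf text ($2).
# The domain name is used unescaped in the regex, so pass a literal NetBIOS name.
idmap_range() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*idmap config[[:space:]]*$1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p"
}

# idmap_rid computes ID = RID - BASE_RID + LOW with BASE_RID defaulting to 0,
# so a RID is mappable only while LOW + RID <= HIGH.
# check_rid RID LOW HIGH: prints the UID and returns 0, or returns 1 if unmappable.
check_rid() {
    uid=$(( $2 + $1 ))
    [ "$uid" -le "$3" ] || return 1
    printf '%s\n' "$uid"
}

# required_high LOG DOMAIN SMBCONF: smallest HIGH that maps every SID in LOG,
# keeping the existing LOW so already-assigned UIDs do not change.
required_high() {
    range=$(idmap_range "$2" "$3")
    low=${range%% *}
    max=0
    for sid in $(unmapped_sids "$1"); do
        rid=$(sid_rid "$sid")
        if [ "$rid" -gt "$max" ]; then max=$rid; fi
    done
    echo $(( low + max ))
}

main() {
    range=$(idmap_range EXAMPLE "$SAMPLE_SMBCONF")
    low=${range%% *}
    high=${range##* }
    for sid in $(unmapped_sids "$SAMPLE_LOG"); do
        rid=$(sid_rid "$sid")
        if uid=$(check_rid "$rid" "$low" "$high"); then
            printf '%s (rid %s) maps to uid %s\n' "$sid" "$rid" "$uid"
        else
            printf '%s (rid %s) falls outside %s-%s: NT_STATUS_NONE_MAPPED\n' "$sid" "$rid" "$low" "$high"
        fi
    done
    printf 'idmap config EXAMPLE : range high must be at least %s\n' \
        "$(required_high "$SAMPLE_LOG" EXAMPLE "$SAMPLE_SMBCONF")"
}
main
```

With the constructed input the first SID maps (RID 1100 becomes UID 41101) while the second does not, because 40001 + 7283501 exceeds the configured high of 1000000; the script therefore reports that the range's upper bound has to be raised to 7323502 before the second user can log in, after which the NAS is rejoined to the AD as the SOP requires. Keep the new high below 4294967296 and clear of the other backends' ranges.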