[Samba] Samba3 : no suitable range available for sid - Samba


  1. [Samba] Samba3 : no suitable range available for sid


    I'm setting up a FreeBSD server which will authenticate against an
    Active Directory.
    I mean: the server will NOT have any local users (except mandatory and
    minimum required for management and configuration) and will authenticate
    requests for login and access FOR EVERY SERVICE against an Active
    Directory server.

    I have configured the samba service and currently I can
    log in to local terminal, ssh, smtp and pop3 services using local or AD users
    and password. Each service authenticates the user correctly, first trying the
    AD domain then, if that fails, validating against the local passwd db.


    The problem is that I get this error every 30 seconds:

    rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549

    I get this message for every builtin group in the Active Directory domain.
    This error doesn't cause any problem or malfunction to running services
    (ssh, smtp, pop3, etc.).
    But it's really annoying and causes the log file to grow in size very, very
    quickly.

    As far as I can understand, Samba is trying to associate BUILTIN groups with
    its local copy, but it doesn't have allowance for the operation (and in fact
    I do not want this).

    What can I do to stop this error from coming out every 30 seconds?
    What have I missed in the configuration so that Samba tries to copy the
    BUILTIN groups?



    Here is my smbd configuration
    [global]
    workgroup = mydomain
    realm = mydomain.it
    security = ADS
    allow trusted domains = No
    idmap backend = idmap_rid:MSWARE= 1000-100000
    idmap uid = 1000-100000
    idmap gid = 1000-100000
    template homedir = /home/%U
    template shell = /bin/sh
    winbind cache time = 3600
    winbind nested groups = Yes
    winbind use default domain = Yes
    syslog only = Yes

    # These scripts are used on a domain controller or stand-alone
    # machine to add or delete corresponding unix accounts
    add user script = /usr/sbin/pw useradd %u
    add group script = /usr/sbin/groupadd %g
    ; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
    delete user script = /usr/sbin/pw userdel %u
    ; delete user from group script = /usr/sbin/deluser %u %g
    delete group script = /usr/sbin/pw groupdel %g




    and here is my PAM stack for /etc/pam.d/system
    # System-wide defaults
    #

    # auth
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    auth sufficient pam_winbind.so try_first_pass
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    auth required pam_unix.so no_warn try_first_pass nullok

    # account
    account required pam_winbind.so
    #account required pam_krb5.so
    account required pam_login_access.so
    account required pam_unix.so

    # session
    #session optional pam_ssh.so
    session required pam_lastlog.so no_fail

    # password
    password sufficient pam_winbind.so try_first_pass
    #password sufficient pam_krb5.so no_warn try_first_pass
    password required pam_unix.so no_warn try_first_pass



    Thanks for every help or hint you can give me.


    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
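
A log-triage sketch for the message quoted in the post above, added here as an example and not part of the original thread or of Samba's code: it counts the unmapped SIDs, names the well-known BUILTIN (`S-1-5-32`) aliases, and checks whether the `idmap_rid` line names a range for BUILTIN. The log lines (hostname, PID, timestamps) are constructed, and the `idmap_rid:DOMAIN=low-high` form of the backend line is an assumption.

```python
import re
from collections import Counter

# Constructed samples: hostname, PID and timestamps are made up; the message
# text and settings follow the post (idmap_rid:DOMAIN=low-high form assumed).
SAMPLE_LOG = """\
Mar  1 10:00:00 fbsd winbindd[812]: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549
Mar  1 10:00:00 fbsd winbindd[812]: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-544
Mar  1 10:00:12 fbsd sshd[900]: Accepted password for alice from 192.0.2.10
Mar  1 10:00:30 fbsd winbindd[812]: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-549
Mar  1 10:00:30 fbsd winbindd[812]: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-551
"""
SAMPLE_CONF = """\
[global]
security = ADS
idmap backend = idmap_rid:MSWARE=1000-100000
"""
# Well-known alias RIDs under the BUILTIN domain SID S-1-5-32.
BUILTIN = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
           548: "Account Operators", 549: "Server Operators",
           550: "Print Operators", 551: "Backup Operators", 552: "Replicator"}
ERR = re.compile(r"rid_idmap_get_id_from_sid: no suitable range available "
                 r"for sid: (S-\d+(?:-\d+)+)")

def parse_rid_ranges(smb_conf):
    """Return {DOMAIN: (low, high)} from the 'idmap backend = idmap_rid:' line."""
    m = re.search(r"^\s*idmap backend\s*=\s*idmap_rid:(.*)$", smb_conf, re.M)
    pairs = re.findall(r"(\w+)\s*=\s*(\d+)\s*-\s*(\d+)", m.group(1)) if m else []
    return {name.upper(): (int(lo), int(hi)) for name, lo, hi in pairs}

def triage(log_text, smb_conf):
    """Group the error by SID and say whether its domain has a range configured."""
    ranges = parse_rid_ranges(smb_conf)
    report = []
    for sid, count in sorted(Counter(ERR.findall(log_text)).items()):
        prefix, rid = sid.rsplit("-", 1)
        if prefix == "S-1-5-32":          # BUILTIN domain, not the AD domain
            domain, name = "BUILTIN", BUILTIN.get(int(rid), "unknown alias")
            configured = "BUILTIN" in ranges
        else:                             # domain name not derivable from the SID
            domain, name, configured = prefix, "domain account", None
        report.append({"sid": sid, "count": count, "domain": domain,
                       "name": name, "range_configured": configured})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(row)
```
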

  2. R: [Samba] Samba3 : no suitable range available for sid



    Any Help for this ????

