[Samba] question about sids and ads auth
Jason Gerfen
jason.gerfen at scl.utah.edu
Wed Jun 4 16:54:28 GMT 2008
John H Terpstra wrote:
> On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
>> Ok so I have a problem and I am trying to figure something out in
>> regards to samba ads authentication, winbindd sid to uid/gid mapping and
>> why some domain accounts can map the samba share from linux and windows
>> when others cannot.
>>
>> I have a few domain users that when they try to map a samba share when
>> the authentication takes place fine, the uid/gid seems to work, but in
>> the log.winbind-idmap I see the following lines:
>>
>> idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
>> sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
>> gid [2,2,2279459400]
>
> Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
> Samba server? In other words, is it the same as the output of:
>
> net getlocalsid
No, not the same output.
>
> If not, then the above is a foreign SID and needs to be handled appropriately.
>
> The RID is the last value in the SID sequence of fields. The RID=513 is
> the "Domain Users" group well-known account value. In fact, if you look at
> the log it says it could not resolve the sid_to_gid (that means it could not
> resolve the group ID to a local UNIX GID).
Just picked up on this portion of the SID
>
> If the domain SID is the same as your Samba server SID, this would suggest
> that if you execute "net groupmap list" you see that there is no mapping of
> the Windows group "Domain Users" to a UNIX group. You need to create it as
> follows:
>
> net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513
Was performed.
>
> If the SID is not the same as your Samba server SID, then you need to do one
> of two things:
>
> a) Configure Samba to resolve all foreign domain SIDs as if they are local.
> You can do this by adding to smb.conf [globals]
> winbind user default domain = yes
>
winbind use default domain = yes? not sure if 'user' is a typo.
> _OR_
>
> b) You can configure the IDMAP backend appropriately for your version of Samba
> so it will allocate local UIDs and GIDs for all foreign SIDs.
>
I currently have the following configured for my AD users:
idmap config SCL:backend = ad
>> But if I do a winbind -n USERNAME I get the following sid
>> S-1-5-21-2868754479-89028146-2101856903-88482
>
> That looks like a user account. What is the UID for this user?
1000011, this user actually is able to authenticate through AD as well
as map the drive. I am currently having a problem with some users not
able to map the drive due to 'error 67 occurred' when running 'net use x:
\\server\share' from windows clients.
>
>> As you can see they do not match up, is the sid listed in the log a
>> system account like the netlogon or perhaps the trusted domain account
>> sid or something?
>
I have been looking through AD users in the CN=Users container and seem
to have some discrepancies with my rfc2307 attributes; let me modify
those and test some more.
> It is a group account, not a user account. If you create a file as that user,
> what is the ownership and group (under UNIX) of the resulting file?
>
> - John T.
--
Jas
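The triage John describes above (split the SID into its domain part and RID, compare the domain part with `net getlocalsid`, recognise RID 513 as "Domain Users") as a small added helper for scanning log.winbind-idmap; this is example code written for this thread, not anything from Samba, and the local SID and the single-line log sample are constructed placeholders.

```python
import re
# Well-known domain-relative RIDs (standard Windows values); 513 is the one in the log above.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
}

# A domain SID: S-1-5-21, three sub-authorities, then the RID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")

def split_sid(sid):
    """Split S-1-5-21-a-b-c-rid into its domain part and the integer RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def classify_unmapped(log_lines, local_sid):
    """Explain each 'not mapped to' failure: which RID, and whether the SID is foreign."""
    findings = []
    for line in log_lines:
        if "not mapped to" not in line:
            continue
        match = SID_RE.search(line)
        if match is None:
            continue
        domain_sid, rid = split_sid(match.group(0))
        foreign = domain_sid != local_sid
        findings.append({
            "sid": match.group(0),
            "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid),
            "foreign": foreign,
            # Mirrors the advice in the thread: local SID -> groupmap; foreign -> idmap allocation.
            "hint": ("check the idmap backend / 'winbind use default domain'" if foreign
                     else "check 'net groupmap list' for a mapping of this RID"),
        })
    return findings

# Constructed sample: the log line from the thread joined onto one line, plus a
# placeholder local SID (not the real 'net getlocalsid' output of any server).
SAMPLE_LOG = [
    "idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]",
    "sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an gid [2,2,2279459400]",
]
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    for finding in classify_unmapped(SAMPLE_LOG, LOCAL_SID):
        print(finding)
```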