SID <-> UID/GID mapping

Alexander Welter welter at
Thu Dec 1 21:31:57 GMT 2005

Hi *,

I recently ran into a problem regarding the name resolution of a Solaris 
box running Samba 3.0.20b. I hope some of you have a hint on how to fix it....

It's a Solaris 9 box running Samba 3.0.20b. Samba is configured to be a 
domain member. The smb.conf (everything else is the distribution default):

        dos charset = CP850
        display charset = UTF8
        workgroup = MYWG
        netbios name = SMB3TEST
        server string = Test_Samba_3-0-20
        interfaces =
        security = DOMAIN
        password server = DC00002 DC00001
        passdb backend = tdbsam
        log level = 3 winbind:9
        log file = /var/log/samba/smbd.log
        max log size = 500
        name resolve order = host wins lmhosts bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
        winbind nested groups = Yes

        comment = New Test Share
        path = /var/tmp/testshare
        admin users = @Administrators
        write list = @MYWG\251
        create mask = 0666
        directory mask = 02777

The nsswitch.conf entries for user IDs and group IDs:

passwd: files winbind [notfound=return]
group: files winbind [notfound=return]

From the WinX client perspective everything is fine. The problem pops 
up if you're logged in on the Unix side and go to one of the SMB shared 
user directories. Type an 'ls -l' and it doesn't return.
My explanation is: smb is mapping Win users according to the idmap, so 
here UIDs 10000-20000, same for the groups. When you execute the 'ls -l' 
on the Unix side, the name service tries to resolve IDs like 10238 to 
a name. Since the IDs are artificial and only known to Samba, the local 
name service does not find an entry in the local file and queries winbind, 
which queries the PDC in turn. The PDC seems not to answer at all and 
the 'ls -l' gets stuck :-( The notfound=return seems to have no effect.
The PDC itself is just a gateway to an ADS. I'm not a WinX man, so maybe 
the problem is within the PDC/ADS configuration?

Thanks a lot for any igniting idea,



UniCon - Unix Consultants               email: welter at
Alexander Welter                        Tel  :         +49-431-577066
Senior Datacenter Consultant            FAX  :         +49-431-577067
Wilhelmshavener Str. 6                  Cell :        +49-171-8250022
24105 Kiel                              http :
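As an added diagnostic for the hang described in the post (not code from the original message or from Samba itself), the following Python script does what 'ls -l' does on the Unix side, but with a timeout: it reads the idmap uid/gid ranges from an smb.conf fragment, finds owner and group IDs on a share path that fall inside those ranges, and runs the NSS lookup for each in a worker thread, so a winbind request whose PDC never answers is reported as 'timeout' instead of blocking. The function names, the embedded smb.conf fragment and the share path are assumptions for this example.

```python
import grp
import os
import pwd
import re
import threading
# Constructed smb.conf fragment with the post's idmap settings (not the full file).
SAMPLE_SMB_CONF = """
        idmap uid = 10000-20000
        idmap gid = 10000-20000
"""

def parse_idmap_ranges(conf_text):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from 'idmap uid/gid = lo-hi' lines."""
    pat = r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, conf_text, re.M)}

def lookup_with_timeout(resolver, ident, timeout):
    """Run an NSS lookup in a worker thread; a winbind/PDC round trip that never
    answers is reported as 'timeout' instead of blocking the caller like ls -l."""
    box = {}
    def worker():
        try:
            box["name"] = resolver(ident)
        except KeyError:
            box["name"] = None  # nsswitch finished, but no source knows this ID
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    if t.is_alive():
        return ("timeout", None)
    return ("resolved", box["name"]) if box["name"] is not None else ("unknown", None)

def resolve_uid(uid, timeout=5.0):
    return lookup_with_timeout(lambda u: pwd.getpwuid(u).pw_name, uid, timeout)

def resolve_gid(gid, timeout=5.0):
    return lookup_with_timeout(lambda g: grp.getgrgid(g).gr_name, gid, timeout)

def audit_path(path, ranges, timeout=5.0):
    """Report (entry, kind, id, status, name) for owner/group IDs inside the idmap range."""
    report = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        for kind, ident, resolve in (("uid", st.st_uid, resolve_uid), ("gid", st.st_gid, resolve_gid)):
            lo, hi = ranges.get(kind, (None, None))
            if lo is not None and lo <= ident <= hi:  # only IDs winbind would have to resolve
                report.append((entry.name, kind, ident) + resolve(ident, timeout))
    return report
```

Run audit_path("/var/tmp/testshare", parse_idmap_ranges(open("/etc/samba/smb.conf").read())) on the box; an entry reported as 'timeout' is one where winbind is waiting on the PDC, while 'unknown' means the lookup returned promptly with no match.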
