[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain

Jason C. Waters jwaters at h2os.com
Sat Jun 12 02:20:34 GMT 2004

Do "getent group" and "getent passwd" return the users and groups?  If 
they don't, I'm guessing that you didn't copy libnss_winbind.so to 
your /lib directory and then create a symbolic link, ln -s 
/lib/libnss_winbind.so /lib/libnss_winbind.so.x, where x is the version 
of nss you use...I think.  I put 2 and it works, but you can try 0, 1, or 
2 I think.  Hope this helps.

fx.cormontagne at howen.be wrote:

>I have problems with SID to UID mapping using winbind on a FreeBSD 5.2/Samba 
> as a member server of a Win2k domain controller. I use heimdal-0.6.1 for 
>I would like my XP machines in the domain to use the share with the user 
>defined in Active Directory.
>At a first glance it seems to work: the connection to the share succeeds 
>without a
>prompt for a password. Users may create, read, modify and delete files or 
>But the ACLs do not show domain accounts but local accounts: those accounts have
>the SAME NAME as the domain account BUT they bear the name of the SAMBA machine
>instead of the name of the domain.
>Here are my conf files:
>----- smb.conf -----
> security = ADS
> realm = windom
> netbios name = SAMBA
> workgroup = WINDOM
> encrypt passwords=yes
> password server = *
> obey pam restrictions = yes
> winbind cache time = 120
> template shell = /sbin/nologin
> template homedir = /none
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> winbind nested groups = yes
> winbind separator = +
> path=/smbroot/theshare
> read only=no
>------ nsswitch.conf ---
>passwd: files winbind
>group:  files winbind
>------ pam.d/samba ----
>auth required pam_winbind.so    debug
>account required pam_winbind.so
> pam_winbind.so is only present in pam.d/samba
>wbinfo -u
>wbinfo -g
>  work fine
>pw user show -a   # this lists all the user account in a passwd format
>  shows all local and domain accounts (WINDOM+domuser:*:10021:10010:...)
>Then I log into an XP machine as domuser at WINDOM
>I open the network location: \\samba\theshare
>I create some file, and I edit its properties I find in the ACL and as the owner
>of the file:
>   domuser(SAMBA\domuser)
>Then I log on the console of the Samba server as root, and
>$ ls -ln /smbroot/theshare/dummyfile.txt
>  gives a UID of 10034 as the owner
>pw user show -u 10034
>  returns:
>again I type: pw user show -a
>  all the domain users are present but domuser:*:10034 does not
>  appear in the list
>When I turn on: winbind trusted domains only = yes
>  I get a login screen when I want to connect to the share
>  and log.smbd tells:
>     smbd/sesssetup.c:reply_spnego_kerberos(248) 
>        Username WINDOM+domuser is invalid on this system
>  while log.winbind says:
>     nsswitch/winbindd_acct.c:winbindd_create_user(884)
>        winbindd_create_user: Refusing to create user that already exists 
>It is not clear to me if it is a kerberos or a winbind problem.
>Does someone have a clue?
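The check both messages circle around (does NSS resolve the UID that owns the file, and is winbind even a passwd/group source?) can be scripted. The following is an added example, not code from either poster or from the Samba project. It takes the idmap range (10000-19999) and separator (+) from the quoted smb.conf; the passwd listing, nsswitch.conf and `ls -ln` line are constructed stand-ins for this example, and the function names are my own. On a real server you would feed it `getent passwd` output and a real `ls -ln` line instead.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the thread). Classifies the owner
# UID of a file on a Samba member server against the idmap range from smb.conf
# and the account list from the NSS passwd database. All sample data below is
# constructed for this example.

# idmap uid range as set in the poster's smb.conf
IDMAP_LO=10000
IDMAP_HI=19999
# winbind separator as set in the poster's smb.conf
SEP='+'

# Constructed stand-in for `getent passwd` / `pw user show -a` output.
# On a real server replace it with: PASSWD_DB=$(getent passwd)
PASSWD_DB='root:*:0:0:Charlie &:/root:/bin/csh
WINDOM+domuser:*:10021:10010:domuser:/none:/sbin/nologin
WINDOM+other:*:10022:10010:other:/none:/sbin/nologin
localuser:*:1001:1001:Local User:/home/localuser:/bin/sh'

# Constructed stand-in for /etc/nsswitch.conf
NSSWITCH='passwd: files winbind
group:  files winbind
hosts:  files dns'

# Constructed stand-in for one line of `ls -ln /smbroot/theshare`
LS_LINE='-rw-r--r--  1 10034  10010  0 Jun 11 10:00 dummyfile.txt'

# nss_uses_winbind DB CONFIG -> prints yes/no: is winbind a source for DB?
nss_uses_winbind() {
  printf '%s\n' "$2" | awk -v key="$1:" '
    $1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
    END { print (found ? "yes" : "no") }'
}

# owner_uid LS_LINE -> prints the numeric owner (third column of ls -ln)
owner_uid() {
  printf '%s\n' "$1" | awk '{ print $3 }'
}

# classify_uid UID PASSWD_TEXT -> prints one of:
#   domain           resolves to a winbind account (name contains the separator)
#   local            resolves to an account from /etc/passwd
#   idmap-unresolved inside the idmap range but no NSS entry: winbind handed
#                    out a UID that NSS cannot turn back into a name
#   unknown          outside the idmap range and no NSS entry
classify_uid() {
  uid=$1
  entry=$(printf '%s\n' "$2" | awk -F: -v u="$uid" '$3 == u { print; exit }')
  if [ -n "$entry" ]; then
    case ${entry%%:*} in
      *"$SEP"*) echo domain ;;
      *)        echo local ;;
    esac
  elif [ "$uid" -ge "$IDMAP_LO" ] && [ "$uid" -le "$IDMAP_HI" ]; then
    echo idmap-unresolved
  else
    echo unknown
  fi
}

# diagnose LS_LINE PASSWD_TEXT NSSWITCH_TEXT -> one-line summary for the file
diagnose() {
  uid=$(owner_uid "$1")
  echo "owner uid $uid: $(classify_uid "$uid" "$2"); passwd via winbind: $(nss_uses_winbind passwd "$3"); group via winbind: $(nss_uses_winbind group "$3")"
}

diagnose "$LS_LINE" "$PASSWD_DB" "$NSSWITCH"
```

With the constructed data the script reports the poster's symptom: UID 10034 sits inside the idmap range but has no passwd entry, while nsswitch.conf does list winbind for both databases. That separates an NSS library problem (no winbind entries at all, the case the reply asks about) from a mapping problem (entries exist, but this particular UID is not one of them). For the second case, `wbinfo -U 10034` asks winbind directly which SID it thinks that UID belongs to, and `wbinfo -s <SID>` turns the SID into a name.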
