[Samba] winbind: SID_TO_UID not working for trusted domains?

Marc Schiffbauer marc at schiffbauer.net
Mon Jan 31 16:54:44 GMT 2005

Hi all,

I have a problem with the mapping sid -> uid.


 * Samba 3.0.10, security = ads, role is ads member server.
 * Several trusted domains
 * ADS is in sync with an Openldap server (posixAccount)
 * winbind must not use idmap (Because every Winuser already has
   an uid which is in ADs and on the Ldap server)

Lets say we have one global domain GLOBAL and several subdomains
A,B,C and D.

Samba is member of A (workgroup = A) and B,C and D are all trusted.

I test sid to uid mapping using wbinfo:

wbinfo -S <sid> only works for users in domain A.

if I try 

  wbinfo -S <sid of user in B>

I get this:
Could not convert sid <users sid> to uid

As a result, users in other domains than A cannot be added to file
ACLs because Samba cannot find the correct uid belonging to a sid.

Can this be related to the following?

  wbinfo -n <user> only works for domain A.

to get

  wbinfo -n <user in B>

working I have to tell the domain like:

  wbinfo -n 'B\<user in B>'

Any hints? Thanks in advance! I have tested several setting, but I
am clueless now.. :-(
And please tell me if you need further infos..

This is the smb.conf's global section:

        netbios aliases = <some aliases>
        password server = pdc01, pdc02, *
        workgroup = A        
        security = ads 
        realm = A.GLOBAL
        interfaces = eth0        
        bind interfaces only = true        
        load printers = no        
        unix charset = LOCALE        
        domain master = no 
        local master = no        

        # smb ports: default is "139 445"        
        # but: if we listen on 445, %L is not available        
        smb ports = 139 

        wins server = 
        name resolve order = wins bcast        
        ldap filter = (&(uid=%u)(objectclass=posixAccount))        
        ldap admin dn = <admin dn>
        winbind trusted domains only = yes        
        winbind use default domain = no 
        winbind cache time = 0             


More information about the samba mailing list