[Samba] rid_idmap_get_id_from_sid: no suitable range available for sid

John jknappers-argentia at hotmail.com
Tue May 10 11:09:25 GMT 2005


I posted the following message on the linux.samba newsgroup, but so far have
had no response. Therefore I am trying again in this group, hoping that there
are other people reading this group, and yes, that hopefully somebody can help
me with my samba winbind problems.

John Knappers


"John" <jknappers at nospam.hotmail.com> wrote in message
news:42805f47$0$55675$e4fe514c at news.xs4all.nl...
> Hello list,
> "John" <jknappers at nospam.hotmail.com> wrote in message
> news:427f81f8$0$53718$e4fe514c at news.xs4all.nl...
>> Hello,
>> I have some trouble with the rid_idmap facility. STFI didn't help me this
>> time..
>> Other issues I read about resolved to a too small idmap range
>> specification.
>> But this is another issue..
>> It looks like the rid_idmap facility tries to map the SIDs from
>> Administrators, Backup Operators and several other built-in groups to a
>> uid <330
>> Configuration:
>> OS Suse 9.1
>> Samba 3.0.14 backport from Suse
>> W2k3 DC in testlab is a NT4 domain upgrade
>> smb.conf snippet
>> workgroup DOM1
>> security = ADS
>> realm:    CORP.DOM1..COM
>> passwd server = *
>> Allow trusted domains = no
>> loglevel =3
>> winbind seperator = no
>> idmap backend = idmap_rid:DOM=330-100000
>> idmap uid = 330-100000
>> idmap gid = 330-100000
>> winbind use default domain = yes
>> etc
>> Joining the ADS domain goes smoothly
>> wbinfo -u gives list with domain users
>> wbinfo -n 'Domain Users' gives list SID  from domain Users
>> wbinfo -n 'Administrators' gives: Could not lookup name Administratos
>> wbinfo -n 'Backup Operators' gives: Could not lookup name Backup
>> Operators
>> id Administrator has uid 1000 and lots of guid's from different groups
>> he's a member of, but not the guid from the Administrators and Backup
>> Operators groups. I'm also getting log entries like
>> rid_idmap_get_id_from_sid: No available range availeble for sid.
>> It's difficult to paste complete logs at the moment, because the W2k DC
>> and samba ADS member are running in an isolated testlab.
>> Does anybody know what I'm missing or what's going wrong?
>> John Knappers
>> Argentia B.V.
>> The Netherlands
> Hello,
> A careful look in the morning revealed:
> The groups Administrators / Power Users etc. are translated in samba to:
> BUILDIN/Administrators BUILDIN/Power users etc.
> But wbinfo -n BUILDIN/Administrators gives:
> S-1-5-32-544 Well-known Group (5)
> and wbinfo -Y  S-1-5-32-544 gives:
> Could not convert sid S-1-5-32-544 to gid...
> Are those SIDs not very short? As I remembered, they were much longer.
> It looks like the SIDs from the BUILTIN groups are truncated!
> duh, how is that possible?
> A wbinfo -n 'Domain Admins' gives:
> S-1-5-21-431110786-547713429-883519231-512 Domain Group (2)
> and wbinfo -y S-1-5-21-431110786-547713429-883519231-512
> 1012
> Looking on the production network, that's still running a NT4 DC.
> The samba host there is running winbind without the idmap_rid facility.
> But there wbinfo -n 'BUILDIN/Administrators' also gives
> S-1-5-32-544 Well-known Group (5)
> because winbind is running without the idmap_rid facility
> a wbinfo -Y S-1-5-32-544 resolves to
> 10063
> Does someone have any idea what's going on here?
> regards,
> John Knappers
> Argentia B.V.
> The Netherlands
After a bit of further searching on the internet I found some answers in the
following link:

There I found out that the BUILTIN local groups and some special groups
/users always have the same short SID:
Built-In Local Groups
BUILTIN\ADMINISTRATORS             S-1-5-32-544   (=0x220)
BUILTIN\USERS                      S-1-5-32-545   (=0x221)
BUILTIN\GUESTS                     S-1-5-32-546   (=0x222)
BUILTIN\ACCOUNT OPERATORS          S-1-5-32-548   (=0x224)
BUILTIN\SERVER OPERATORS           S-1-5-32-549   (=0x225)
BUILTIN\PRINT OPERATORS            S-1-5-32-550   (=0x226)
BUILTIN\BACKUP OPERATORS           S-1-5-32-551   (=0x227)
BUILTIN\REPLICATOR                 S-1-5-32-552   (=0x228)

Special Groups
\CREATOR OWNER                     S-1-3-0
\EVERYONE                          S-1-1-0
NT AUTHORITY\SYSTEM                S-1-5-18
NT AUTHORITY\authenticated users   S-1-5-11 *

Those SIDs match what I found on our samba system.

So, it's clear now that those SIDs are not accidentally truncated, but are
that way by design. How does this fit in the Samba rid_idmap?
Does anybody have a clue??


John Knappers
Argentia B.V.
The Netherlands
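
Added example, not part of the original post and not Samba's code: it splits the SIDs quoted above into domain part and RID and checks the domain part against the one domain SID visible in the post. That an RID-based mapping is keyed on the domain part is an assumption suggested by the log message; the `CONFIGURED` table and the function names are hypothetical.

```python
import re

# Domain SID taken from the 'Domain Admins' SID quoted in the post; the name
# DOM1 is the workgroup from the posted smb.conf. The table is a hypothetical
# stand-in for "domains that have an RID range configured".
CONFIGURED = {"S-1-5-21-431110786-547713429-883519231": "DOM1"}

# Revision-1 SID with an identifier authority and at least one sub-authority.
SID_RE = re.compile(r"S-1-\d+(-\d+)+", re.IGNORECASE)


def split_sid(sid):
    """Split a textual SID into (domain part, RID = last sub-authority)."""
    sid = sid.strip()
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a revision-1 SID with a RID: %r" % sid)
    domain, _, rid = sid.rpartition("-")
    return domain.upper(), int(rid)


def range_for(sid, configured=CONFIGURED):
    """Return (domain name or None, RID); None means no range covers the SID."""
    domain, rid = split_sid(sid)
    return configured.get(domain), rid


# SIDs that appear in the post.
SAMPLES = [
    ("Domain Admins", "S-1-5-21-431110786-547713429-883519231-512"),
    ("BUILTIN\\ADMINISTRATORS", "S-1-5-32-544"),
    ("BUILTIN\\BACKUP OPERATORS", "S-1-5-32-551"),
    ("\\EVERYONE", "S-1-1-0"),
    ("NT AUTHORITY\\SYSTEM", "S-1-5-18"),
]


def report(samples=SAMPLES):
    """Build one line per sample: name, SID, RID and whether a range matches."""
    lines = []
    for name, sid in samples:
        domain, rid = range_for(sid)
        verdict = "range of %s" % domain if domain else "no range for this domain part"
        lines.append("%-26s %-45s rid=%-5d %s" % (name, sid, rid, verdict))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Only the Domain Admins SID shares the domain part `S-1-5-21-431110786-547713429-883519231`; the BUILTIN SIDs sit under `S-1-5-32`, so a lookup keyed on the domain SID finds nothing for them.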
