[Samba] rid_idmap_get_id_from_sid: no suitable range available for
jknappers-argentia at hotmail.com
Tue May 10 11:09:25 GMT 2005
I posted the following message on the linux.samba newsgroup, but so far
got no response. Therefore I am trying again in this group, hoping that there
are other people reading this group, and yes, that hopefully somebody can help
me with my Samba winbind problems.
"John" <jknappers at nospam.hotmail.com> wrote in message
news:42805f47$0$55675$e4fe514c at news.xs4all.nl...
> Hello list,
> "John" <jknappers at nospam.hotmail.com> wrote in message
> news:427f81f8$0$53718$e4fe514c at news.xs4all.nl...
>> I have some trouble with rid_idmap facility. STFI didn't help me this
>> Other issues I read about resolved to a too small idmap range
>> But this is another issue..
>> It looks like the rid_idmap facility tries to map the SIDs from
>> Administrators, Backup Operators and several other built-in groups to a
>> uid <330
>> OS Suse 9.1
>> Samba 3.0.14 backport from Suse
>> W2k3 DC in testlab is a NT4 domain upgrade
>> smb.conf snippet
>> workgroup DOM1
>> security = ADS
>> realm: CORP.DOM1..COM
>> passwd server = *
>> Allow trusted domains = no
>> loglevel =3
>> winbind seperator = no
>> idmap backend = idmap_rid:DOM=330-100000
>> idmap uid = 330-100000
>> idmap gid = 330-100000
>> winbind use default domain = yes
>> Joining the ADS domain goes smoothly
>> wbinfo -u gives list with domain users
>> wbinfo -n 'Domain Users' gives list SID from domain Users
>> wbinfo -n 'Administrators' gives: Could not lookup name Administratos
>> wbinfo -n 'Backup Operators' gives: Could not lookup name Backup
>> id Administrator has uid 1000 and lots of guids from different groups
>> he's a member of, but not the guid from the Administrators and Backup
>> Operators group. I'm also getting log entries like
>> rid_idmap_get_id_from_sid: No available range availeble for sid.
>> It's difficult to paste complete logs at the moment, because the W2k DC
>> and Samba ADS member are running in an isolated testlab.
>> Does anybody know what I'm missing or what's going wrong?
>> John Knappers
>> Argentia B.V.
>> The Netherlands
> A careful look in the morning revealed:
> The groups Administrators / Power Users etc. are translated in Samba to:
> BUILDIN/Administrators BUILDIN/Power users etc.
> But wbinfo -n BUILDIN/Administrators gives:
> S-1-5-32-544 Well-known Group (5)
> and wbinfo -Y S-1-5-32-544 gives:
> Could not convert sid S-1-5-32-544 to gid...
> Are those SIDs not very short? As I remembered, they were much longer.
> It looks like the SIDs from the BUILDIN groups are truncated!
> duh, how is that possible?
> A wbinfo -n 'Domain Admins' gives:
> S-1-5-21-431110786-547713429-883519231-512 Domain Group (2)
> and wbinfo -y S-1-5-21-431110786-547713429-883519231-512
> Looking on the production network, that's still running an NT4 DC.
> The samba host there is running winbind without the idmap_rid facility.
> But there wbinfo -n 'BUILDIN/Administrators' also gives
> S-1-5-32-544 Well-known Group (5)
> because winbind is running without idmap_rid facility
> a wbinfo -Y S-1-5-32-544 resolves to
> Does someone have any idea what's going on here?
> John Knappers
> Argentia B.V.
> The Netherlands
After a bit of further searching the internet I found some answers in the
There I found out that the BUILDIN local groups and some special groups
/users always have the same short SID
Built-In Local Groups
BUILTIN\ADMINISTRATORS S-1-5-32-544 (=0x220)
BUILTIN\USERS S-1-5-32-545 (=0x221)
BUILTIN\GUESTS S-1-5-32-546 (=0x222)
BUILTIN\ACCOUNT OPERATORS S-1-5-32-548 (=0x224)
BUILTIN\SERVER OPERATORS S-1-5-32-549 (=0x225)
BUILTIN\PRINT OPERATORS S-1-5-32-550 (=0x226)
BUILTIN\BACKUP OPERATORS S-1-5-32-551 (=0x227)
BUILTIN\REPLICATOR S-1-5-32-552 (=0x228)
\CREATOR OWNER S-1-3-0
NT AUTHORITY\NETWORK S-1-5-2
NT AUTHORITY\INTERACTIVE S-1-5-4
NT AUTHORITY\SYSTEM S-1-5-18
NT AUTHORITY\authenticated users S-1-5-11 *
NT AUTHORITY\LOCAL SERVICE S-1-5-19
NT AUTHORITY\NETWORK SERVICE S-1-5-
Those SIDs match what I found on our Samba system.
So, it's clear now that those SIDs are not accidentally truncated, but are
by design. How does this fit in the Samba rid_idmap?
Does anybody have a clue??
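
The SID shapes discussed in the post above, as an added example that is not part of the original message and is not Samba source code: it parses SID strings, separates domain account SIDs from the short BUILTIN and well-known ones, and models a RID-based mapper that only has a range for the configured domain SID. The function names and the offset arithmetic (unix id = range low + RID) are assumptions made for illustration; the domain SID and the 330-100000 range are taken from the post.

```python
# Added illustration: simplified model of RID-based SID-to-id mapping (not Samba code).
from typing import NamedTuple, Optional

class Sid(NamedTuple):
    authority: int
    subauths: tuple

    @property
    def domain(self) -> str:
        """The SID with its last sub-authority (the RID) stripped."""
        return "-".join(["S-1", str(self.authority), *map(str, self.subauths[:-1])])

    @property
    def rid(self) -> int:
        return self.subauths[-1]

def parse_sid(text: str) -> Sid:
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID with a sub-authority: {text!r}")
    authority, *subs = (int(p) for p in parts[2:])  # an empty field raises ValueError
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range in {text!r}")
    return Sid(authority, tuple(subs))

def classify(sid: Sid) -> str:
    if sid.authority == 5 and len(sid.subauths) == 5 and sid.subauths[0] == 21:
        return "domain account"        # S-1-5-21-<three domain values>-<RID>
    if sid.authority == 5 and len(sid.subauths) == 2 and sid.subauths[0] == 32:
        return "BUILTIN alias"         # S-1-5-32-<RID>, the same on every host
    return "other well-known SID"

def map_by_rid(sid_text: str, ranges: dict) -> Optional[int]:
    """ranges maps a domain SID to (low, high); None means no suitable range."""
    sid = parse_sid(sid_text)
    rng = ranges.get(sid.domain)
    if rng is None:
        return None                    # SID belongs to a domain with no configured range
    low, high = rng
    unix_id = low + sid.rid            # assumed offset arithmetic, see lead-in
    return unix_id if low <= unix_id <= high else None

# Domain SID and range as they appear in the post.
RANGES = {"S-1-5-21-431110786-547713429-883519231": (330, 100000)}

if __name__ == "__main__":
    for s in ("S-1-5-21-431110786-547713429-883519231-512", "S-1-5-32-544", "S-1-5-18"):
        print(s, "|", classify(parse_sid(s)), "|", map_by_rid(s, RANGES))
```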