[Samba] Group mapping giving incorrect GIDs

Eric Roseme eroseme at emonster.rose.hp.com
Thu Nov 10 23:26:09 GMT 2005

Gerald (Jerry) Carter wrote:

>Hash: SHA1
>Eric Roseme wrote:
>>a.nielsen at research.uq.edu.au wrote:
>>>I think I've narrowed down my problem to the fact that the group
>>>mapping is
>>>not giving me the same GID for all 'equivalent' groups, as seen here:
>>>$ net groupmap list
>>>DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1
>>>$ getent group unixgrp1
>>>$ getent group DOMAIN\\Group1
>>>This means that the GID of unixgrp1 is 203, however the GID of
>>>is completely different!  Given the group mapping, I was expecting
>>>that both
>>>groups would be returned with a GID of 203, so that according to the
>>>box both those groups are the same.
>group mapping on domain members is mutually exclusive with running
>winbindd.  Usually that is.
>If you do not define a idmap uid and idmap gid ranges, then winbindd
>should fall back to using the group mapping. and you better have
>mappings for all domain groups.  It's an all or none decision.
Jerry - just to be clear: you mean that winbindd must not be running (as 
opposed to just not defining idmap uid/gid ranges).  Testing shows that 
without winbindd running groupmap behaves just like you say - mapped 
UNIX groups work for domain user access on ugo permissions, and for 
"valid users".  With no idmap uid/gid winbindd will not start.

JHT - this would be useful in chapter 11 of the howto.  I read that 
chapter about 5 times looking for what I was missing when I could not 
make groupmapping work with "security = ads" and winbindd.  And I just 
bought my Second Edition.  Boo Hoo. 

My purpose for testing this was to answer an earlier post about group 
name length limitations on "valid user".  Our UNIX group name would only 
work up to 32 chars, but Windows allows 64 chars.  Also the Windows 
group had special characters that UNIX did not like. I thought I could 
work around this by mapping the long Windows group to a short Unix group 
(with security=ads).  But it did not work, due to winbindd (as you 
pointed out). 

Adam - can you describe your intended use of group mapping? I re-read 
your original post, and am wondering why you can't just add the 
winbind-mapped group directly to the folder (directory) ACL (as opposed 
to mapping a *ix group to the winbind-mapped group, then adding the *ix 
group to the ACL)?

Eric Roseme

More information about the samba mailing list