[Samba] Account Unknown for users with Samba 3.0.11/14

William Jojo jojowil at hvcc.edu
Fri Jan 6 12:41:51 GMT 2006

----- Original Message ----- 
From: <James.Cort at u4eatech.com>
To: <samba at lists.samba.org>
Sent: Friday, January 06, 2006 4:48 AM
Subject: Re: [Samba] Account Unknown for users with Samba 3.0.11/14

> Quoting James.Cort at u4eatech.com:
> > Hi,
> >
> > I've got a problem with a samba server I inherited which I can't solve.
> >
> > I think it's the configuration rather than the version because I have
> > the same problem with a 3.0.14 and a 3.0.11 Samba server with almost
> > identical configurations.  Both authenticate against LDAP, one has an
> > old smbpasswd file which should no longer be in use.
> >
> > The issue is that when I click "Properties... Security" in Windows on
> > something shared on the samba server, all the groups come up OK but
> > users are displayed as  (for example) "Account Unknown
> > {S-1-5-21-4012146134-3166284455-2856603714-3038)".
> >
> > I've checked, and that account SID is correct. However, I'd expect it
> > to eventually resolve to a username - it doesn't.

Well, I'll bet you don't have a group mapping on the groups in question. Any
group that has no group mapping will show up as a local group in the
security tab. If there were a group maping it should show up as a group in a
trusted domain, unless there are no trusts, then it shows a SID value.

> Further investigation has shown that the LDAP server is queried for
> Group SIDs, but not for User SIDs.

Yep, that's correct for the Group SID, it's gathering information on the
group value of the filesystem object is my guess.

The user SID should have already been retrieved and stored in the security
context if that is the owner of the fs object. I'm assuming here that
extended ACL's are not involved.

If the SID for the user is not the SID for the DC, you will get unknown user
since LDAP holds the sambaSID and sambaPrimaryGroupSID for each user. In the
smbpasswd world, a users SID value is the servers since that info is not
stored in smbpasswd and the RID is algorithmically calculated (uid * 2 +
1000, by default).

The problem may not be the SID. It could be the RID. Is it possible the
owner of the file is a *number*? This would indicate a uid for a
non-existent user. This would fall to algorithmic calculation and possible
no entry in the LDAP database yielding your situation.

Another area that may not be so obvious - is the user in /etc/passwd and
LDAP? This would be horrible especially if the user has two different uid

And the obvious...do you have config and system information? How are uid
values gathered by the system? Same LDAP database? That's important to find

smb.conf, OS & version...



> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list