[Samba] Question about AD user/ACL mapping

Knox, Bill wknox at mitre.org
Thu Mar 15 21:25:25 GMT 2007

Yes - I assumed that is what is allowing it to work if I create a
fred_smith user on the Unix box (which then works fine), and what is
letting wbinfo work. It seems to really be the mapping that would be
required to make winbindd know that fred_smith in the domain is the
same as freddy on the Unix box.

                  Bill Knox
                  Lead Operating Systems Programmer/Analyst
                  The MITRE Corporation

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Thursday, March 15, 2007 5:17 PM
To: Knox, Bill
Cc: samba at lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping

On Thu, Mar 15, 2007 at 03:16:47PM -0400, Knox, Bill wrote:
> Yes, in the security-tab when I am trying to add an ACL to a file on
> the Samba share.
> Let me extend the example a bit to explain what we are doing:
> The server has a local username freddy, and the domain contains a
> fred_smith
> The usernamemap file contains:
> freddy = DOMAIN\fred_smith
> When I try to add permissions for fred_smith in the security tab on
> Windows, I get an error in the log file like this:
> [2007/03/14 15:17:38, 0]
>   create_canon_ace_lists: unable to map SID
> However, I can access shares as fred_smith and my access gets mapped to
> the freddy user, and I can run wbinfo -n fred_smith on the box to get
> the SID back.
> When viewing ACLs in the tab that are set on the filesystem itself,
> they come back as "<username> (Unix User\<username>)" in the listing
> as well.
> It would also work if there were a tool to manually populate the
> winbindd_idmap.tdb file - does such a thing exist that is fairly
> useable? What are the implications for my interaction with the AD if
> I did something as screwball as that?

Ok, this is the function: sid_to_uid() or sid_to_gid()
failing to return a valid value. Are you running
winbindd here?

