[Samba] Re: winbind: BUILTIN\users group gid 1001 conflict

Christoph Peus cp at peus.net
Sun Mar 25 10:19:59 GMT 2007

Don Piven wrote:
> Sez Christoph Peus:
>> Hi everybody,
>> I've joined a fileserver running samba 3.0.24 to an AD domain using 
>> winbind and noticed that samba maps the "users" group SID 
>> (5-1-5-32-545) to gid 1001 automatically. This seems to conflict with 
>> one of ~2000 mappings I had to "inject" in winbind's winbindd_idmap.tdb 
>> by use of net idmap dump/restore, because the fileserver had millions 
>> of files with certain uid/gid ownership from a local passwd/group 
>> before I did the "net ads join". The gid 1001 was allocated to the 
>> group "nawi" in /etc/group before.
>> I'm unsure now which problems could be caused by this regarding security.
>> Is it possible - and useful - to change this mapping to get a 
>> "BUILTIN\users" group as expected?
>> Thanks!
> Have you checked the "idmap" settings in your smb.conf?  In particular, 
> "idmap uid" and "idmap gid" specify the range of uid/gid values used to 
> map to SIDs.

Thanks for the hint, but both are set to 1000-60000, which is - as far 
as I know - the correct setting if domain users/groups SIDs shall 
resolve to uids/gids of this range. I assume that winbind should avoid 
using a uid/gid for BUILTIN-groups, which are already in use for a 
domain group, but maybe I got something totally wrong here. It's 
possible that I still haven't understood the idmap/groupmap scheme 
completely yet...
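
A check for the kind of collision described in this thread, as an added example that is not part of the original messages: it reads a saved `net idmap dump` file and a group file and reports every gid that is mapped to more than one SID or is also defined locally. The `GID <n> <SID>` line format is assumed from typical `net idmap dump` output; the function names, the domain SID and the group entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes dump lines look like "GID <n> <SID>" / "UID <n> <SID>";
# "USER HWM" / "GROUP HWM" lines and UID lines are ignored.

# idmap_gid_conflicts DUMP_FILE GROUP_FILE
# Prints one line per finding:
#   DUP   <gid> <sid> <sid>...         gid mapped to more than one SID
#   LOCAL <gid> <group> <sid>...       gid also defined in the local group file
idmap_gid_conflicts() {
    awk '
        # Pass 1: local group file (name:passwd:gid:members)
        pass == 1 { if ($0 !~ /^#/ && $3 != "") local_name[$3] = $1; next }
        # Pass 2: idmap dump, group mappings only
        $1 != "GID" { next }
        {
            gid = $2; sid = $3
            if (gid in sids) sids[gid] = sids[gid] " " sid
            else { sids[gid] = sid; order[++n] = gid }
            count[gid]++
        }
        END {
            for (i = 1; i <= n; i++) {
                gid = order[i]
                if (count[gid] > 1) print "DUP", gid, sids[gid]
                if (gid in local_name) print "LOCAL", gid, local_name[gid], sids[gid]
            }
        }
    ' pass=1 FS=: "$2" pass=2 FS=' ' "$1"
}

# Runs the check on constructed sample data (not taken from a real server).
sample_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'nawi:x:1001:' 'staff:x:50:' > "$d/group"
    printf '%s\n' \
        'USER HWM 1003' 'GROUP HWM 1003' \
        'UID 1000 S-1-5-21-1111111111-2222222222-3333333333-1104' \
        'GID 1000 S-1-5-21-1111111111-2222222222-3333333333-513' \
        'GID 1001 S-1-5-21-1111111111-2222222222-3333333333-1105' \
        'GID 1001 S-1-5-32-545' \
        'GID 1002 S-1-5-32-544' > "$d/dump"
    idmap_gid_conflicts "$d/dump" "$d/group"
    rc=$?
    rm -rf "$d"
    return $rc
}

sample_check
```

On a live system the first argument would be a file saved from `net idmap dump` and the second `/etc/group`.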


