[Samba] Idmap creates unnecessary group entry

Martin Werthmöller mw at lw-systems.de
Tue Jan 15 20:00:40 GMT 2008

Hi Samba users,

I've got a problem with a samba/ldap setup. When I set an ACL for a domain
group on a Windows client, a group mapping entry is created in the
Idmap ou on the LDAP server.

I looked at the OpenLDAP logfiles. There, the server sends a search
request for the domain group SID to the LDAP backend and retrieves an
entry back:

  Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH base="ou=Groups,dc=lw-systems,dc=net" scope=2 deref=0
  Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
  Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=

The Samba log files show that no entry was found.

  [2008/01/15 20:19:25, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3

  [2008/01/15 20:19:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1570)
    ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-4205727931-4131263253-1851132061-3019] count=0

  [2008/01/15 20:19:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2200)
    init_group_from_ldap: Entry found for group: 1009

  [2008/01/15 20:19:25, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2

I guess the Idmap entry is created because the Samba server assumes that
no group SID is available at the backend.

Does anyone have any ideas about this behavior?

Maybe it's my misunderstanding of the idmapping in Samba...

Best regards,
Martin Werthmoeller

LWsystems - IT-Service and Consulting
mw at lw-systems.de * http://www.lw-systems.de
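A small log parser, added here as an example and not part of the original message or of Samba, that pairs each `ldapsam_getsampwsid: Unable to locate SID ... count=N` line with the `init_group_from_ldap: Entry found for group:` line that follows it, and reads the `nentries` count out of the slapd `SEARCH RESULT` lines, so the two logs quoted above can be compared side by side. The sample lines are constructed after the ones in the post, including the wrapped SID line.

```python
import re

# Constructed sample lines, modelled on the ones quoted in the post (the quoted
# Samba log wraps the SID onto a continuation line, and that wrapping is kept here).
SAMBA_LOG = """\
[2008/01/15 20:19:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1570)
  ldapsam_getsampwsid: Unable to locate SID
  [S-1-5-21-4205727931-4131263253-1851132061-3019] count=0
[2008/01/15 20:19:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2200)
  init_group_from_ldap: Entry found for group: 1009
"""

SLAPD_LOG = """\
Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SRCH base="ou=Groups,dc=lw-systems,dc=net" scope=2 deref=0
Jan 15 20:19:24 225 slapd[4518]: conn=190 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SID_RE = re.compile(r"Unable to locate SID\s*\[(S-[\d-]+)\]\s*count=(\d+)")
GID_RE = re.compile(r"Entry found for group:\s*(\d+)")
SLAPD_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+)")


def samba_lookups(text):
    """Return one (sid, user_count, gid) tuple per SID lookup in a Samba log.

    user_count is the count= value from ldapsam_getsampwsid (a user lookup);
    gid is the group id from the init_group_from_ldap line that follows it,
    or None if the SID was never resolved as a group.
    """
    flat = re.sub(r"\n[ \t]+", " ", text)  # re-join wrapped/indented continuation lines
    lookups, pending = [], None
    for line in flat.splitlines():
        m = SID_RE.search(line)
        if m:
            pending = [m.group(1), int(m.group(2)), None]
            lookups.append(pending)
            continue
        g = GID_RE.search(line)
        if g and pending is not None:
            pending[2] = int(g.group(1))
            pending = None
    return [tuple(entry) for entry in lookups]


def slapd_results(text):
    """Map (conn, op) of each slapd SEARCH RESULT line to its nentries count."""
    return {(int(c), int(o)): int(n) for c, o, n in SLAPD_RE.findall(text)}


if __name__ == "__main__":
    for sid, users, gid in samba_lookups(SAMBA_LOG):
        print(sid, "user entries:", users, "resolved as group gid:", gid)
    print("slapd search results:", slapd_results(SLAPD_LOG))
```

Run against real log files, a lookup whose tuple ends in `None` is one where the SID matched neither a user nor a group in the backend.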
