[Samba] question about sids and ads auth
John H Terpstra
jht at samba.org
Wed Jun 4 16:17:42 GMT 2008
On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
> Ok so I have a problem and I am trying to figure something out in
> regards to samba ads authentication, winbindd sid to uid/gid mapping and
> why some domain accounts can map the samba share from linux and windows
> when others cannot.
> I have a few domain users that when they try to map a samba share when
> the authentication takes place fine, the uid/gid seems to work, but in
> the log.winbind-idmap I see the following lines:
> idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
> sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
> gid [2,2,2279459400]
Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
Samba server. In other words, is it the same as the output of:
If not, then the above is a foreign SID and needs to be handled appropriately.
The RID is the last value in the SID sequence of fields. The RID=513 is
the "Domain Users" group well known account value. In fact, if you look at
the log is says it could not resolve the sid_to_gid (that means it could not
resolve the group ID to a local UNIX GID.
If the domain SID is the same as your Samba server SID, this would suggest
that if you execute "net groupmap list" you see that there is no mapping of
the Windows group "Domain Users" to a UNIX group. You need to create it as
net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513
If the SID is not the same as your Samba server SID, then you need to do one
of two things:
a) Configure Samba to resolve all foreign domain SIDs as if they are local.
You can do this by adding to smb.conf [globals]
winbind user default domain = yes
b) You can configure the IDMAP backend appropriately for your version of Samba
so it will allocate local UIDs and GIDs for all foreign SIDs.
> But if I do a winbind -n USERNAME I get the following sid
That looks like a user account. What is the UID for this user?
> As you can see they do not match up, is the sid listed in the log a
> system account like the netlogon or perhaps the trusted domain account
> sid or something?
It is a group account, not a user account. If you create a file as that user,
what is the ownership and group (under UNIX) of the resulting file?
- John T.
More information about the samba