[Samba] question about sids and ads auth

John H Terpstra jht at samba.org
Wed Jun 4 16:17:42 GMT 2008

On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
> Ok so I have a problem and I am trying to figure something out in
> regards to samba ads authentication, winbindd sid to uid/gid mapping and
> why some domain accounts can map the samba share from linux and windows
> when others cannot.
> I have a few domain users that when they try to map a samba share when
> the authentication takes place fine, the uid/gid seems to work, but in
> the log.winbind-idmap I see the following lines:
>    idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
>    sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
> gid [2,2,2279459400]

Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the 
Samba server. In other words, is it the same as the output of:

	net getlocalsid

If not, then the above is a foreign SID and needs to be handled appropriately.

The RID is the last value in the SID sequence of fields.  The RID=513 is 
the "Domain Users" group well known account value.  In fact, if you look at 
the log is says it could not resolve the sid_to_gid (that means it could not 
resolve the group ID to a local UNIX GID.

If the domain SID is the same as your Samba server SID, this would suggest 
that if you execute "net groupmap list" you see that there is no mapping of 
the Windows group "Domain Users" to a UNIX group.  You need to create it as 

net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513

If the SID is not the same as your Samba server SID, then you need to do one 
of two things:

a) Configure Samba to resolve all foreign domain SIDs as if they are local. 
You can do this by adding to smb.conf [globals]
	winbind user default domain = yes


b) You can configure the IDMAP backend appropriately for your version of Samba 
so it will allocate local UIDs and GIDs for all foreign SIDs.

> But if I do a winbind -n USERNAME I get the following sid
> S-1-5-21-2868754479-89028146-2101856903-88482

That looks like a user account. What is the UID for this user?

> As you can see they do not match up, is the sid listed in the log a
> system account like the netlogon or perhaps the trusted domain account
> sid or something?

It is a group account, not a user account. If you create a file as that user, 
what is the  ownership and group (under UNIX) of the resulting file?

- John T.

More information about the samba mailing list