[Samba] question about sids and ads auth
jason.gerfen at scl.utah.edu
Wed Jun 4 16:54:28 GMT 2008
John H Terpstra wrote:
> On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
>> Ok so I have a problem and I am trying to figure something out in
>> regards to samba ads authentication, winbindd sid to uid/gid mapping and
>> why some domain accounts can map the samba share from linux and windows
>> when others cannot.
>> I have a few domain users that when they try to map a samba share when
>> the authentication takes place fine, the uid/gid seems to work, but in
>> the log.winbind-idmap I see the following lines:
>> idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
>> sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
>> gid [2,2,2279459400]
> Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
> Samba server. In other words, is it the same as the output of:
> net getlocalsid
No, not the same output.
> If not, then the above is a foreign SID and needs to be handled appropriately.
> The RID is the last value in the SID sequence of fields. The RID=513 is
> the "Domain Users" group well known account value. In fact, if you look at
> the log is says it could not resolve the sid_to_gid (that means it could not
> resolve the group ID to a local UNIX GID.
Just picked up on this portion of the SID
> If the domain SID is the same as your Samba server SID, this would suggest
> that if you execute "net groupmap list" you see that there is no mapping of
> the Windows group "Domain Users" to a UNIX group. You need to create it as
> net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513
> If the SID is not the same as your Samba server SID, then you need to do one
> of two things:
> a) Configure Samba to resolve all foreign domain SIDs as if they are local.
> You can do this by adding to smb.conf [globals]
> winbind user default domain = yes
winbind use default domain = yes? not sure if 'user' is a typo.
> b) You can configure the IDMAP backend appropriately for your version of Samba
> so it will allocate local UIDs and GIDs for all foreign SIDs.
I currently have the following configured for my AD users:
idmap config SCL:backend = ad
>> But if I do a winbind -n USERNAME I get the following sid
> That looks like a user account. What is the UID for this user?
1000011, this user actually is able to authenticate through AD as well
as map the drive. I am currently having a problem with some users not
able to map the drive due to 'error 67 occured' when running 'net use x:
\\server\share' from windows clients.
>> As you can see they do not match up, is the sid listed in the log a
>> system account like the netlogon or perhaps the trusted domain account
>> sid or something?
I have been looking through AD users in the CN=Users container and seem
to have some discrepancies with my rfc2307 attributes, let me modify
those and test some more.
> It is a group account, not a user account. If you create a file as that user,
> what is the ownership and group (under UNIX) of the resulting file?
> - John T.
More information about the samba