[Samba] Map sids to Unix UID and GID

Glenn Machin gmachin at sandia.gov
Tue Feb 3 15:16:23 GMT 2009

 > Do you have idmap configured?

Thanks for getting back. It looks like it is working now. I had idmap 
turned on and using tdb. All local accounts and groups on the system are 
managed via nss_ldap and a non-Windows directory. I turned on winbindd 
but did not configure it in nsswitch.conf for nss_ldap, so I could get 
SID to name mapping, but it did not resolve SID to uid. I also do 
domain name to local name mapping using "username map script:". 

I found a note talking about the "nss" backend. I used "idmap backend = 
nss" in the configuration file and that seems to do the job.  
I can now use any group that is listed in "getent group" and "getent 
passwd" and when I do a getfacl I see the proper acls on the file.

It took me a while to find a reference to "idmap backend = nss". Is 
this a well known backend? Is there any information describing what it 
does and how it does it?

I have included relevant smb.conf information below.

Thanks again.


[global]
;    You can change available to no if you want to prevent access
;    without shutting down smbd
    available = yes
;    %L = NetBIOS name, %v = Samba version, %u = user, %S = service,
;    %I = client IP, %U = session user, %G = primary group, %R = protocol,
;    %D = domain, %w = winbind separator, %H = home directory
    server string = "netbios->" %L Samba Server Version "version->" %v, "username->" %u, "service->" %S, "IP addr->" %I, "session username->" %U, "primary group->" %G, "protocol->" %R, "domain->" %D, "winbind separator->" %w, "home dir->" %H
    workgroup = ADDOMAIN
    netbios name = hostname
    encrypt passwords = yes
;    Kerberos via the host keytab; the AD realm and DCs are placeholders here
    use kerberos keytab = yes
;    Script that maps AD account names to the local (nss_ldap) account names
    username map script = /usr/local/bin/AD_to_localname.sh
    security = ADS
    realm = AD REALM
    use spnego = yes
    password server = AD domain-controllers

;    NTLMv1 and LanMan disabled on both the server and client side;
;    no guest fallback, and SMB signing required
    ntlm auth = no
    lanman auth = no
    client ntlmv2 auth = yes
    client lanman auth = no
    client use spnego = yes
    map to guest = never
    server signing = mandatory
;    Stay out of browser elections
    domain master = no
    local master = no
    preferred master = no

    wins support = no
    wins server = server-ip
    wins proxy = no
    dns proxy = no
    nt acl support = Yes
    acl map full control = yes
    acl check permissions = true
    acl group control = no
;    An unknown user ACL will be mapped to the connected user
    force unknown acl user = yes

    winbind enum groups = no
    winbind enum users = no
    winbind trusted domains only = no
;    nss backend: winbind resolves the SID to a name, the name is then
;    looked up through NSS (here nss_ldap) to get the uid/gid
    idmap backend = nss

John Drescher wrote:
> On Mon, Feb 2, 2009 at 6:31 PM, Glenn Machin <gmachin at sandia.gov> wrote:
>> I have a samba server running on a Linux RHEL5 system.   The system uses
>> nss_ldap and gets passwd and group information from a non-windows ldap
>> server.   The smb.conf file is using security=ads and spnego in order to
>> use Kerberos tickets rather than ntlmv2.
>> I have done a net ads join, and the authentication is working fine, however
>> when I try to set an ACL on a file from a windows client using a group
>> defined in Active Directory I get messages talking about not being able to
>> map the SID to a uid.
>> I don't want to use winbind for authentication.
>> So how do you map SID to uid and SID to gid?
> Do you have idmap configured?
> John
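The following is an added example, not code from the thread or from Samba: a small smb.conf parser plus a check of the settings the thread turns on (idmap backend, security = ADS, NTLM/LanMan, signing, guest mapping). The parser follows smb.conf conventions (';' and '#' comments, [section] headers, parameter names compared without case or whitespace); it assumes one parameter per line and does not handle backslash continuation. Both configuration strings are constructed: one is modelled on the posted [global] section, the other is a deliberately weaker contrast case.

```python
import re

# Constructed sample, modelled on the [global] settings posted in the message.
SAMPLE_SMB_CONF = """\
[global]
;   comment lines start with ';' or '#'
    available = yes
    security = ADS
    realm = AD REALM
    encrypt passwords = yes
    ntlm auth = no
    lanman auth = no
    client ntlmv2 auth = yes
    server signing = mandatory
    map to guest = never
    Username Map Script = /usr/local/bin/AD_to_localname.sh
    idmap backend = nss
"""

# Constructed contrast case: no idmap backend, NTLMv1 left on, signing optional.
WEAK_SMB_CONF = """\
[global]
    security = ADS
    ntlm auth = yes
    server signing = auto
"""


def normalize_key(key):
    """Samba compares parameter names case-insensitively and ignores whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized_param: value}}.

    Parameters seen before any [section] header are filed under 'global'.
    Assumption: one parameter per line (no backslash continuation).
    """
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not an assignment; smbd would warn and ignore it
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def is_true(value):
    """Samba boolean spellings: yes/true/1 are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(conf):
    """Return findings (list of strings) for the settings discussed in the thread."""
    g = conf.get("global", {})
    findings = []

    backend = g.get("idmapbackend")
    if backend is None:
        findings.append("idmap backend: not set, SIDs from AD cannot be mapped to uid/gid")
    elif backend.lower() == "nss":
        findings.append("idmap backend: nss, winbind resolves the SID to a name and the name "
                        "is looked up through NSS, so every mapped account must appear in "
                        "getent passwd / getent group")
    else:
        findings.append("idmap backend: %s" % backend)

    if g.get("security", "").lower() != "ads":
        findings.append("security: not ADS, Kerberos tickets from the domain will not be used")
    # Only flag values that are explicitly set; Samba's defaults differ between versions.
    if "ntlmauth" in g and is_true(g["ntlmauth"]):
        findings.append("ntlm auth: enabled, NTLMv1 responses are accepted")
    if "lanmanauth" in g and is_true(g["lanmanauth"]):
        findings.append("lanman auth: enabled, LanMan hashes are accepted")
    if g.get("serversigning", "").lower() != "mandatory":
        findings.append("server signing: not mandatory, unsigned SMB sessions are allowed")
    if g.get("maptoguest", "never").lower() != "never":
        findings.append("map to guest: %s, failed logons may fall back to guest" % g["maptoguest"])
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_SMB_CONF), ("weak config", WEAK_SMB_CONF)):
        print("== %s ==" % label)
        for finding in audit_global(parse_smb_conf(text)):
            print(" -", finding)
```

Run it as a script to see the findings for both samples; the posted configuration produces only the informational note about the nss backend, which is the reminder that matters in practice: with idmap_nss, an AD group can only be used in an ACL if "getent group" already knows the name winbind resolves the SID to.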

