[Samba] BUILTIN-Groups break winbind_idmap

Thorsten Leiser t.leiser at synchron-is.de
Tue Apr 27 10:40:29 MDT 2010


I want to migrate from samba 3.2.6-37 (sernet-built on sles9) to
3.3.12-25 (sernet-built on debian lenny). It's a domain member server in
a w2k3 AD with all company files on it. I migrated the smb.conf and
moved the winbindd_idmap.tdb to the lenny server. The winbind idmap
options are still the same, with tdb as idmap backend, and don't conflict
with entries of /etc/group and /etc/passwd. My gid range starts at 10000
(10000 was originally mapped by winbind to domain-users). Now on lenny
it seems that samba overrides the winbindd_idmap of the domain-users to
BUILTIN\administrators. A "wbinfo -Y S-1-5-32-544" with a result of
10000 confirmed my assumptions. I don't know why samba behaves like
this. For further analysis I attach the global section of the smb.conf.

Does anyone have an idea?


    unix charset = ISO8859-15
    display charset = ISO8859-15
    workgroup = SCHARRNET
    realm = SCHARRNET.DE
    server string =
    interfaces =, eth0
    bind interfaces only = Yes
    security = ADS
    password server = OMBRE DC1
    log level = 2
    load printers = No
    printcap name = cups
    add share command = /usr/local/bin/modify_samba_config.pl
    change share command = /usr/local/bin/modify_samba_config.pl
    delete share command = /usr/local/bin/modify_samba_config.pl
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind cache time = 900
    winbind enum users = Yes
    winbind enum groups = Yes
    ea support = Yes
    map acl inherit = Yes
    hide unreadable = Yes
    veto oplock files = /*.mdb/*.MDB/
    store dos attributes = Yes
    dos filemode = Yes
    dos filetime resolution = Yes


Thorsten Leiser
SYNCHRON Gesellschaft für betriebswirtschaftliche
Beratung und Informationssysteme mbH
Liebknechtstr. 50

70565 Stuttgart-Vaihingen
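
Added example, not part of the original post and not Samba code: a check over a text dump of winbindd_idmap.tdb for the symptom described above, where one gid ends up answering for two SIDs. It assumes the dump was made with tdbdump, that records are stored in both directions ("SID" -> "GID n" and "GID n" -> "SID"), and it uses constructed SIDs.

```python
import re
from collections import defaultdict

# Constructed sample in the layout tdbdump prints (assumed); the domain SID is made up.
SAMPLE_DUMP = r'''{
key(25) = "S-1-5-21-111-222-333-513\00"
data(10) = "GID 10000\00"
}
{
key(10) = "GID 10000\00"
data(13) = "S-1-5-32-544\00"
}
{
key(13) = "S-1-5-32-544\00"
data(10) = "GID 10000\00"
}'''

# One dump line: key(len) = "text\00" or data(len) = "text\00"
LINE = re.compile(r'^(key|data)\(\d+\) = "(.*?)(?:\\00)?"$')

def parse_records(dump_text):
    """Yield (key, value) pairs, trailing NUL escape stripped."""
    key = None
    for raw in dump_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, text = m.groups()
        if kind == "key":
            key = text
        elif key is not None:
            yield key, text
            key = None

def audit(dump_text):
    """Return (ids claimed by several SIDs, SIDs whose reverse record points elsewhere)."""
    sid_to_id, id_to_sid = {}, {}
    for key, value in parse_records(dump_text):
        if key.startswith("S-1-"):
            sid_to_id[key] = value
        elif key.startswith(("UID ", "GID ")):
            id_to_sid[key] = value
    claims = defaultdict(list)
    for sid, unix_id in sid_to_id.items():
        claims[unix_id].append(sid)
    shared = {i: sorted(s) for i, s in claims.items() if len(s) > 1}
    stale = sorted(s for s, i in sid_to_id.items() if id_to_sid.get(i) != s)
    return shared, stale
```

Any entry in the first result means files owned by that gid are granted to every SID listed for it, so the dump should be audited before the migrated server goes back into service.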
