[Samba] Winbind problem: can't convert sids and gids
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Jun 23 13:04:59 MDT 2010
Which samba version?
I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and
gids to users and groups from trusted domain (at least to Windows 2003
domains in mixed mode.) When I switched to a Samba 3.4.x PDC the
allocation of new uids and gids broke. I suspect there is some
configuration change in smb.conf I needed to make that was not obvious
(to me) in the documenation.
I have an ldap backend- but temporarily changing to a TDB backend
didn't help.
I worked around this by manually allocating uids and gids. With ldap
you can do this with an ldap editor. But you can also use the wbinfo
command to manuallly create uid-to-sid or gid-to-sid mappings with ldap
or tdb backend.
It isn't really a long term solution but fortunately account
additions/deletions are minimal where I work.
I did have idmap entries in smb.conf for each domain I wanted to trust,
in addition to the entries you listed.
On 06/23/2010 02:24 PM, Rob Moser wrote:
> I have a problem where I can't browse to a samba share from Windows
> (Server 2008); instead I get the error:
>
> The group name could not be found
>
> The winbind log contains the message:
>
> could not convert gid 507 to sid
>
> Suspecting a permissions problem, I went and looked at the files and the
> group ownership has been set to BUILTIN\guests, which is not what I
> want. So I try to chgrp them to the domain group:
>
> chgrp -R 'dss users' /file
> chgrp: invalid group `dss users'
>
> But I know that that is the domain group that I want:
>
> wbinfo -g | grep dss
> dss users
>
> wbinfo -n 'dss users'
> S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
>
> But winbind apparently cannot resolve it to a gid:
>
> wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
> Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
> to gid
>
> My nsswitch.conf file does list winbind for users and groups. My
> smb.conf file contains (in part, obviously):
>
> idmap alloc backend = tdb
> idmap alloc config:range = 10000 - 4000000
> idmap uid = 10000 - 4000000
> idmap gid = 10000 - 4000000
>
> winbind enum users = no
> winbind enum groups = no
> winbind nested groups = yes
> winbind use default domain = yes
>
> So it is using a default domain (the correct one; I checked) and I'm not
> just running out of gids. My various /var/log/samba/log.* files contain
> almost exactly nothing from the time of the transaction.
>
> Any help appreciated,
>
> - rob.
>
>
More information about the samba
mailing list