[Samba] Winbind problem: can't convert sids and gids

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jun 23 13:04:59 MDT 2010

Which samba version?

I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and 
gids to users and groups from trusted domain (at least to Windows 2003 
domains in mixed mode.)  When I switched to a Samba 3.4.x PDC the 
allocation of new uids and gids broke.    I suspect there is some 
configuration change in smb.conf I needed to make that was not obvious 
(to me) in the documenation.

I have an ldap backend-  but temporarily changing to a TDB backend 
didn't help.

I worked around this by manually allocating uids and gids.    With ldap 
you can do this with an ldap editor.    But you can also use the wbinfo 
command to manuallly create uid-to-sid or gid-to-sid mappings with ldap 
or tdb backend.

It isn't really a long term solution but fortunately account 
additions/deletions are minimal where I work.

I did have idmap entries in smb.conf  for each domain I wanted to trust, 
in addition to the entries you listed.

On 06/23/2010 02:24 PM, Rob Moser wrote:

> I have a problem where I can't browse to a samba share from Windows
> (Server 2008); instead I get the error:
> The group name could not be found
> The winbind log contains the message:
> could not convert gid 507 to sid
> Suspecting a permissions problem, I went and looked at the files and the
> group ownership has been set to BUILTIN\guests, which is not what I
> want.  So I try to chgrp them to the domain group:
> chgrp -R 'dss users' /file
> chgrp: invalid group `dss users'
> But I know that that is the domain group that I want:
> wbinfo -g | grep dss
> dss users
> wbinfo -n 'dss users'
> S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
> But winbind apparently cannot resolve it to a gid:
> wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
> Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
> to gid
> My nsswitch.conf file does list winbind for users and groups.  My
> smb.conf file contains (in part, obviously):
>          idmap alloc backend = tdb
>          idmap alloc config:range = 10000 - 4000000
>          idmap uid = 10000 - 4000000
>          idmap gid = 10000 - 4000000
>          winbind enum users = no
>          winbind enum groups = no
>          winbind nested groups = yes
>          winbind use default domain = yes
> So it is using a default domain (the correct one; I checked) and I'm not
> just running out of gids.  My various /var/log/samba/log.* files contain
> almost exactly nothing from the time of the transaction.
> Any help appreciated,
>       - rob.

More information about the samba mailing list