[Samba] Winbind problem: can't convert sids and gids
Rob.Moser at nau.edu
Wed Jun 23 13:57:06 MDT 2010
I've had the problem with various versions of 3.3.x - most recently
3.3.8 and 3.3.12. I have an older machine running 3.2.8 which works
fine using essentially an identical smb.conf file.
My smb.conf file also has the idmap entries for each trusted domain,
with non-overlapping id ranges. I did see the manual mapping option in
wbinfo, but we have a fairly dynamic user base, so manual configuration
didn't seem viable.
Thanks for your help though! Hopefully someone can tell us both how to
get the automatic mapping working...
On 06/23/2010 12:04 PM, Gaiseric Vandal wrote:
> Which samba version?
> I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and
> gids to users and groups from trusted domain (at least to Windows 2003
> domains in mixed mode.) When I switched to a Samba 3.4.x PDC the
> allocation of new uids and gids broke. I suspect there is some
> configuration change in smb.conf I needed to make that was not obvious
> (to me) in the documenation.
> I have an ldap backend- but temporarily changing to a TDB backend
> didn't help.
> I worked around this by manually allocating uids and gids. With ldap
> you can do this with an ldap editor. But you can also use the wbinfo
> command to manuallly create uid-to-sid or gid-to-sid mappings with ldap
> or tdb backend.
> It isn't really a long term solution but fortunately account
> additions/deletions are minimal where I work.
> I did have idmap entries in smb.conf for each domain I wanted to trust,
> in addition to the entries you listed.
> On 06/23/2010 02:24 PM, Rob Moser wrote:
>> I have a problem where I can't browse to a samba share from Windows
>> (Server 2008); instead I get the error:
>> The group name could not be found
>> The winbind log contains the message:
>> could not convert gid 507 to sid
>> Suspecting a permissions problem, I went and looked at the files and the
>> group ownership has been set to BUILTIN\guests, which is not what I
>> want. So I try to chgrp them to the domain group:
>> chgrp -R 'dss users' /file
>> chgrp: invalid group `dss users'
>> But I know that that is the domain group that I want:
>> wbinfo -g | grep dss
>> dss users
>> wbinfo -n 'dss users'
>> S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
>> But winbind apparently cannot resolve it to a gid:
>> wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
>> Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
>> to gid
>> My nsswitch.conf file does list winbind for users and groups. My
>> smb.conf file contains (in part, obviously):
>> idmap alloc backend = tdb
>> idmap alloc config:range = 10000 - 4000000
>> idmap uid = 10000 - 4000000
>> idmap gid = 10000 - 4000000
>> winbind enum users = no
>> winbind enum groups = no
>> winbind nested groups = yes
>> winbind use default domain = yes
>> So it is using a default domain (the correct one; I checked) and I'm not
>> just running out of gids. My various /var/log/samba/log.* files contain
>> almost exactly nothing from the time of the transaction.
>> Any help appreciated,
>> - rob.
More information about the samba