[Samba] Winbind problem: can't convert sids and gids

Rob Moser Rob.Moser at nau.edu
Wed Jun 23 13:57:06 MDT 2010

I've had the problem with various versions of 3.3.x - most recently
3.3.8 and 3.3.12.  I have an older machine running 3.2.8 which works
fine using essentially an identical smb.conf file.

My smb.conf file also has the idmap entries for each trusted domain,
with non-overlapping id ranges.  I did see the manual mapping option in
wbinfo, but we have a fairly dynamic user base, so manual configuration
didn't seem viable.

Thanks for your help though!  Hopefully someone can tell us both how to
get the automatic mapping working...

     - rob.

On 06/23/2010 12:04 PM, Gaiseric Vandal wrote:
> Which samba version?
> I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and 
> gids to users and groups from trusted domain (at least to Windows 2003 
> domains in mixed mode.)  When I switched to a Samba 3.4.x PDC the 
> allocation of new uids and gids broke.    I suspect there is some 
> configuration change in smb.conf I needed to make that was not obvious 
> (to me) in the documenation.
> I have an ldap backend-  but temporarily changing to a TDB backend 
> didn't help.
> I worked around this by manually allocating uids and gids.    With ldap 
> you can do this with an ldap editor.    But you can also use the wbinfo 
> command to manuallly create uid-to-sid or gid-to-sid mappings with ldap 
> or tdb backend.
> It isn't really a long term solution but fortunately account 
> additions/deletions are minimal where I work.
> I did have idmap entries in smb.conf  for each domain I wanted to trust, 
> in addition to the entries you listed.
> On 06/23/2010 02:24 PM, Rob Moser wrote:
>> I have a problem where I can't browse to a samba share from Windows
>> (Server 2008); instead I get the error:
>> The group name could not be found
>> The winbind log contains the message:
>> could not convert gid 507 to sid
>> Suspecting a permissions problem, I went and looked at the files and the
>> group ownership has been set to BUILTIN\guests, which is not what I
>> want.  So I try to chgrp them to the domain group:
>> chgrp -R 'dss users' /file
>> chgrp: invalid group `dss users'
>> But I know that that is the domain group that I want:
>> wbinfo -g | grep dss
>> dss users
>> wbinfo -n 'dss users'
>> S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
>> But winbind apparently cannot resolve it to a gid:
>> wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
>> Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
>> to gid
>> My nsswitch.conf file does list winbind for users and groups.  My
>> smb.conf file contains (in part, obviously):
>>          idmap alloc backend = tdb
>>          idmap alloc config:range = 10000 - 4000000
>>          idmap uid = 10000 - 4000000
>>          idmap gid = 10000 - 4000000
>>          winbind enum users = no
>>          winbind enum groups = no
>>          winbind nested groups = yes
>>          winbind use default domain = yes
>> So it is using a default domain (the correct one; I checked) and I'm not
>> just running out of gids.  My various /var/log/samba/log.* files contain
>> almost exactly nothing from the time of the transaction.
>> Any help appreciated,
>>       - rob.

More information about the samba mailing list