[Samba] Setting ACLs from Windows via member server

Mark Dieterich mkd at cs.brown.edu
Wed Feb 23 12:49:27 MST 2011

Associated question...

When I perform the following lookup on a member server:

> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid

When the result is not cached on the machine doing the lookup (which by 
the way I can't keep it from caching results even when I toss the "-n" 
flag on winbindd), I see traffic between the member server and PDC. 
Good.  The PDC has access to all the information it needs to resolve 
this query, it's all contained within a user/group entry in LDAP. 
However, I can see no evidence it is trying to resolve this.  If idmap 
is the portion responsible for this resolution, doesn't it make sense 
that I should be running idmap_ldap on the PDC?

I've been looking over the LDAP schema and it has the following:

objectclass ( NAME 'sambaIdmapEntry' SUP top 
         DESC 'Mapping from a SID to an ID'
         MUST ( sambaSID )
         MAY ( uidNumber $ gidNumber ) )

which I do NOT have defined in our LDAP db.  I'm planning to just toss 
this in to see whether it helps, but still don't fully understand where 
the idmap_ldap stuff should be defined...

Sorry, the pieces just aren't falling into place.  Hopefully, I'm not the 
only one struggling with this and the resulting discussions can someday 
help others.
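As an added example (not from this thread or the Samba project): a Python sketch of what an idmap_ldap mapping for the SID above looks like in LDAP, using the sambaIdmapEntry attributes quoted in the message, plus the checks worth running before writing such an entry by hand. The idmap suffix, uid range and existing mappings are constructed, and the sambaSidEntry structural class is assumed from samba.schema.

```python
"""Constructed example: a SID-to-uid mapping as idmap_ldap would store it."""
import re
from typing import Dict, Optional, Tuple

SID_PATTERN = re.compile(r"S-1-\d+(?:-\d+){1,15}")


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-7214' into (domain SID, RID); reject malformed input."""
    if not SID_PATTERN.fullmatch(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def lookup_uid(sid: str, idmap_entries: Dict[str, int]) -> Optional[int]:
    """Mimic 'wbinfo -S' against the sambaIdmapEntry objects: None means no mapping."""
    parse_sid(sid)
    return idmap_entries.get(sid)


def idmap_entry_ldif(sid: str, domain_sid: str, uid_range: Tuple[int, int],
                     uid: int, idmap_entries: Dict[str, int], idmap_suffix: str) -> str:
    """LDIF for one sambaIdmapEntry (MUST sambaSID, MAY uidNumber).

    Refuses foreign-domain SIDs, uids outside the configured idmap range, and
    uids already mapped to another SID: a duplicate mapping would let two
    domain accounts share one POSIX identity on the filesystem.
    """
    domain, _rid = parse_sid(sid)
    if domain != domain_sid:
        raise ValueError("SID is not from the joined domain")
    low, high = uid_range
    if not low <= uid <= high:
        raise ValueError(f"uid {uid} outside idmap range {low}-{high}")
    if uid in idmap_entries.values():
        raise ValueError(f"uid {uid} already mapped to another SID")
    return "\n".join([
        f"dn: sambaSID={sid},{idmap_suffix}",
        "objectClass: sambaIdmapEntry",
        "objectClass: sambaSidEntry",  # structural class, assumed from samba.schema
        f"sambaSID: {sid}",
        f"uidNumber: {uid}",
    ]) + "\n"


# Constructed sample data: the domain SID from the thread, a fake suffix and range.
DOMAIN_SID = "S-1-5-21-2830206405-3223145701-231191277"
IDMAP_SUFFIX = "ou=Idmap,dc=example,dc=com"
UID_RANGE = (10000, 19999)
EXISTING = {DOMAIN_SID + "-1000": 10000}

if __name__ == "__main__":
    sid = DOMAIN_SID + "-7214"
    if lookup_uid(sid, EXISTING) is None:  # the failure wbinfo reported
        print(idmap_entry_ldif(sid, DOMAIN_SID, UID_RANGE, 10001, EXISTING, IDMAP_SUFFIX))
```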


