[Samba] Settings ACLS from Windows via member server

John H Terpstra jht at samba.org
Wed Feb 23 14:30:44 MST 2011

On 02/24/2011 06:49 AM, Mark Dieterich wrote:
> Associated question...
> When I perform the following looking up on a member server:
>> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
>> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to
>> uid
> When the result is not cached on the machine doing the lookup (which by
> the way I can't keep it from caching results even when I toss the "-n"
> flag on winbindd), I see traffic between the member server and PDC.
> Good.  The PDC has access to all the information in needs to resolve
> this query, it's all contained within a user/group entry in LDAP.
> However, I can see no evidence it is trying to resolve this.  If idmap
> is the portion responsible for this resolution, doesn't it make sense
> that I should be running idmap_ldap on the PDC?
> I've been looking over the LDAP schema and it has the following:
> objectclass ( NAME 'sambaIdmapEntry' SUP top
>         DESC 'Mapping from a SID to an ID'
>         MUST ( sambaSID )
>         MAY ( uidNumber $ gidNumber ) )
> which I do NOT have defined in our LDAP db.  I'm planning to just toss
> this in to see whether it helps, but still don't fully understand where
> the idmap_ldap stuff should be defined...
> Sorry the pieces just aren't falling into place.  Hopefully, I'm not the
> only one struggling with this and the resulting discussions can someday
> help others.
> Mark

As mentioned in my previous response, it is best to let smbd (via the
idmap handler) automatically create these entries as they are needed.
Using nss_ldap to share a common mapping across all domain member
servers is a "good thing"(tm).

- John T.

More information about the samba mailing list