[Samba] "net idmap dump" and "wbinfo" shows different GIDs for same SID
Pavel Bychykhin
bychykhin.p.n at hts.kh.ua
Fri Sep 20 10:12:07 MDT 2013
Hi!
I apologize for my poor English, but I have a question.
This question is shorter than the one I posted not so long ago
(https://lists.samba.org/archive/samba/2013-September/175649.html) and
received no answer for a while. In this question I took a log from a
different server, but this does not matter: the problem persists on all of
my servers.
So, my OS is FreeBSD 9.0, and my Samba is 3.6.18, acting as a domain member.
Suppose I have a local group "samba_sge_public_createdir", created with
"NET SAM CREATELOCALGROUP".
"getent" and "wbinfo" show this group with GID 30002 and SID
S-1-5-21-2085021927-1344845373-2015074135-1012.
But "net idmap dump" shows this group with GID 30008 and shows no group
with GID 30002 at all.
[root at srv-8cf8 ~]# getent group samba_sge_public_createdir
SRV-8CF8\samba_sge_public_createdir:x:30002
[root at srv-8cf8 ~]# wbinfo --gid-to-sid 30002
S-1-5-21-2085021927-1344845373-2015074135-1012
[root at srv-8cf8 ~]# wbinfo --sid-to-gid S-1-5-21-2085021927-1344845373-2015074135-1012
30002
[root at srv-8cf8 ~]# net idmap dump
dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 30013 S-1-5-21-2085021927-1344845373-2015074135-513
GID 30009 S-1-5-21-2085021927-1344845373-2015074135-1010
GID 30024 S-1-5-21-2085021927-1344845373-2015074135-1023
GID 30014 S-1-5-21-2085021927-1344845373-2015074135-1014
GID 30006 S-1-5-11
GID 30007 S-1-5-32-546
GID 30018 S-1-5-21-2085021927-1344845373-2015074135-1018
GID 30010 S-1-5-21-2085021927-1344845373-2015074135-1011
USER HWM 30002
GID 30022 S-1-5-21-2085021927-1344845373-2015074135-1021
UID 30000 S-1-5-21-2085021927-1344845373-2015074135-1015
GID 30008 S-1-5-21-2085021927-1344845373-2015074135-1012
GID 30023 S-1-5-21-2085021927-1344845373-2015074135-1022
UID 30001 S-1-5-21-2085021927-1344845373-2015074135-1016
GID 30004 S-1-1-0
GID 30005 S-1-5-2
GROUP HWM 30025
GID 30011 S-1-5-21-2085021927-1344845373-2015074135-1013
[root at srv-8cf8 ~]# net cache list|grep S-1-5-21-2085021927-1344845373-2015074135-1012
Key: IDMAP/GID2SID/30002 Timeout: Tue Sep 24 10:41:25 2013
Value: S-1-5-21-2085021927-1344845373-2015074135-1012
Key: IDMAP/GID2SID/30008 Timeout: Tue Sep 17 12:24:22 2013
Value: S-1-5-21-2085021927-1344845373-2015074135-1012 (expired)
Key: IDMAP/SID2GID/S-1-5-21-2085021927-1344845373-2015074135-1012
Timeout: Tue Sep 24 10:41:25 2013 Value: 30002
Such a problem arises from time to time, and my users can't access
shares because Samba thinks they aren't members of a certain group.
Help me, please. How can I solve the problem? I'm really troubled :(
My Samba global config:
[global]
dos charset = CP866
workgroup = HTS
realm = HTS.KH.UA
server string =
security = ADS
map to guest = Bad Password
local master = No
wins server = 192.168.32.5
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 3
winbind nss info = rfc2307
winbind max domain connections = 50
idmap config HTS : schema_mode = rfc2307
idmap config HTS : range = 10000-29999
idmap config HTS : backend = ad
idmap config HTS : default = yes
idmap config * : range = 30000-59999
idmap config * : backend = tdb
--
Best regards,
Pavel
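
Added example, not part of the original post: a Python check that compares the mappings printed by "net idmap dump" with the IDMAP entries printed by "net cache list" and reports every SID for which the two disagree, as they do for the group above. It assumes both outputs have the line formats quoted in the post; the function names are hypothetical, and the sample input is a few lines taken from the post.

```python
import re

# Sample input: lines taken from the outputs quoted in the post above.
IDMAP_DUMP = """\
GID 30013 S-1-5-21-2085021927-1344845373-2015074135-513
USER HWM 30002
UID 30000 S-1-5-21-2085021927-1344845373-2015074135-1015
GID 30008 S-1-5-21-2085021927-1344845373-2015074135-1012
GROUP HWM 30025
"""
CACHE_LIST = """\
Key: IDMAP/GID2SID/30002 Timeout: Tue Sep 24 10:41:25 2013
Value: S-1-5-21-2085021927-1344845373-2015074135-1012
Key: IDMAP/GID2SID/30008 Timeout: Tue Sep 17 12:24:22 2013
Value: S-1-5-21-2085021927-1344845373-2015074135-1012 (expired)
Key: IDMAP/SID2GID/S-1-5-21-2085021927-1344845373-2015074135-1012
Timeout: Tue Sep 24 10:41:25 2013 Value: 30002
"""

DUMP_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-[\d-]+)[ \t]*$", re.M)
# \s+ between fields tolerates tabs and the mail-wrapped lines seen above.
CACHE_RE = re.compile(
    r"Key:\s+IDMAP/(?:([UG])ID2SID/(\d+)|SID2([UG])ID/(S-[\d-]+))"
    r"\s+Timeout:\s+.*?\s+Value:\s+(\S+)(\s+\(expired\))?")

def parse_dump(text):
    """Map (kind, SID) -> id for every UID/GID line; HWM lines are skipped."""
    return {(k, sid): int(i) for k, i, sid in DUMP_RE.findall(text)}

def parse_cache(text, include_expired=False):
    """Yield (kind, SID, id) for each usable IDMAP cache entry."""
    for m in CACHE_RE.finditer(text):
        k1, id_key, k2, sid_key, value, expired = m.groups()
        if expired and not include_expired:
            continue
        kind = (k1 or k2) + "ID"
        sid, ident = (value, id_key) if k1 else (sid_key, value)
        # Skip values that are not a SID / numeric id.
        if sid.startswith("S-") and ident.isdigit():
            yield kind, sid, int(ident)

def find_conflicts(dump_text, cache_text, include_expired=False):
    """Return sorted (kind, SID, tdb_id, cached_id) where the two stores disagree."""
    tdb = parse_dump(dump_text)
    return sorted({(k, sid, tdb[(k, sid)], cid)
                   for k, sid, cid in parse_cache(cache_text, include_expired)
                   if (k, sid) in tdb and tdb[(k, sid)] != cid})

if __name__ == "__main__":
    for kind, sid, tdb_id, cached in find_conflicts(IDMAP_DUMP, CACHE_LIST):
        print(f"{kind} {sid}: winbindd_idmap.tdb={tdb_id} cache={cached}")
```

On a live server the two strings would be replaced by the captured output of the two commands.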