[Samba] Missing entries in idmap.ldb

Rowland Penny rowlandpenny at googlemail.com
Mon Nov 17 15:47:06 MST 2014


On 17/11/14 22:35, Kirin van der Veer wrote:
> Hi Rowland,
> I was trying to change the AD -> Unix mapping of some of my users.
> I wanted to map some admin accounts to the root user (0) so that they 
> could easily edit permissions on all shares and folders regardless of 
> the groups that they were assigned to.
> If there's a better way of accomplishing that then I'm all ears.

Please don't do that, you are creating multiple 'Administrator' users.

Have you ever heard of a group in AD called 'Domain Admins'? Add your 
admin users to this group and give 'Domain Admins' the required privileges.

net rpc rights grant WORKGROUP\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Where 'WORKGROUP' is the name you provided when you provisioned.

Rowland
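
The risk raised in the reply above (several accounts all resolving to Unix ID 0) can be checked for in an ldbsearch dump of idmap.ldb. This is an added example, not part of the original message or of Samba: the function name, the attribute names objectSid and xidNumber as printed by ldbsearch, the exemption of the built-in Administrator (RID 500), and the sample records are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report SIDs that idmap.ldb maps to Unix ID 0, other than
# the domain's built-in Administrator (RID 500), which is assumed here to
# be the only account expected on that ID.
#
# Intended use (assumed invocation, run as root on the DC):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=0)' | audit_idmap_ldif

audit_idmap_ldif() {
    awk '
        function emit() {
            # Report the record if it sits on ID 0 and is not RID 500.
            if (sid != "" && xid == "0" && sid !~ /^S-1-5-21-[0-9-]+-500$/)
                print sid
            sid = ""; xid = ""
        }
        { sub(/\r$/, "") }                      # tolerate CRLF dumps
        /^$/ { emit(); next }                   # blank line ends an LDIF record
        tolower($1) == "objectsid:" { sid = $2 }
        tolower($1) == "xidnumber:" { xid = $2 }
        END { emit() }                          # last record may lack a blank line
    '
}

# Constructed sample records (not real output from any server).
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=S-1-5-21-3663128747-3839060396-3176805764-500
objectSid: S-1-5-21-3663128747-3839060396-3176805764-500
xidNumber: 0

# record 2
dn: CN=S-1-5-21-3663128747-3839060396-3176805764-11981
objectSid: S-1-5-21-3663128747-3839060396-3176805764-11981
xidNumber: 0

# record 3
dn: CN=S-1-5-21-3663128747-3839060396-3176805764-11824
xidNumber: 3000020
objectSid: S-1-5-21-3663128747-3839060396-3176805764-11824

# record 4
dn: CN=S-1-5-21-3663128747-3839060396-3176805764-11983
objectSid: S-1-5-21-3663128747-3839060396-3176805764-11983
xidNumber: 0
EOF
}

sample_ldif | audit_idmap_ldif
```

Any SID this prints is an account that acts as root on the server regardless of its AD group membership.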

>
> Kirin.
>
> On 17 November 2014 20:38, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>     On 17/11/14 00:57, Kirin van der Veer wrote:
>
>         Thanks for replying to my issue.
>         I was trying to edit the user mapping for the above users
>         manually. (apologies that I neglected to mention that in my
>         initial email).
>         I have solved the problem with wbinfo.
>         If I run:
>         wbinfo --sids-to-unix-ids S-1-5-21-3663128747-3839060396-3176805764-11981
>
>         Then it populates data into the idmap.ldb and I am able to
>         edit user mappings with the following command:
>         ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3663128747-3839060396-3176805764-11981
>
>         (which is the original command I was trying to use)
>
>         Sorry if I was not clear in my original email, and thanks for
>         your help.
>
>         Kirin.
>
>
>         On 15 November 2014 05:23, Rowland Penny
>         <rowlandpenny at googlemail.com> wrote:
>
>             On 14/11/14 18:18, Marc Muehlfeld wrote:
>
>                 Hello Kirin,
>
>                 Am 13.11.2014 um 23:38 schrieb Kirin van der Veer:
>
>                     When I run ldbedit on idmap.ldb some of my SIDs seem to be
>                     missing.
>                     The below output demonstrates the problem quite clearly:
>
>                     root@server:/# wbinfo -n administrator
>                     S-1-5-21-3663128747-3839060396-3176805764-500 SID_USER (1)
>                     root@server:/# ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3663128747-3839060396-3176805764-500
>                     # 0 adds  0 modifies  0 deletes
>                     root@server:/# wbinfo -n user1-admin
>                     S-1-5-21-3663128747-3839060396-3176805764-11824 SID_USER (1)
>                     root@server:/# ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3663128747-3839060396-3176805764-11824
>                     # 0 adds  0 modifies  0 deletes
>                     root@server:/# wbinfo -n user2-admin
>                     S-1-5-21-3663128747-3839060396-3176805764-11983 SID_USER (1)
>                     root@server:/# ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3663128747-3839060396-3176805764-11983
>                     no matching records - cannot edit
>                     root@server:/# wbinfo -n user3-admin
>                     S-1-5-21-3663128747-3839060396-3176805764-11981 SID_USER (1)
>                     root@server:/# ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3663128747-3839060396-3176805764-11981
>                     no matching records - cannot edit
>
>
>                 I'm not sure, if I understand, what you do there. You get the
>                 SID of an account and then edit idmap.ldb? But what do you do
>                 there when you say
>
>                     # ldbedit -e /usr/bin/vim -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3663128747-3839060396-3176805764-11981
>
>                 Do you mean with that, that you search for that line in the
>                 editor and you can't find it?
>
>
>
>                 Regards,
>                 Marc
>
>             Hi, I think the OP is having a problem he isn't telling us and he
>             is trying to find a reason for it. I do not think that it is
>             anything to do with idmap.ldb, I have users that do not appear in
>             idmap.ldb and do not have any problems.
>
>             Rowland
>
>             --
>             To unsubscribe from this list go to the following URL and read the
>             instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
>         -- 
>         Kirin van der Veer
>         IT Support
>         Planet Innovation
>         Phone: 03 9945 7549
>         Mobile: 0409 728 275
>         81–89 Cotham Road, Kew VIC 3101 Australia
>         planetinnovation.com.au <http://planetinnovation.com.au>
>
>
>     Why are you trying to edit idmap.ldb ?
>
>     Rowland


