[Samba] [bug?] idmap.ldb xidNumber attributes overlap with existing users'/groups' uidNumber/gidNumber
anrdaemon at yandex.ru
Sun Apr 19 15:02:11 MDT 2015
I've discovered a nasty mismatch in my recently upgraded domain.
It seems that a number of builtin groups have mappings in idmap.ldb that
overlap with posixAccount mappings in the sam.ldb.
# file: var/lib/samba/sysvol/ads.example.com/scripts/
# owner: root
# group: 544
As you can see, the groups 544, 30000 and 30001 weren't resolved.
Something similar happens if I try to look at it from the Windows side:
544(BUILTIN\Administrators) and 30001(SYSTEM) are resolved properly, but for
30000, the error message is along the lines of "Unable to resolve SID into
But when I bring up the GUI on the same share, it magically resolves the SIDs
into "Server Operators", which matches the
# ldbsearch -s sub -H /var/lib/samba/private/idmap.ldb '(|(xidNumber=30000)(xidNumber=30001))'
# record 1
# record 2
However, there lies the problem:
# getent passwd 30000 30001
It all looks very much as if the idmap assignments had been created before the users
(with their corresponding uidNumbers) were imported from the old domain.
Should this be considered a bug, perhaps?
And how do I best resolve this mess? Should I nuke idmap from orbit and
recreate the maps anew?
With best regards,
Sunday, April 19, 2015 22:35:56
Sorry for my terrible English...
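Added example, not part of the original post and not Samba code: a check for the overlap described above. It takes ldbsearch-style LDIF text from idmap.ldb and sam.ldb and reports every xidNumber that is also held as a uidNumber or gidNumber. The record layout (objectSid, type, xidNumber) and all sample values are assumptions constructed for illustration.

```python
import re
# Constructed samples in ldbsearch output form (not the poster's data); layout assumed.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 30000

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 544
"""
SAM_LDIF = """\
dn: CN=alice,CN=Users,DC=ads,DC=example,DC=com
uidNumber: 30000

dn: CN=svc,CN=Users,DC=ads,DC=example,DC=com
uidNumber: 544
"""

def parse_ldif(text):
    """Split LDIF into one {attribute: [values]} dict per record, skipping '#' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                rec.setdefault(key, []).append(value.strip())
        records.append(rec)
    return records

def find_overlaps(idmap_ldif, sam_ldif):
    """Return (number, SID, attribute, DN) per clash; ID_TYPE_BOTH is checked against both."""
    spaces = {"ID_TYPE_UID": ["uidNumber"], "ID_TYPE_GID": ["gidNumber"]}
    in_use = {}  # (attribute, number) -> DNs in sam.ldb that carry it
    for rec in parse_ldif(sam_ldif):
        for attr in ("uidNumber", "gidNumber"):
            for value in rec.get(attr, []):
                in_use.setdefault((attr, int(value)), []).append(rec["dn"][0])
    hits = []
    for rec in parse_ldif(idmap_ldif):
        if {"objectSid", "type", "xidNumber"} <= rec.keys():  # SID mappings only
            xid = int(rec["xidNumber"][0])
            for attr in spaces.get(rec["type"][0], ["uidNumber", "gidNumber"]):
                for dn in in_use.get((attr, xid), []):
                    hits.append((xid, rec["objectSid"][0], attr, dn))
    return sorted(hits)
```

On the constructed data only the 30000 mapping is reported: the 544 mapping is GID-only, so a uidNumber of 544 in sam.ldb does not count as a clash.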