[Samba] idmapping working for all domain users except Administrator, works for most groups

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri May 29 13:13:38 MDT 2015


I have a classic domain.  The  PDC and BDC are Samba 3.6.25 on Solaris 
11.  I have two domain members also Samba 3.6.25 on Solaris 11.   I have 
two domain members that are samba 4.1.17 on Fedora Core 21.   LDAP 
backend for unix and samba accounts.


in smb.conf on member servers

        idmap config * : backend  = tdb
        idmap config * : range =  5000-6000


        idmap config MYDOMAIN : backend  = nss
        #idmap config MYDOMAIN : range = 100-300
        idmap config MYDOMAIN : range = 100-900


The administrator account initially had a uid under 100, so I changed 
that to a higher number.  The Domain Admin group had a gid > 300 so I 
had to fix the idmap range.  I did delete all cache files  and restarted 
all services.


winbind is running and nsswitch.conf uses winbind  for "Windows" names 
and ldap (via sssd) for unix names.


Idmapping works fine for all domain users except the domain administrator.

    # getent passwd "MYDOMAIN\myname"
    MYDOMAIN\myname:*:123:300:My Name:/home/MYDOMAIN/myname:/bin/false
    # getent passwd "MYDOMAIN\Administrator"
    #


The "id" and "wbinfo -i" commands also work for all users but the 
Administrator.


The winbind -n command does show that Administrator has a valid SID.

    # wbinfo -n "MYDOMAIN\Administrator"
    S-1-5-21-ZZZZ-ZZZZ-ZZZZ-500 SID_USER (1)





The log.winbindd file shows

        [2015/05/29 14:48:26.042571,  3] ../source3/winbindd/winbindd_lookupsid.c:50(winbindd_lookupsid_send)
           lookupsid S-1-5-21-1196980386-547097193-1163074499-500
        [2015/05/29 14:48:26.358082,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
           Could not convert sid S-1-5-21-ZZZZ-ZZZZ-ZZZZ-500: NT_STATUS_NONE_MAPPED



I changed the Administrator's primary group from "Domain Admins" to a 
group with no spaces in the name.

Related to this, the idmapping for select domain groups may or may 
not be working.

    # getent group "MYDOMAIN\Domain Users"
    (no response)

    # getent group "MYDOMAIN\sales"
    MYDOMAIN\sales:x:600:MYDOMAIN\jsmith,MYDOMAIN\rsmith,MYDOMAIN\wsmith,



Either the problem is with groups with spaces in names or groups that 
have well-known SIDs.  But the only groups with spaces are those with 
well-known SIDs.  The underlying unix groups will also have spaces.  This 
is ok on the Solaris 11 Samba 3.x machines.



I appreciate any advice.

Thanks







