[Samba] idmapping working for all domain users except Administrator, works for most groups
gaiseric.vandal at gmail.com
Fri May 29 13:13:38 MDT 2015
I have a classic domain. The PDC and BDC are Samba 3.6.25 on Solaris
11. I have two domain members also Samba 3.6.25 on Solaris 11. I have
two domain members that are samba 4.1.17 on Fedora Core 21. LDAP
backend for unix and samba accounts.
in smb.conf on member servers
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config MYDOMAIN : backend = nss
#idmap config MYDOMAIN : range = 100-300
idmap config MYDOMAIN : range = 100-900
The administrator account initially had a uid under 100, so I changed
that to a higher number. The Domain Admin group had a gid > 300 so I
had to fix the idmap range. I did delete all cache files and restarted
winbind is running and nsswitch.conf uses winbind for "Windows" names
and ldap (via sssd) for unix names.
Idmapping works fine for all domain users except the domain
]# getent passwd "MYDOMAIN\myname"
# getent passwd "MYDOMAIN\Administrator"
The "id" and "wbinfo -i" commands also work for all users by the
The winbind -n command does show that Administrator has a valid SID.
# wbinfo -n "MYDOMAIN\Administrator"
S-1-5-21-ZZZZ-ZZZZ-ZZZZ-500 SID_USER (1)
The log.winbindd file shows
[2015/05/29 14:48:26.042571, 3]
[2015/05/29 14:48:26.358082, 5]
Could not convert sid S-1-5-21-ZZZZ-ZZZZ-ZZZZ-500:
I change the Administrator's primary from from "Domain Admins" to a
group with no spaces in the same.
Related this this , the idmapping for select domain groups may or may
not be working
# getent group "MYDOMAIN\Domain Users"
# getent group "MYDOMAIN\sales"
Either the problem is with groups with spaces in names or groups that
have well known SIDs. BUt the only groups with spaces are those with
well known sids. The undelying unix groups will also have spaces. This
is ok on the Solaris 11 Samba 3.x machines.
I appreciate any advice.
More information about the samba