[Samba] ldbedit: no matching records - cannot edit (newly-created user)

Rowland Penny rowlandpenny241155 at gmail.com
Thu Sep 10 17:55:08 UTC 2015

On 10/09/15 18:37, Jim Seymour wrote:
> Following-up to myself...
> Started over with a new user...
> $ samba-tool user add someuser
> New Password:
> Retype Password:
> User 'someuser' created successfully
> $ wbinfo --name-to-sid someuser
>     S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110 SID_USER (1)
> $ ldbedit -e vi -H /var/lib/samba/private/idmap.ldb
>     objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
> no matching records - cannot edit
> Login on my laptop as a domain user (e.g.: SOMEDOM\someuser), then...
> $ ldbedit -e vi -H /var/lib/samba/private/idmap.ldb
>     objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
> # editing 1 records
> # record 1
> dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
> cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
> type: ID_TYPE_BOTH
> xidNumber: 3000024
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
> Can somebody 'splain this?
> Thanks,
> Jim

Yes, after I engaged my brain, idmap.ldb contains the mappings of Domain 
users & groups to Unix users & groups and they only get into idmap.ldb 
after samba (on the DC) first pulls the users info from AD, it only does 
this when the user or group first contacts the AD DC i.e. the user logs in.

DOH, how did I forget that !

I think you are going to have to rethink this, the users (or groups) RID 
will always be unique in the domain, so you could use this to create a 
uidNumber or gidNumber and add this to the user (or group) object.


More information about the samba mailing list