[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?

Russell R Poyner russell.poyner at wisc.edu
Mon Feb 19 23:11:37 UTC 2018

I'm struggling with a permission problem on a Samba server that is 
configured to resolve unix uids and gids via nss using sssd. This mostly 
works. The Windows side sees files as being owned by SID=S-1-22-<unix 
uid of user> and the group is SID=S-1-22-<unix gid of group>.

This all works fine for files owned by the Windows user, or files that 
are world readable, but fails for files owned by root but belonging to 
the user's primary group.

On the Linux side:
-rw-rw----  1 poyner  pvt-poyner  0 Feb 19 17:32 poynerFile
drwxrws---  2 root    pvt-poyner  2 Feb 19 19:30 rootPoynerDir

On the Windows side, using PowerShell get-acl:

get-acl .\poynerDir\
Path      Owner            Access
----      -----            ------
poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow  FullControl...


get-acl .\rootPoynerDir\
get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use 


So is winbindd now the only option for resolving UID and GID?

Is idmap_nss deprecated? Or only supported for unix users in the local 
password file?

My config

    workgroup = ENGR
    server string = cbeserv
    security = ADS
    load printers = no
    realm = AD.SCHOOL.EDU

    min protocol = SMB2

    dns proxy = no
    unix extensions = no
    nmbd bind explicit broadcast = no
    oplocks = yes
    level2 oplocks = yes
    kernel oplocks = no

passwd:     files sss
shadow:     files
group:      files sss

Russ Poyner
