[Samba] wbinfo not resolving SID to username

Rowland Penny rpenny at samba.org
Mon Jul 2 12:08:47 UTC 2018

On Mon, 2 Jul 2018 13:41:16 +0200
"Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:

> > Now winbind can map some of these xidNumbers to names, but not all
> > and it will not map any xidNumbers to names if libnss_winbind isn't
> > set up correctly.
> Now I've changed /etc/nsswitch.conf and added "winbind" like this:
> # cat /etc/nsswitch.conf
> passwd:         compat systemd winbind
> group:          compat systemd winbind
> shadow:         compat winbind

you should remove 'winbind' from the shadow line, it isn't required.

> now getfacl shows group names (with some strange chars in them) but 
> still not users:

That is all perfectly normal on a Samba AD DC. The only way to get all
users and groups mapped to names, is to use uidNumber & gidNumber
attributes for all users & groups. This is NOT recommended on a DC, this
is because of sysvol, where some groups have also to be users to own
things. This is done in idmap.ldb where groups are mapped to
ID_TYPE_BOTH, if you give the wrong group a gidNumber, it will become
just a group and a group cannot own anything on Linux.
> You're right. I've added them when trying to fix it; they were not 
> present at first place.
> PS I've followed this guide step by step: 
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Just as an aside, I think you will find that 'sysvol' is mostly empty,
you will need to sync it from the DC you joined this one to.


More information about the samba mailing list