[Samba] Unable to map SID of domain admin although mapped in username map

Henry Jensen hjensen at mailbox.org
Tue Jul 24 09:25:33 UTC 2018


Lots of messages in smbd log file on a Samba file server, which is member of a Samba AD :

[2018/07/24 10:30:00.822403,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)                                                                                                                                                                                             
  create_canon_ace_lists: unable to map SID S-1-5-21-1234567898-1234567897-123456789-2996 to uid or gid.              

The SID is that of the domain admin (username: domainadmin) which is mappped in a username map file.

workgroup = MYDOM
security = ADS
realm = MYDOM.LAN

# Default idmap config for local BUILTIN accounts and groups
idmap config *:backend = tdb 
idmap config *:range = 80001-90000

# idmap config for the MYDOM domain
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-80000

#Samba >= 4.6.0
#idmap config MYDOM:unix_nss_info = yes 

#Samba < 4.6.0
winbind nss info = rfc2307 

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

winbind use default domain = yes 

winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/user.map

Dos charset = 850
unix charset = UTF-8
interfaces = eth0 eth2

vfs objects = recycle
recycle: repository = .Papierkorb/%u
recycle:directory_mode = 0777
recycle:subdir_mode = 0770
recycle: keeptree = Yes
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
recycle: exclude_dir = tmp
recycle:versions = Yes

!root = MYDOM\domainadmin

Access as domainadmin from windows to this file server is working as
expected. So, should I just ignore this messsages?

Kind regards,


More information about the samba mailing list