[Samba] Unable to map SID of domain admin although mapped in username map

Henry Jensen hjensen at mailbox.org
Tue Jul 24 11:30:03 UTC 2018


On Tue, 24 Jul 2018 10:38:53 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > [2018/07/24 10:30:00.822403,
> > 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> > create_canon_ace_lists: unable to map SID
> > S-1-5-21-1234567898-1234567897-123456789-2996 to uid or
> > gid.              
> > 
> > 
> > The SID is that of the domain admin (username: domainadmin) which is
> > mapped in a username map file.
> 
> Well, take it out of the username map and give 'domainadmin' a
> uidNumber attribute, then add 'domainadmin' to 'Domain Admins' or
> 'Administrators'
>

The user domainadmin is already a member of "Domain Admins". It was the
main admin account in the NT style domain before the migration. There
was no "Administrator" account. This builtin Administrator was newly
created by classicupgrade.


> > /etc/samba/user.map:
> > --------------------
> > !root = MYDOM\domainadmin  
> 
> Change this to '!root = MYDOM\Administrator'


I see. I usually work with the "domainadmin" account when doing
administrative tasks, including creating files and directories on the
member file servers, which do belong to root under Unix.

When I give domainadmin a UID, map MYDOM\Administrator as root instead
and continue to work with domainadmin this way, those files would no
longer belong to root, but to domainadmin. Since we do work with Unix
rights and POSIX-ACLs on the file servers this may have some
undesirable side effects.

Of course, I could do the work as MYDOM\Administrator instead in the future. 

But what would be the difference to the situation like it is now?  Is
the builtin Administrator treated by smbd differently than other
arbitrary users which belong to the "Domain Admins" group (i.e. have the
same rights as the builtin Administrator account)?

Or, rephrasing this question, why would smbd not print

  unable to map SID <SID-of-Administrator> to uid or gid.

to the logs?



Kind regards,

Henry


