[Samba] Very strange: Samba is unable to access one of its own files

Kees van Vloten keesvanvloten at gmail.com
Tue Nov 12 14:13:26 UTC 2024


On 12-11-2024 at 15:06, John R. Graham wrote:
>
> On 11/12/24 08:00, Kees van Vloten via samba wrote:
>>
>> On 12-11-2024 at 10:52, Rowland Penny via samba wrote:
>>> It looks like nss isn't set up on the DC, so '3000000' isn't being
>>> mapped to 'BUILTIN\administrators'
>> That is easy enough, just run:
>>
>> ldbsearch -H /var/lib/samba/private/idmap.ldb
>>
>> If you have multiple DCs, you have to sync this file manually between 
>> them, check https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>>
>> - Kees
>>
>>>
>>> It would be interesting to know who ID '3000021' is, because that is
>>> the user being denied access to sysvol.
>>>
>>> Rowland
>>>
>>
> With $(ldbsearch -H /var/lib/samba/private/idmap.ldb 
> xidNumber=3000021), I get:
>
> # record 1
> dn: CN=S-1-5-21-1539267136-1287424283-733021607-1108
> cn: S-1-5-21-1539267136-1287424283-733021607-1108
> objectClass: sidMap
> objectSid: S-1-5-21-1539267136-1287424283-733021607-1108
> type: ID_TYPE_BOTH
> xidNumber: 3000021
> distinguishedName: CN=S-1-5-21-1539267136-1287424283-733021607-1108
>
> but I don't know how to map that to a machine. Meanwhile, I'm reading 
> up on the idmap_nss plugin.

This will do the mapping:

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=S-1-5-21-1539267136-1287424283-733021607-1108)' samaccountname


- Kees.

>
> - John
>
>
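
The two lookups from this thread chained into one step, as an added example that is not part of the original messages: it resolves an xidNumber to a SID in idmap.ldb, checks that the result is a well-formed SID before it is placed in the second filter, then resolves the SID to sAMAccountName in sam.ldb. The helper names ldif_attr and xid_to_account are hypothetical; it assumes ldbsearch is in PATH, the script runs on the DC with read access to both files, and base64 accepts -d.

```shell
#!/bin/sh
# Added example: xidNumber -> SID (idmap.ldb) -> sAMAccountName (sam.ldb).
# Default paths are the ones used in this thread; override via the environment.
IDMAP_LDB=${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}

# ldif_attr ATTR: print the first value of ATTR from the LDIF on stdin.
# Attribute names match case-insensitively; folded lines are rejoined and
# base64 values ("attr:: ...") are decoded.
ldif_attr() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^ /  { if (hit) val = val substr($0, 2); next }  # folded continuation
        hit   { exit }                                    # first value complete
        {
            i = index($0, ":")
            if (i == 0 || tolower(substr($0, 1, i - 1)) != want) next
            val = substr($0, i + 1); hit = 1
            if (substr(val, 1, 1) == ":") { b64 = 1; val = substr(val, 2) }
            sub(/^ +/, "", val)
        }
        END   { if (hit) { kind = b64 ? "b64" : "raw"; print kind, val } }
    ' | while read -r kind val; do
        if [ "$kind" = b64 ]; then printf '%s' "$val" | base64 -d; echo
        else printf '%s\n' "$val"; fi
    done
}

# xid_to_account XID: print "xid<TAB>sid<TAB>sAMAccountName", non-zero on failure.
xid_to_account() (
    xid=$1
    # Only digits may reach the search filter.
    case $xid in
        ''|*[!0-9]*) echo "xid must be a decimal number" >&2; exit 2 ;;
    esac
    sid=$(ldbsearch -H "$IDMAP_LDB" "(xidNumber=$xid)" objectSid | ldif_attr objectSid)
    # Only a well-formed SID string may be placed into the second filter.
    printf '%s\n' "$sid" | grep -Eq '^S-1(-[0-9]+)+$' ||
        { echo "no SID mapped to xid $xid in $IDMAP_LDB" >&2; exit 1; }
    name=$(ldbsearch -H "$SAM_LDB" "(objectSid=$sid)" sAMAccountName |
           ldif_attr sAMAccountName)
    [ -n "$name" ] || { echo "no account with SID $sid in $SAM_LDB" >&2; exit 1; }
    printf '%s\t%s\t%s\n' "$xid" "$sid" "$name"
)

# Run as: ./xid2name.sh 3000021   (the script file name is an assumption)
if [ "$#" -gt 0 ]; then xid_to_account "$1"; fi
```
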

