[Samba] Can't map SID to a uid (but works for gid)

Matthew Richardson m.richardson at ed.ac.uk
Tue Feb 10 13:52:06 UTC 2026



On 09/02/2026 12:49, Rowland Penny wrote:
> On Mon, 9 Feb 2026 11:39:23 +0000
> Matthew Richardson via samba <samba at lists.samba.org> wrote:
> 
>> I have a samba server joined to an AD, with rfc2307 enabled.
>>
>> Samba ad/idmap config:
>>
>> security = ads
>> realm = FOO.EXAMPLE.COM
>> workgroup = FOO
>> idmap config * : backend = tdb
>> idmap config * : range = 1-1024
>> idmap config ED : backend = ad
>> idmap config ED : range = 1025-9999999
>> idmap config ED : schema_mode = rfc2307
>> idmap config ED : unix_nss_info = True
>> idmap config ED : unix_primary_group = True
>>
>> This seems to be working on the server side, for example with test
>> user account:
>>
>> wbinfo -i FOO\\josoap
>> FOO\josoap:*:143463:143463:Jo Soap:/home/josoap:/bin/bash
>>
>> On the 'real' fs on the server I have /home/josoap owned 143463:143463
>>
>> I am mounting on a client (Ubuntu 24.04 6.17 kernel, cifs version
>> 2.56). The client is not running sssd or winbind and is not in any
>> way joined to the AD or other domain.
>>
>> mount -t cifs //homes.example.com/homes /mnt/smb -o
>> username=josoap,domain=FOO,posix,vers=3.11
>>
>> If I do ls -l /mnt/smb I see:
>>
>> # ls -ln /mnt
>> total 0
>> drwxr-xr-x 2 0 143463 6 Feb  5 19:10 josoap
>>
>> So the uid is set to 0, but the gid is correct.
>>
>> Looking at the logs (sid obfuscated) I see the following:
>>
>> kernel: CIFS: fs/smb/client/readdir.c: new entry 0000000016c7f25e old
>> entry 00000000bd7f7558
>> kernel: CIFS: fs/smb/client/readdir.c: posix fattr: dev -2, reparse
>> 0, mode 10755
>> kernel: CIFS: fs/smb/client/cifsacl.c: sid_to_id: Can't map SID
>> os:S-1-5-21-XXX to a uid
>> kernel: CIFS: fs/smb/client/cifsacl.c: Unix UID 143463 returned from
>> SID Feb 09 11:22:26 w8822 kernel: CIFS: fs/smb/client/readdir.c:
>> cifs_prime_dcache: for josoap
>>
>> The same issue of uid = 0 occurs for any file/owner, and using a
>> different domain account to mount doesn't change anything.
>>
>>
>> Can anyone suggest what might be causing the uid to not be mapped
>> correctly, while it seems to handle gid fine?
>>
>> I've tried restarting samba, clearing the cache (net cache flush) and
>> also setting:
>>
>> idmap cache time = 1
>> idmap negative cache time = 1
>>
>> But that hasn't changed anything.
>>
>> Thanks,
>>
>> Matthew
>>
>>
>>
> 
> From the above, it sounds like there are at least three machines
> involved. An AD DC (type unknown), a Samba server (Samba version
> unknown) running as a fileserver and a Ubuntu 24.04 client. The client
> is reportedly not joined to the domain.
> 
> Is the above correct ?
> 
> If it is, then can you explain just why you expect Samba on the Ubuntu
> client to know any Domain users & groups ?
> 
> Further to that, have any uidNumber & gidNumber attributes been
> added to AD, they are not there by default, following up on this, do
> you realise that because of the ranges in use, you cannot have any
> local Unix users or groups on the Samba server ?
> 
> Rowland
> 
> 
> 

Yes, 3 machines - AD is a Windows domain (exact spec unknown), Samba 
Server is 4.23.5, client is indeed not domain joined.

User objects in the AD have the rfc2307 attrs enabled (uidNumber, 
gidNumber etc). Confirmed working via wbinfo on the samba server. Ranges 
set explicitly due to conflicts between AD and local Linux users/groups 
(probably not really relevant here, but didn't want to omit config).

For context, we have some clients which are joined to a different domain 
which shared uid/gid values with this AD domain, so I was testing if the 
samba mount would show the AD-provided uid and gid values, which would 
then be mapped correctly to usernames/groups against the second domain. 
I was testing this on a machine with only local user/group info to avoid 
adding complexity, and just looking to see if uid/gid were as expected.

So I was curious as to why is the gid able to be resolved, while the uid 
is not. However if this is just a 'red herring' (perhaps linked to using 
'unix_primary_group') and samba only provides the SID, leaving it up to 
the client to lookup sid-uid mappings, then I can instead focus on 
looking at ways to connect these clients to the AD domain.

Thanks,

Matthew
