[Samba] question about sids and ads auth - Samba
[Samba] question about sids and ads auth
Ok so I have a problem and I am trying to figure something out in
regards to samba ads authentication, winbindd sid to uid/gid mapping and
why some domain accounts can map the samba share from linux and windows
when others cannot.
I have a few domain users that when they try to map a samba share when
the authentication takes place fine, the uid/gid seems to work, but in
the log.winbind-idmap I see the following lines:
idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
gid [2,2,2279459400]
But if I do a winbind -n USERNAME I get the following sid
S-1-5-21-2868754479-89028146-2101856903-88482
As you can see they do not match up, is the sid listed in the log a
system account like the netlogon or perhaps the trusted domain account
sid or something?
I am just going through a process of elimination to figure out why some
users work and others do not. Any help is appreciated.
--
Jas
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
-
Re: [Samba] question about sids and ads auth
On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
> Ok so I have a problem and I am trying to figure something out in
> regards to samba ads authentication, winbindd sid to uid/gid mapping and
> why some domain accounts can map the samba share from linux and windows
> when others cannot.
>
> I have a few domain users that when they try to map a samba share when
> the authentication takes place fine, the uid/gid seems to work, but in
> the log.winbind-idmap I see the following lines:
>
> idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
> sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
> gid [2,2,2279459400]
Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
Samba server? In other words, is it the same as the output of:
net getlocalsid
If not, then the above is a foreign SID and needs to be handled appropriately.
The RID is the last value in the SID sequence of fields. The RID=513 is
the "Domain Users" group well known account value. In fact, if you look at
the log it says it could not resolve the sid_to_gid (that means it could not
resolve the group ID to a local UNIX GID).
If the domain SID is the same as your Samba server SID, this would suggest
that if you execute "net groupmap list" you see that there is no mapping of
the Windows group "Domain Users" to a UNIX group. You need to create it as
follows:
net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513
If the SID is not the same as your Samba server SID, then you need to do one
of two things:
a) Configure Samba to resolve all foreign domain SIDs as if they are local.
You can do this by adding to smb.conf [globals]
winbind user default domain = yes
_OR_
b) You can configure the IDMAP backend appropriately for your version of Samba
so it will allocate local UIDs and GIDs for all foreign SIDs.
> But if I do a winbind -n USERNAME I get the following sid
> S-1-5-21-2868754479-89028146-2101856903-88482
That looks like a user account. What is the UID for this user?
> As you can see they do not match up, is the sid listed in the log a
> system account like the netlogon or perhaps the trusted domain account
> sid or something?
It is a group account, not a user account. If you create a file as that user,
what is the ownership and group (under UNIX) of the resulting file?
- John T.
--
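The triage John walks through above, as an added example written for this page (not code from the thread or from Samba): split each SID that log.winbind-idmap reports as unmapped into its domain part and RID, compare the domain part with the server's own SID, and name the well-known RIDs. The server SID is passed in as a parameter; in real use it is the value printed by `net getlocalsid`, and the placeholder SID and the log lines in the demo section are constructed (the RID 513 SID is the one quoted in the thread).

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba: triage of unmapped SIDs
# from winbind idmap log lines. A SID is split into its domain part and its
# final component (the RID); the domain part is compared with the server's
# own SID, and well-known domain-relative RIDs are named.

# Domain part of a SID: everything before the last hyphen.
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# RID: the component after the last hyphen.
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# Names of the well-known domain-relative RIDs (Microsoft-defined constants).
rid_name() {
    case "$1" in
        500) printf 'Administrator\n' ;;
        501) printf 'Guest\n' ;;
        502) printf 'krbtgt\n' ;;
        512) printf 'Domain Admins\n' ;;
        513) printf 'Domain Users\n' ;;
        514) printf 'Domain Guests\n' ;;
        515) printf 'Domain Computers\n' ;;
        516) printf 'Domain Controllers\n' ;;
        *)   printf '\n' ;;
    esac
}

# classify_sid LOCAL_SID SID: "local" when SID belongs to the server's own
# domain SID (a net groupmap case), otherwise "foreign" (an AD or trusted
# domain SID, which needs an idmap backend/range instead).
classify_sid() {
    if [ "$(sid_domain "$2")" = "$1" ]; then
        printf 'local\n'
    else
        printf 'foreign\n'
    fi
}

# Extract the SIDs reported as unmapped in a log.winbind-idmap file.
# Matches the "sid [S-...] not mapped to an gid/uid" form quoted in the thread.
unmapped_sids() {
    sed -n 's/.*sid \[\(S-[0-9-]*\)] not mapped to an [ug]id.*/\1/p' "$1" | sort -u
}

# triage_log LOCAL_SID LOGFILE: one report line per distinct unmapped SID.
triage_log() {
    for sid in $(unmapped_sids "$2"); do
        rid=$(sid_rid "$sid")
        name=$(rid_name "$rid")
        printf '%s: rid=%s%s, %s to %s\n' \
            "$sid" "$rid" "${name:+ ($name)}" "$(classify_sid "$1" "$sid")" "$1"
    done
}

# --- demo with constructed data ---------------------------------------------
# Placeholder for the server's own SID (assumption; take it from net getlocalsid).
LOCAL_SID=S-1-5-21-1111111111-2222222222-3333333333

# Constructed sample of log.winbind-idmap lines: the first SID is the one from
# the thread (RID 513), the second a made-up RID 512 in the same AD domain, the
# third a made-up SID in the server's own domain.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<EOF
idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an gid
sid [S-1-5-21-2868754479-89028146-2101856903-512] not mapped to an gid
sid [$LOCAL_SID-513] not mapped to an gid
EOF

triage_log "$LOCAL_SID" "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Run it as `sh triage.sh`; each report line says which RID the SID carries and whether its domain part matches the server SID, which is exactly the split John asks the poster to make before deciding between net groupmap and an idmap backend.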
-
Re: [Samba] question about sids and ads auth
John H Terpstra wrote:
> On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
>> Ok so I have a problem and I am trying to figure something out in
>> regards to samba ads authentication, winbindd sid to uid/gid mapping and
>> why some domain accounts can map the samba share from linux and windows
>> when others cannot.
>>
>> I have a few domain users that when they try to map a samba share when
>> the authentication takes place fine, the uid/gid seems to work, but in
>> the log.winbind-idmap I see the following lines:
>>
>> idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
>> sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
>> gid [2,2,2279459400]
>
> Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
> Samba server? In other words, is it the same as the output of:
>
> net getlocalsid
No, not the same output.
>
> If not, then the above is a foreign SID and needs to be handled appropriately.
>
> The RID is the last value in the SID sequence of fields. The RID=513 is
> the "Domain Users" group well known account value. In fact, if you look at
> the log it says it could not resolve the sid_to_gid (that means it could not
> resolve the group ID to a local UNIX GID).
Just picked up on this portion of the SID
>
> If the domain SID is the same as your Samba server SID, this would suggest
> that if you execute "net groupmap list" you see that there is no mapping of
> the Windows group "Domain Users" to a UNIX group. You need to create it as
> follows:
>
> net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513
Was performed.
>
> If the SID is not the same as your Samba server SID, then you need to do one
> of two things:
>
> a) Configure Samba to resolve all foreign domain SIDs as if they are local.
> You can do this by adding to smb.conf [globals]
> winbind user default domain = yes
>
winbind use default domain = yes? not sure if 'user' is a typo.
> _OR_
>
> b) You can configure the IDMAP backend appropriately for your version of Samba
> so it will allocate local UIDs and GIDs for all foreign SIDs.
>
I currently have the following configured for my AD users:
idmap config SCL:backend = ad
>> But if I do a winbind -n USERNAME I get the following sid
>> S-1-5-21-2868754479-89028146-2101856903-88482
>
> That looks like a user account. What is the UID for this user?
1000011, this user actually is able to authenticate through AD as well
as map the drive. I am currently having a problem with some users not
able to map the drive due to 'error 67 occurred' when running 'net use x:
\\server\share' from windows clients.
>
>> As you can see they do not match up, is the sid listed in the log a
>> system account like the netlogon or perhaps the trusted domain account
>> sid or something?
>
I have been looking through AD users in the CN=Users container and seem
to have some discrepancies with my rfc2307 attributes, let me modify
those and test some more.
> It is a group account, not a user account. If you create a file as that user,
> what is the ownership and group (under UNIX) of the resulting file?
>
> - John T.
--
Jas
--
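The rfc2307 attribute check the last reply mentions, as an added example written for this page (not code from the thread or from Samba): the idmap_ad backend resolves uidNumber and gidNumber on user objects and gidNumber on group objects, so an account that lacks either, or whose primary group (RID 513, Domain Users) has no gidNumber, has no UNIX identity to map to. The script audits an LDIF export for those attributes. The LDIF below is constructed, and the input is assumed to be unwrapped (`ldapsearch -o ldif-wrap=no`).

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba: audit an LDIF export of
# AD users and groups for the RFC 2307 attributes idmap_ad relies on
# (uidNumber + gidNumber on users, gidNumber on groups). Only entries with a
# problem are reported. Assumes unwrapped LDIF; note that AD computer objects
# also carry objectClass user and will be reported if included in the export.

rfc2307_audit() {
    awk '
    function flush() {
        if (dn == "") return
        if (is_user && (uid == "" || gid == ""))
            printf "user %s: missing%s%s\n", dn, \
                (uid == "" ? " uidNumber" : ""), (gid == "" ? " gidNumber" : "")
        else if (is_group && gid == "")
            printf "group %s: missing gidNumber\n", dn
        dn = ""; uid = ""; gid = ""; is_user = 0; is_group = 0
    }
    /^dn: /                { flush(); dn = substr($0, 5) }
    /^objectClass: user$/  { is_user = 1 }
    /^objectClass: group$/ { is_group = 1 }
    /^uidNumber: /         { uid = $2 }
    /^gidNumber: /         { gid = $2 }
    /^$/                   { flush() }
    END                    { flush() }
    ' "$1"
}

# --- demo with constructed data ---------------------------------------------
# Constructed LDIF: alice is complete, bob lacks gidNumber, and the Domain
# Users group (the RID 513 group from the thread) has no gidNumber at all.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 1000011
gidNumber: 10513

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 1000012

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
EOF

rfc2307_audit "$SAMPLE_LDIF"
rm -f "$SAMPLE_LDIF"
```

For a real run, export the CN=Users container (or the whole domain) with ldapsearch and pass the file to rfc2307_audit; a missing gidNumber on Domain Users shows up as a single group line and explains an unmapped RID 513 for every member at once.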