[Samba] question about sids and ads auth - Samba


Thread: [Samba] question about sids and ads auth

  1. [Samba] question about sids and ads auth

    Ok so I have a problem and I am trying to figure something out in
    regards to samba ads authentication, winbindd sid to uid/gid mapping and
    why some domain accounts can map the samba share from linux and windows
    when others cannot.

    I have a few domain users that when they try to map a samba share when
    the authentication takes place fine, the uid/gid seems to work, but in
    the log.winbind-idmap I see the following lines:

    idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
    sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
    gid [2,2,2279459400]

    But if I do a winbind -n USERNAME I get the following sid
    S-1-5-21-2868754479-89028146-2101856903-88482

    As you can see they do not match up, is the sid listed in the log a
    system account like the netlogon or perhaps the trusted domain account
    sid or something?

    I am just going through a process of elimination to figure out why some
    users work and others do not. Any help is appreciated.

    --
    Jas
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. Re: [Samba] question about sids and ads auth

    On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
    > Ok so I have a problem and I am trying to figure something out in
    > regards to samba ads authentication, winbindd sid to uid/gid mapping and
    > why some domain accounts can map the samba share from linux and windows
    > when others cannot.
    >
    > I have a few domain users that when they try to map a samba share when
    > the authentication takes place fine, the uid/gid seems to work, but in
    > the log.winbind-idmap I see the following lines:
    >
    > idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
    > sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
    > gid [2,2,2279459400]


    Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
    Samba server. In other words, is it the same as the output of:

    net getlocalsid

    If not, then the above is a foreign SID and needs to be handled appropriately.

    The RID is the last value in the SID sequence of fields. The RID=513 is
    the "Domain Users" group well known account value. In fact, if you look at
    the log it says it could not resolve the sid_to_gid (that means it could not
    resolve the group ID to a local UNIX GID).

    If the domain SID is the same as your Samba server SID, this would suggest
    that if you execute "net groupmap list" you see that there is no mapping of
    the Windows group "Domain Users" to a UNIX group. You need to create it as
    follows:

    net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513

    If the SID is not the same as your Samba server SID, then you need to do one
    of two things:

    a) Configure Samba to resolve all foreign domain SIDs as if they are local.
    You can do this by adding to smb.conf [globals]
    winbind user default domain = yes

    _OR_

    b) You can configure the IDMAP backend appropriately for your version of Samba
    so it will allocate local UIDs and GIDs for all foreign SIDs.

    > But if I do a winbind -n USERNAME I get the following sid
    > S-1-5-21-2868754479-89028146-2101856903-88482


    That looks like a user account. What is the UID for this user?

    > As you can see they do not match up, is the sid listed in the log a
    > system account like the netlogon or perhaps the trusted domain account
    > sid or something?


    It is a group account, not a user account. If you create a file as that user,
    what is the ownership and group (under UNIX) of the resulting file?

    - John T.
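    The reply above boils down to one check: take the domain part of the SID
    from the idmap log (everything before the final RID), compare it with the
    server's own SID from `net getlocalsid`, and read the RID against the
    well-known values (513 = "Domain Users"). The script below is an added
    example written for this thread, not code from the Samba project or either
    poster; the log lines it parses are the ones quoted in the thread, while the
    `net getlocalsid` output, the hostname FILESERVER and the local SID in it are
    constructed so that the "foreign SID" case is exercised (the original poster
    later confirms the SIDs do not match).

```python
import re

# Well-known domain-relative RIDs. 513 ("Domain Users") is the one named in the
# reply above; the others are standard Windows well-known RIDs listed for context.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Any SID-looking token: S-1-<authority>-<sub>-<sub>...
SID_TOKEN = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...' into (authority, [sub-authorities]).
    Raises ValueError if the string is not a SID at all."""
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", sid)
    if m is None:
        raise ValueError("not a SID: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def split_domain_rid(sid):
    """Return (domain_sid, rid) for an account SID of the form S-1-5-21-a-b-c-rid.
    The RID is the last sub-authority; everything before it is the domain SID.
    SIDs outside an S-1-5-21 domain (e.g. BUILTIN S-1-5-32-*) are rejected."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not an account SID in an S-1-5-21 domain: %r" % (sid,))
    domain_sid = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
    return domain_sid, subs[4]


def local_sid_from_getlocalsid(output):
    """Pull the server's own SID out of the text printed by `net getlocalsid`.
    Only the SID token is relied upon, not the surrounding wording."""
    m = SID_TOKEN.search(output)
    if m is None:
        raise ValueError("no SID found in net getlocalsid output")
    return m.group(0)


def classify(sid, local_domain_sid):
    """Describe a SID from the idmap log relative to the Samba server's SID:
    its domain part, its RID, whether the RID is well known, and whether the
    SID is foreign (domain part differs from the local server SID)."""
    domain_sid, rid = split_domain_rid(sid)
    return {
        "sid": sid,
        "domain_sid": domain_sid,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "foreign": domain_sid != local_domain_sid,
    }


def classify_log(log_lines, local_domain_sid):
    """Find every SID mentioned in idmap log lines and classify each one once,
    in order of first appearance."""
    seen = []
    for line in log_lines:
        for sid in SID_TOKEN.findall(line):
            if sid not in seen:
                seen.append(sid)
    return [classify(s, local_domain_sid) for s in seen]


# Constructed sample input: the two log lines quoted in the thread, plus a
# made-up `net getlocalsid` line whose SID deliberately differs from the log's.
SAMPLE_LOG = [
    "idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]",
    "sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an gid [2,2,2279459400]",
]
SAMPLE_GETLOCALSID = "SID for domain FILESERVER is: S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    local = local_sid_from_getlocalsid(SAMPLE_GETLOCALSID)
    for info in classify_log(SAMPLE_LOG, local):
        print("%s -> domain %s, RID %d (%s), %s" % (
            info["sid"], info["domain_sid"], info["rid"],
            info["well_known"] or "not a well-known RID",
            "FOREIGN domain" if info["foreign"] else "local domain"))
```

    Run as-is it reports the logged SID as RID 513 ("Domain Users") in a
    foreign domain, which is the case that needs either the groupmap entry or
    a working idmap backend for that domain. Feed it the real output of
    `net getlocalsid` and a slice of log.winbind-idmap to check your own setup.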


  3. Re: [Samba] question about sids and ads auth

    John H Terpstra wrote:
    > On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
    >> Ok so I have a problem and I am trying to figure something out in
    >> regards to samba ads authentication, winbindd sid to uid/gid mapping and
    >> why some domain accounts can map the samba share from linux and windows
    >> when others cannot.
    >>
    >> I have a few domain users that when they try to map a samba share when
    >> the authentication takes place fine, the uid/gid seems to work, but in
    >> the log.winbind-idmap I see the following lines:
    >>
    >> idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
    >> sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
    >> gid [2,2,2279459400]

    >
    > Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the
    > Samba server. In other words, is it the same as the output of:
    >
    > net getlocalsid


    No, not the same output.

    >
    > If not, then the above is a foreign SID and needs to be handled appropriately.
    >
    > The RID is the last value in the SID sequence of fields. The RID=513 is
    > the "Domain Users" group well known account value. In fact, if you look at
    > the log is says it could not resolve the sid_to_gid (that means it could not
    > resolve the group ID to a local UNIX GID.


    Just picked up on this portion of the SID

    >
    > If the domain SID is the same as your Samba server SID, this would suggest
    > that if you execute "net groupmap list" you see that there is no mapping of
    > the Windows group "Domain Users" to a UNIX group. You need to create it as
    > follows:
    >
    > net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513


    Was performed.

    >
    > If the SID is not the same as your Samba server SID, then you need to do one
    > of two things:
    >
    > a) Configure Samba to resolve all foreign domain SIDs as if they are local.
    > You can do this by adding to smb.conf [globals]
    > winbind user default domain = yes
    >


    winbind use default domain = yes? not sure if 'user' is a typo.

    > _OR_
    >
    > b) You can configure the IDMAP backend appropriately for your version of Samba
    > so it will allocate local UIDs and GIDs for all foreign SIDs.
    >


    I currently have the following configured for my AD users:
    idmap config SCL:backend = ad

    >> But if I do a winbind -n USERNAME I get the following sid
    >> S-1-5-21-2868754479-89028146-2101856903-88482

    >
    > That looks like a user account. What is the UID for this user?


    1000011, this user actually is able to authenticate through AD as well
    as map the drive. I am currently having a problem with some users not
    able to map the drive due to 'error 67 occurred' when running 'net use x:
    \\server\share' from windows clients.

    >
    >> As you can see they do not match up, is the sid listed in the log a
    >> system account like the netlogon or perhaps the trusted domain account
    >> sid or something?

    >


    I have been looking through AD users in the CN=Users container and seem
    to have some discrepancies with my rfc2307 attributes, let me modify
    those and test some more.

    > It is a group account, not a user account. If you create a file as that user,
    > what is the ownership and group (under UNIX) of the resulting file?
    >
    > - John T.



    --
    Jas

