samba - Jun 2008 - question about sids and ads auth

Ok so I have a problem and I am trying to figure something out in 
regards to samba ads authentication, winbindd sid to uid/gid mapping and 
why some domain accounts can map the samba share from linux and windows 
when others cannot.

I have a few domain users that when they try to map a samba share when 
the authentication takes place fine, the uid/gid seems to work, but in 
the log.winbind-idmap I see the following lines:

   idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
   sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an 
gid [2,2,2279459400]

But if I do a winbind -n USERNAME I get the following sid
S-1-5-21-2868754479-89028146-2101856903-88482

As you can see they do not match up, is the sid listed in the log a 
system account like the netlogon or perhaps the trusted domain account 
sid or something?

I am just going through a process of elimination to figure out why some 
users work and others do not. Any help is appreciated.

-- 
Jas

On Wednesday 04 June 2008 10:58:52 Jason Gerfen wrote:
> Ok so I have a problem and I am trying to figure something out in
> regards to samba ads authentication, winbindd sid to uid/gid mapping and
> why some domain accounts can map the samba share from linux and windows
> when others cannot.
>
> I have a few domain users that when they try to map a samba share when
> the authentication takes place fine, the uid/gid seems to work, but in
> the log.winbind-idmap I see the following lines:
>
>    idmap_sid_to_gid: sid = [S-1-5-21-2868754479-89028146-2101856903-513]
>    sid [S-1-5-21-2868754479-89028146-2101856903-513] not mapped to an
> gid [2,2,2279459400]
Is the SID S-1-5-21-2868754479-89028146-2101856903 the same as the SID for the 
Samba server. In other words, is it the same as the output of:

	net getlocalsid

If not, then the above is a foreign SID and needs to be handled appropriately.

The RID is the last value in the SID sequence of fields.  The RID=513 is 
the "Domain Users" group well known account value.  In fact, if you
look at
the log is says it could not resolve the sid_to_gid (that means it could not 
resolve the group ID to a local UNIX GID.

If the domain SID is the same as your Samba server SID, this would suggest 
that if you execute "net groupmap list" you see that there is no
mapping of
the Windows group "Domain Users" to a UNIX group.  You need to create
it as
follows:

net groupmap add ntgroup="Domain Users" unixgroup=users type=d rid=513

If the SID is not the same as your Samba server SID, then you need to do one 
of two things:

a) Configure Samba to resolve all foreign domain SIDs as if they are local. 
You can do this by adding to smb.conf [globals]
	winbind user default domain = yes

_OR_

b) You can configure the IDMAP backend appropriately for your version of Samba 
so it will allocate local UIDs and GIDs for all foreign SIDs.
> But if I do a winbind -n USERNAME I get the following sid
> S-1-5-21-2868754479-89028146-2101856903-88482
That looks like a user account. What is the UID for this user?
> As you can see they do not match up, is the sid listed in the log a
> system account like the netlogon or perhaps the trusted domain account
> sid or something?
It is a group account, not a user account. If you create a file as that user, 
what is the  ownership and group (under UNIX) of the resulting file?

- John T.