I have a problem where I can't browse to a samba share from Windows
(Server 2008); instead I get the error:
The group name could not be found
The winbind log contains the message:
could not convert gid 507 to sid
Suspecting a permissions problem, I went and looked at the files and the
group ownership has been set to BUILTIN\guests, which is not what I
want. So I try to chgrp them to the domain group:
chgrp -R 'dss users' /file
chgrp: invalid group `dss users'
But I know that that is the domain group that I want:
wbinfo -g | grep dss
dss users
wbinfo -n 'dss users'
S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
But winbind apparently cannot resolve it to a gid:
wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
to gid
My nsswitch.conf file does list winbind for users and groups. My
smb.conf file contains (in part, obviously):
idmap alloc backend = tdb
idmap alloc config:range = 10000 - 4000000
idmap uid = 10000 - 4000000
idmap gid = 10000 - 4000000
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind use default domain = yes
So it is using a default domain (the correct one; I checked) and I'm not
just running out of gids. My various /var/log/samba/log.* files contain
almost exactly nothing from the time of the transaction.
Any help appreciated,
- rob.
Gaiseric Vandal
2010-Jun-23 19:04 UTC
[Samba] Winbind problem: can't convert sids and gids
Which samba version? I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and gids to users and groups from trusted domain (at least to Windows 2003 domains in mixed mode.) When I switched to a Samba 3.4.x PDC the allocation of new uids and gids broke. I suspect there is some configuration change in smb.conf I needed to make that was not obvious (to me) in the documenation. I have an ldap backend- but temporarily changing to a TDB backend didn't help. I worked around this by manually allocating uids and gids. With ldap you can do this with an ldap editor. But you can also use the wbinfo command to manuallly create uid-to-sid or gid-to-sid mappings with ldap or tdb backend. It isn't really a long term solution but fortunately account additions/deletions are minimal where I work. I did have idmap entries in smb.conf for each domain I wanted to trust, in addition to the entries you listed. On 06/23/2010 02:24 PM, Rob Moser wrote:> I have a problem where I can't browse to a samba share from Windows > (Server 2008); instead I get the error: > > The group name could not be found > > The winbind log contains the message: > > could not convert gid 507 to sid > > Suspecting a permissions problem, I went and looked at the files and the > group ownership has been set to BUILTIN\guests, which is not what I > want. So I try to chgrp them to the domain group: > > chgrp -R 'dss users' /file > chgrp: invalid group `dss users' > > But I know that that is the domain group that I want: > > wbinfo -g | grep dss > dss users > > wbinfo -n 'dss users' > S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2) > > But winbind apparently cannot resolve it to a gid: > > wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019 > Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019 > to gid > > My nsswitch.conf file does list winbind for users and groups. My > smb.conf file contains (in part, obviously): > > idmap alloc backend = tdb > idmap alloc config:range = 10000 - 4000000 > idmap uid = 10000 - 4000000 > idmap gid = 10000 - 4000000 > > winbind enum users = no > winbind enum groups = no > winbind nested groups = yes > winbind use default domain = yes > > So it is using a default domain (the correct one; I checked) and I'm not > just running out of gids. My various /var/log/samba/log.* files contain > almost exactly nothing from the time of the transaction. > > Any help appreciated, > > - rob. > >