Henry Jensen
2018-Jul-24  09:25 UTC
[Samba] Unable to map SID of domain admin although mapped in username map
Hello,

Lots of messages in the smbd log file on a Samba file server, which is
a member of a Samba AD:

[2018/07/24 10:30:00.822403,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1234567898-1234567897-123456789-2996 to uid or gid.

The SID is that of the domain admin (username: domainadmin) which is
mapped in a username map file.

smb.conf:
---------
[global]
workgroup = MYDOM
security = ADS
realm = MYDOM.LAN

# Default idmap config for local BUILTIN accounts and groups
idmap config *:backend = tdb
idmap config *:range = 80001-90000

# idmap config for the MYDOM domain
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-80000

#Samba >= 4.6.0
#idmap config MYDOM:unix_nss_info = yes

#Samba < 4.6.0
winbind nss info = rfc2307

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

winbind use default domain = yes

winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/user.map

Dos charset = 850
unix charset = UTF-8
interfaces = eth0 eth2

vfs objects = recycle
recycle: repository = .Papierkorb/%u
recycle:directory_mode = 0777
recycle:subdir_mode = 0770
recycle: keeptree = Yes
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
recycle: exclude_dir = tmp
recycle:versions = Yes

/etc/samba/user.map:
--------------------
!root = MYDOM\domainadmin

Access as domainadmin from Windows to this file server is working as
expected. So, should I just ignore these messages?

Kind regards,

Henry
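The following is an added example for readers of this thread; it is not code from the thread or from Samba, and the function names are my own. It works on inline, constructed copies of the posted smb.conf, user.map and log line and performs the checks a practitioner would want before deciding whether the message can be ignored: which parameters are set more than once in [global] (smbd keeps the last value, so the second `vfs objects` line replaces acl_xattr), which idmap backend and range each domain is configured with (idmap_ad only uses a uidNumber inside that range), the domain SID and RID taken from the log message, and which domain accounts are handled only by the username map (the map rewrites the login name at session setup; SIDs inside ACLs still go through idmap, so such an account without a uidNumber keeps producing the message):

```python
import re

# Constructed sample input, modelled on the smb.conf, user.map and log line
# quoted in the thread (trimmed to what the checks below look at).
SMB_CONF = """\
[global]
workgroup = MYDOM
security = ADS
idmap config *:backend = tdb
idmap config *:range = 80001-90000
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-80000
vfs objects = acl_xattr
username map = /etc/samba/user.map
vfs objects = recycle
recycle: repository = .Papierkorb/%u
"""
USER_MAP = "!root = MYDOM\\domainadmin\n"
SMBD_LOG = (
    "[2018/07/24 10:30:00.822403,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)\n"
    "  create_canon_ace_lists: unable to map SID "
    "S-1-5-21-1234567898-1234567897-123456789-2996 to uid or gid.\n"
)
IDMAP_RE = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(backend|range)$", re.I)
SID_RE = re.compile(r"unable to map SID (S-1-5-21-\d+-\d+-\d+)-(\d+) to uid or gid")


def parse_smb_conf(text):
    """{section: [(key, value), ...]}, keeping every occurrence of a key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((" ".join(key.split()), value.strip()))
    return sections


def duplicate_parameters(sections):
    """Parameters set more than once in a section, values in file order.
    smbd compares names ignoring case and whitespace and keeps the LAST value,
    so in the posted config 'vfs objects = recycle' silently replaces acl_xattr."""
    dups = {}
    for name, params in sections.items():
        seen = {}
        for key, value in params:
            seen.setdefault("".join(key.lower().split()), []).append(value)
        dups.update({(name, k): v for k, v in seen.items() if len(v) > 1})
    return dups


def idmap_ranges(sections):
    """{domain: (backend, low, high)} from the 'idmap config DOM:...' lines."""
    backends, limits = {}, {}
    for key, value in sections.get("global", []):
        m = IDMAP_RE.match(key)
        if m and m.group(2).lower() == "backend":
            backends[m.group(1)] = value
        elif m:
            limits[m.group(1)] = tuple(int(x) for x in value.split("-"))
    return {d: (backends.get(d),) + limits.get(d, (None, None))
            for d in set(backends) | set(limits)}


def uid_in_domain_range(ranges, domain, uid):
    """idmap_ad only uses a uidNumber that lies inside the domain's range."""
    _, low, high = ranges[domain]
    return low is not None and low <= uid <= high


def unmapped_sids(log_text):
    """(domain SID, RID) pairs from smbd 'unable to map SID' messages."""
    return [(m.group(1), int(m.group(2))) for m in SID_RE.finditer(log_text)]


def parse_user_map(text):
    """[(unix_user, [windows_names], stop)]; a leading '!' means stop at first match."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, windows = line.split("=", 1)
        unix = unix.strip()
        entries.append((unix.lstrip("!").strip(), windows.split(), unix.startswith("!")))
    return entries


def mapped_domain_accounts(entries, domain):
    """Domain accounts the map renames to a local Unix user. The map rewrites the
    login name at session setup only; SIDs inside ACLs still go through idmap, so
    such an account without a uidNumber still produces 'unable to map SID'."""
    prefix = domain.upper() + "\\"
    return [w for _, names, _ in entries for w in names if w.upper().startswith(prefix)]
```

Running the checks on the sample input reports `vfs objects` as set twice with `recycle` as the effective value, MYDOM on the `ad` backend with range 500-80000, RID 2996 of the MYDOM domain SID as the unmapped entry, and MYDOM\domainadmin as the only account that reaches the server through the username map. The duplicate-parameter check is worth keeping around: a dropped acl_xattr changes how Windows ACLs are stored on the share without any warning in the logs.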
Rowland Penny
2018-Jul-24  09:38 UTC
[Samba] Unable to map SID of domain admin although mapped in username map
On Tue, 24 Jul 2018 11:25:33 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Lots of messages in the smbd log file on a Samba file server, which is
> a member of a Samba AD:
>
> [2018/07/24 10:30:00.822403,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
>   create_canon_ace_lists: unable to map SID S-1-5-21-1234567898-1234567897-123456789-2996 to uid or gid.
>
> The SID is that of the domain admin (username: domainadmin) which is
> mapped in a username map file.

Well, take it out of the username map and give 'domainadmin' a
uidNumber attribute, then add 'domainadmin' to 'Domain Admins' or
'Administrators'

> smb.conf:
> ---------
> [global]
> workgroup = MYDOM
> security = ADS
> realm = MYDOM.LAN
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config *:backend = tdb
> idmap config *:range = 80001-90000
>
> # idmap config for the MYDOM domain
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 500-80000
>
> #Samba >= 4.6.0
> #idmap config MYDOM:unix_nss_info = yes
>
> #Samba < 4.6.0
> winbind nss info = rfc2307
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
> username map = /etc/samba/user.map
>
> Dos charset = 850
> unix charset = UTF-8
> interfaces = eth0 eth2
>
> vfs objects = recycle
> recycle: repository = .Papierkorb/%u
> recycle:directory_mode = 0777
> recycle:subdir_mode = 0770
> recycle: keeptree = Yes
> recycle: exclude = *.tmp, *.temp, *.log, *.ldb
> recycle: exclude_dir = tmp
> recycle:versions = Yes
>
> /etc/samba/user.map:
> --------------------
> !root = MYDOM\domainadmin

Change this to '!root = MYDOM\Administrator'

Rowland
Henry Jensen
2018-Jul-24  11:30 UTC
[Samba] Unable to map SID of domain admin although mapped in username map
On Tue, 24 Jul 2018 10:38:53 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > [2018/07/24 10:30:00.822403,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> >   create_canon_ace_lists: unable to map SID S-1-5-21-1234567898-1234567897-123456789-2996 to uid or gid.
> >
> > The SID is that of the domain admin (username: domainadmin) which is
> > mapped in a username map file.
>
> Well, take it out of the username map and give 'domainadmin' a
> uidNumber attribute, then add 'domainadmin' to 'Domain Admins' or
> 'Administrators'
>

The user domainadmin is already a member of "Domain Admins". It was the
main admin account in the NT style domain before the migration. There
was no "Administrator" account. This builtin Administrator was newly
created by classicupgrade.

> > /etc/samba/user.map:
> > --------------------
> > !root = MYDOM\domainadmin
>
> Change this to '!root = MYDOM\Administrator'

I see. I usually work with the "domainadmin" account when doing
administrative tasks, including creating files and directories on the
member file servers, which do belong to root under Unix. When I give
domainadmin a UID, map MYDOM\Administrator as root instead and continue
to work with domainadmin this way, those files would no longer belong
to root, but to domainadmin. Since we do work with Unix rights and
POSIX ACLs on the file servers this may have some undesirable side
effects.

Of course, I could do the work as MYDOM\Administrator instead in the
future. But what would be the difference to the situation like it is
now? Is the builtin Administrator treated by smbd differently than
another arbitrary user which belongs to the "Domain Admins" group
(i.e. has the same rights as the builtin Administrator account)? Or,
rephrasing this question, why would smbd not print

  unable to map SID <SID-of-Administrator> to uid or gid.

to the logs?

Kind regards,

Henry