Samba-3.0.14a:

wbinfo -Y builtingroup_sid can work with/without idmap_rid on ADS. But it couldn't work with idmap_rid on DOMAIN.

By checking the code, the function rid_idmap_get_id_from_sid() only checks if the incoming sid is the same as the workgroup domain sid, by the following comparison:

    470 if ( sid_compare_domain(sid, &sidstr) == 0 )

This would let the first "for" loop continue to the end, and make the loop variable i equal to trust.number (=1). And the code after the loop looks like:

    474 if (i == trust.number) {
    475     DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n",
    476         sid_string_static(sid)));
    477     return NT_STATUS_INVALID_PARAMETER;
    478 }

It leads to an error with "no suitable range available for sid:", even if both idmap uid range and idmap gid range are exactly equal to the idmap_rid range in smb.conf. Obviously, the error message is not improper.

When winbind nested groups is enabled, it works for ADS and Domain level with idmap_rid. Without idmap_rid, the BUILTIN group's gid can also be displayed when 'winbind nested groups = No'.

smb.conf

    [global]
    workgroup = MYDOMAIN
    security = ads or domain
    allow trust domains = no
    idmap backend = idmap_rid:"MYDOMAIN=50000-60000"
    idmap uid = 50000-60000
    idmap gid = 50000-60000
    ......
Guenther, can you take a look at this one? It's the bug we discussed on #samba-technical yesterday. Thanks.
I'm not sure if I fully understand your problem but please try adding a range for BUILTIN as well:

    [global]
    workgroup = MYDOMAIN
    security = ads or domain
    allow trust domains = no
    idmap backend = idmap_rid:"MYDOMAIN=50000-59999,BUILTIN=60000-69999"
    idmap uid = 50000-70000
    idmap gid = 50000-70000

Does your problem still persist then?
When padding the idmap mapping range of the BUILTIN domain to the idmap backend, as you suggested, the problem still persists for me. And also wbinfo -Y doesn't work for MYDOMAIN's SID. I got the following errors for the BUILTIN domain and the MYDOMAIN domain:

    #>wbinfo -Y "S-1-5-32-549"
    Could not convert sid S-1-5-32-549 to gid
    #>wbinfo -Y "S-1-5-21-1078081533-1580818891-725345543-512"
    Could not convert sid S-1-5-21-1078081533-1580818891-725345543-512 to gid

(In reply to comment #2)
> I'm not sure if I fully understand your problem but please try adding a range
> for BUILTIN as well
> [global]
> workgroup = MYDOMAIN
> security = ads or domain
> allow trust domains = no
> idmap backend = idmap_rid:"MYDOMAIN=50000-59999,BUILTIN=60000-69999"
> idmap uid = 50000-70000
> idmap gid = 50000-70000
> Does your problem still persist then ?
My fault, either set "allow trust domains = no" to "yes". It won't allow you to map any other trusted domains (because that is hard-disabled in the code) but allows you to use builtin.

In future releases (attached diff) it will always be possible to assign an id-range for "Builtin". Thanks.
Created attachment 1438
fix to always allow to add id-range for builtin
Fixed in Subversion.
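The range lookup described in the first comment, as a simplified model added here for illustration; it is not Samba source and not part of the thread. The struct, the function name `sid_to_id`, the return codes and the mapping `id = range start + RID` are assumptions; the ranges and SIDs are taken from the smb.conf lines and wbinfo calls quoted above, and the model ignores the "allow trust domains" handling discussed later in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a per-domain id range table; not Samba source. */
struct dom_range { const char *name, *dom_sid; unsigned long min_id, max_id; };

/* Constructed from the thread's smb.conf lines; BUILTIN is the well-known S-1-5-32. */
#define MYDOMAIN_SID "S-1-5-21-1078081533-1580818891-725345543"
static const struct dom_range only_mydomain[] = {
    { "MYDOMAIN", MYDOMAIN_SID, 50000, 60000 },
};
static const struct dom_range with_builtin[] = {
    { "MYDOMAIN", MYDOMAIN_SID, 50000, 59999 },
    { "BUILTIN",  "S-1-5-32",   60000, 69999 },
};

/* 0: *id set; -1: no range for the SID's domain; -2: RID exceeds range; -3: malformed SID. */
int sid_to_id(const struct dom_range *doms, size_t n, const char *sid, unsigned long *id)
{
    const char *dash = strrchr(sid, '-');
    size_t i, domlen;
    unsigned long rid;
    char *end;

    if (dash == NULL || dash[1] == '\0') return -3;
    domlen = (size_t)(dash - sid);          /* everything before the last '-' is the domain SID */
    rid = strtoul(dash + 1, &end, 10);
    if (*end != '\0') return -3;
    for (i = 0; i < n; i++)
        if (strlen(doms[i].dom_sid) == domlen && strncmp(sid, doms[i].dom_sid, domlen) == 0)
            break;
    if (i == n) return -1;                  /* loop ran to the end: "no suitable range available" */
    if (rid > doms[i].max_id - doms[i].min_id) return -2;
    *id = doms[i].min_id + rid;             /* assumption: id = range start + RID */
    return 0;
}

int main(void)
{
    const char *sids[] = { "S-1-5-32-549", MYDOMAIN_SID "-512" };
    for (size_t s = 0; s < 2; s++) {
        unsigned long a = 0, b = 0;
        int ra = sid_to_id(only_mydomain, 1, sids[s], &a);
        int rb = sid_to_id(with_builtin, 2, sids[s], &b);
        printf("%s\n  MYDOMAIN only: rc=%d id=%lu\n  with BUILTIN:  rc=%d id=%lu\n",
               sids[s], ra, a, rb, b);
    }
    return 0;
}
```

With only a MYDOMAIN range the BUILTIN SID matches no table entry and falls into the `i == n` branch, which is the condition the reporter traced to the "no suitable range available" message.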