"No mapping between account names and security IDs was done."

I want to chronicle this in the case someone runs into it in the future.  To begin with, this post very specifically refers to OS X Server, so, if you're seeing this message, and you're joining to a real Windows server or other Samba server, this isn't the answer.

I had to troubleshoot an OS X Server that had a little OpenDirectory meltdown.  That was easy enough to restore, and all of the Macs had no problem logging in and authenticating.  The Windows XP machines on this network, however, couldn't connect up.  Trying to re-join the domain provided by the OS X Server would result in the message "No mapping between account names and security IDs was done."

I immediately ran "net groupmap list".  True to form, everything looked mapped just fine.  Like all other Samba installations, the OS X variant relies on several text and binary files for its configuration:

- /etc/smb.conf
This is the main configuration file, and determines which shares are available, how the server acts, and more.  The Server Admin tool actually does a pretty good job of maintaining this file.  If you ever do need to customize it beyond what SA provides y editing it directly (like, changing the umask for a share, perhaps), lock it with chflags and never use SA to edit it again.

- Contents of /var/samba
This contains various tdb files (trivial database) that samba uses to keep track of group mappings and other settings.

- /var/db/samba/secrets.tdb
Stores the domain SID and ldap admin's password.  Super critical.  You will need to keep this file in-sync if you change your ldap admin password with the opendirectorypdb utility.  It's not well documented, but you can glean some of its use from the the /etc/smb.conf file.  To update the password and admin authority, right from the server, use:

# opendirectorypdbconfig -c set_authenticator -r (ldap-admin) -p (password) -n "/LDAPv3/"

You can also update the SID in secrets.tdb with
# net rpc GETSID
So, what happened in the case of said server?  Interestingly, Apple stores one more bit of information, and not in the file system like the traditional samba config.  It's stored in LDAP.

Launch Workgroup Manager, and make sure you have "Show 'All Records' tab and Inspector" selected in the preferences.  Click on the 'Inspector' tab:

Figure 1: Highlighted inspector tab

Change the drop-down menu to 'Config'.  The first choice in the list is "CIFSServer".  Very strange that this is the only reference to the protocol as CIFS, rather than smb.  This record stores, among other things, two plist files, each of which references the domain SID.  If this doesn't match what samba knows as the SID, things just aren't going to work out.  You can find out what samba thinks the SID is with the net command:
# net getlocalsid example
SID for domain example is: S-1-5-21-345636990-1847564683-8037561256

...where "example" is the domain name in question.  Copy the SID, edit the XMLPlist and apple-xmlplist and paste in the 'correct' SID where appropriate.

You should be able to reset samba by setting the smb server as "Standalone", stopping smb, nuking the contents of /var/samba and /var/db/samba and restarting.  You can them promote to PDC again and test joining the domain.

Do note, though, that user profiles may act up after this SMloBotomy.  There are ways and tools that deal with this, like the 'profiles' utility, and some from Microsoft (that don't ship with Windows Server!!!  Why do I have to download admin utilities separately?).  You can also export the profile ahead of time and mark it for use by 'everyone'.

Presumably, you could go the other way and update your samba SID to match the value stored in the directory.  Frankly, I just found this to be a little easier: no group remapping involved.

Why the directory wasn't updated after configuring (and reconfiguring) samba is a bit odd.  Not sure if you can just nuke the CIFSServer record and let it reconstruct.  I get the feeling this is a bug buried somewhere, but I really haven't had the time to do any in-depth testing.

Hope that helps someone out there!


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Woah. You just saved me with

Woah. You just saved me with this one, man... I don't know *how* you figured it out, but simply copy n' pasting the SID into the inspector in Server Admin fixed it! Strange thing is, though, it came out of nowhere... I was able to successfully bind 5 workstations to my newly-setup Xserve, and all of a sudden I couldn't bind anymore. No changes to OD whatsoever. Repromoting the server to a PDC also had no effect. Thanks a million, man!

Mark Daniel

It is a bit annoying that

It is a bit annoying that demoting doesn't rip those entries out of OD. Not only wouldn't you be able to bind a new machine, but logging in will also fail. Changing your root password will cause this to fail in a slightly different way, but that's why I tried opendirectorypdbconfig.

Really happy it helped.

Kudos to you Edward!

Kudos to you Edward. I found this web page after many, many hours of
reading the Samba HOWTO and Reference Guide and scouring the Apple
support pages, macenterprise.org, and afp548.com, amongst others after
rebuilding a server that wouldn't allow Windows clients to bind.
Following your advice, with a few differences to follow, I had the
several day problem resolved within minutes! If only I had been wise
enough to Google properly sooner!

Unique to my situation and possibly helpful to others:

I didn't use:

# opendirectorypdbconfig -c set_authenticator -r (ldap-admin) -p (password) -n /LDAPv3/


# net rpc GETSID

When I used the Inspector in Workgroup Manager to edit CIFSServer I only
found one of the two files: XMLPlist. Following your instructions for
the single Plist worked.

delete the contents of the two samba directories but leave the directories
make copies of everything before editing

To paraphrase Tennessee Williams: I rely on the kindness of strangers when lost

Happy to Help

Alan - happy to help. You certainly may not have needed every single command. The opendirectorypdbconfig command is only needed if the authenticator gets out of sync between samba and OD - which will give you a similar message. With net rpc GETSID, I just wanted to show a way to retrieve the SID on a working install.

Again, my pleasure - glad it saved you further struggle.

I have been trying to

I have been trying to connect to an OS X Server but I couldn't get all my machines to work because of this error. After carefully reading your directions I have finally done it. All I want to say is thank you very much guys for taking your time and post about it.
Mary-Anne Davis, CEO of Texas home security systems.

I also wanted to get rid of

I also wanted to get rid of this annoying issue. Though, i am newbie to OS X but Edward, i tried your trick, Thanks for help :)


Allen, from HGH Resources