[Samba] Strange GID and UID with winbindd + Samba AD DC

Sven Schwedas sven.schwedas at tao.at
Fri Mar 14 06:38:28 MDT 2014


On 2014-03-14 13:17, Chan Min Wai wrote:
> Dear Stéphane,
> 
> Thank you for the answer. 
> 
> Not all users or groups have UID or GID. 
> 
> I use Windows 7 RAT to edit the users and computer. 
> So I only enable the groups which I think need GID. 
> 
> Did we need to add GID to all groups?
> Including the builtIn and also the default group?

Yes.

> Shouldn't winbind add the builtIn group with default GID. 

There is no default uid/gid for some silly reason, you have to manually
add the posix attributes to all objects you want them to have.

> And skipped the group without GID configure?

It should, but winbind is a bit… special.

> 
> Oh I got the idea wrong?
> 
> Thank you. 
> 
> Regards, 
> Chan Min Wai 
> 
>> Stéphane PURNELLE <stephane.purnelle at corman.be> wrote on 14/03/2014 6:49 PM:
>>
>> Do all groups have a gidnumber?
>>
>> If not, getent group will not work.
>>
>> -----------------------------------
>> Stéphane PURNELLE                         Admin. Systèmes et Réseaux 
>> Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
>>
>> samba-bounces at lists.samba.org wrote on 14/03/2014 11:45:26:
>>
>>> From: Rowland Penny <rowlandpenny at googlemail.com>
>>> To: sambalist <samba at lists.samba.org>, 
>>> Date: 14/03/2014 11:47
>>> Subject: Re: [Samba] Strange GID and UID with winbindd + Samba AD DC
>>> Sent by: samba-bounces at lists.samba.org
>>>
>>>> On 14/03/14 10:23, Harry Jede wrote:
>>>> On 10:43:12 wrote Chan Min Wai:
>>>>> Dear Rowland and Steve,
>>>>>
>>>>> Thank you for the help.
>>>>> So confirm that there is nothing wrong with my configuration.
>>>> no
>>>>
>>>>> But a bug in winbind. :)
>>>> No, I do not think so.
>>> OH, yes there is, I use sssd instead of winbind and do not have this 
>>> problem i.e. 'getent group' lists all domain groups as well as the local 
>>> ones. When I did try to get winbind to work, I got the same result as 
>>> the OP, 'getent passwd' displayed all users, whilst 'getent group' only 
>>> displayed local groups, I had to use 'getent group <a domain group>' to 
>>> get the group to show.
>>>
>>>>> Yea :)
>>>>>
>>>>> Thank again.
>>>> Group mapping is one of the complex things in samba.
>>>> Your configuration may or may not work. It depends on your needs.
>>>>
>>>> i.e. you try to configure a member server. Fine.
>>>>
>>>> your setup:
>>>>
>>>> sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295:
>>>> allowed rodc password replication group:x:4294967295:
>>>> enterprise read-only domain controllers:x:4294967295:
>>>> sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295:
>>>> denied rodc password replication group:x:4294967295:krbtgt
>>>> read-only domain controllers:x:4294967295:
>>>> group policy creator owners:x:4294967295:administrator
>>>> and so on...
>>>>
>>>>
>>>> All these groups have the same gidnumber. So for a POSIX filesystem all
>>>> are the same, but with different names and different members. The winner
>>>> is ??
>>>> One may ask an oracle?
>>>>
>>>>
>>>> You have asked:
>>>> There are some strange value UID/GID
>>>> 4294967295 <-- what number is this?
>>>>
>>>> Short answer:
>>>> (4294967295+1)/1024/1024/1024=4
>>>>
>>>> 4 billion is the highest integer your OS supports.
>>>> This number (minus 1) comes from the idmapping stuff.
>>>>
>>>>
>>>> All your BUILTIN groups have the same gidnumber. So fix your config as
>>>> Rowland posted before.
>>>
>>> He has, that is when he found out that 'getent group' doesn't work. Also
>>> this must surely be another bug, if a range is not given for the builtin
>>> users & groups, winbind shouldn't just return 4294967295 for everything.
>>>
>>> Rowland
>>>
>>>>
>>>> Think about "each group must have a unique gidnumber, on all servers in
>>>> your domain and if you use multiple domains all BUILTIN groups may have
>>>> a unique gidnumber which should be the same for all domains"
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
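
An added example, not part of any message in this thread: a small audit of `getent group` output that flags groups carrying the 4294967295 GID discussed above and groups that share a real GID, since POSIX file permissions cannot tell such groups apart. The `SAMPLE` data, the function names, and the script name in the usage comment are assumptions made for illustration.

```python
import sys
from collections import defaultdict

# 2**32 - 1 is (gid_t)-1 on Linux. The thread reports winbind returning
# this value for groups that have no usable GID mapping.
UNMAPPED_GID = 0xFFFFFFFF

# Constructed sample: the first four lines are copied from the thread,
# the last two are invented to show a normal mapping and a collision.
SAMPLE = """\
denied rodc password replication group:x:4294967295:krbtgt
read-only domain controllers:x:4294967295:
group policy creator owners:x:4294967295:administrator
allowed rodc password replication group:x:4294967295:
domain users:x:10000:
staff:x:10000:alice
"""


def parse_group_lines(text):
    """Yield (name, gid, members) from group(5)-format lines."""
    for line in text.splitlines():
        try:
            # Split from the right: only the last three fields are fixed.
            name, _passwd, gid, members = line.strip().rsplit(":", 3)
            yield name, int(gid), [m for m in members.split(",") if m]
        except ValueError:
            continue  # blank or malformed line, skip it


def audit(text):
    """Return (unmapped group names, {gid: [names]} for shared real GIDs)."""
    unmapped, by_gid = [], defaultdict(list)
    for name, gid, _members in parse_group_lines(text):
        if gid == UNMAPPED_GID:
            unmapped.append(name)
        else:
            by_gid[gid].append(name)
    collisions = {g: n for g, n in by_gid.items() if len(n) > 1}
    return unmapped, collisions


if __name__ == "__main__":
    # Usage: getent group | python3 audit_gids.py   (no pipe: use SAMPLE)
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    unmapped, collisions = audit(data)
    for name in unmapped:
        print(f"UNMAPPED  {name}")
    for gid, names in sorted(collisions.items()):
        print(f"COLLISION gid={gid}: {', '.join(names)}")
```
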
