[Samba] Different "Domain Users" GIDs created by rid backend

Leszek Szczepanowski twinsen at mspanc.net
Wed Dec 14 11:49:19 UTC 2022 

Hi,

I was investigating why one user cannot write to the share.
I recognized by using temporary 777 rights on that share, that despite it
coming as exactly the same group as mine that is "Domain Users", the files
are created with different GID.

drwxrwxrwx+  2 25360 100513 4096 Dec 14 11:27 FFFF
drwxrwxrwx+  2 47740  10513 4096 Dec 14 12:22 TEst123

First one is mine
second one is his

[root at fs01 MK]# wbinfo -U 10513
S-1-5-21-725345543-1060284298-1708537768-513
[root at fs01 MK]# wbinfo -U 100513
S-1-5-21-725345543-1060284298-1708537768-513
[root at fs01 MK]# wbinfo -Y "S-1-5-21-725345543-1060284298-1708537768-513"
100513
[root at fs01 MK]# wbinfo
--lookup-sids="S-1-5-21-725345543-1060284298-1708537768-513"
S-1-5-21-725345543-1060284298-1708537768-513 -> <none>\Domain Users 2
[root at fs01 MK]# wbinfo -n "XXX\domain users"
S-1-5-21-725345543-1060284298-1708537768-513 SID_DOM_GROUP (2)
[root at fs01 MK]# wbinfo -n "domain users"
S-1-5-21-725345543-1060284298-1708537768-513 SID_DOM_GROUP (2)
[root at fs01 MK]# wbinfo -g "Domain Users 2"
[full output of all AD groups]
wbinfo -g "Domain Users gfdsgfdsfdsfdsfdsa"
[same output of all AD groups"

 Here smb.conf:

[global]
        logging = syslog
        clustering = yes
        security = ads
        realm = XXX.REDKNEE.COM
        map acl inherit = yes
        workgroup = XXX
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        ctdb:registry.tdb = yes
        netbios name = FS
        idmap config XXX: backend = rid
        idmap config * : range = 1000-7999
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        dedicated keytab file = /etc/krb5.keytab
        log level = 3
        password server = 172.16.32.5
        idmap config XXX: range = 10000-199999

[symptoms]
        read only = no
        inherit acls = yes
        guest ok = no
        browseable = yes
        path = /mnt/glusterfs/symptoms/
        create mask = 0777
        force create mode = 0777
        directory mask = 0777
        force directory mode = 0777

Please note that 777 is temporary, for debugging purposes :)

Please advice why is that?
-- 
Leszek A. Szczepanowski
twinsen at mspanc.net

More information about the samba mailing list