[Samba] BUILTIN not mapping on DC

Michael Adam obnox at samba.org
Tue Apr 29 06:03:39 MDT 2014


Hi!

Attached is a patch that fixes --gid-info and hence "getent
group" for builtins on the DC. Note that this will not produce
the same GIDs as on a member.

I need to do more testing with this but wanted to
share it for those who are interested.

(And also remember that you should not use a range below 1000
for id mapping on a member on modern Linux/Unix systems, because
you risk clashes with system groups.)

Cheers - Michael

Note: cross-posting to samba-technical since this involves a patch...

On 2014-04-25 at 15:58 -0400, Ryan Bair wrote:
> Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
> 
> I've been bumping my head against GPO issues and am now wondering if it's
> connected to my BUILTIN groups not mapping on my DC.
> 
> For instance on DC:
> sh-4.1# wbinfo --gid-info=544
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 544
> 
> But on a member:
> sh-4.1# wbinfo --gid-info=544
> BUILTIN\administrators:x:544:
> 
> Likewise `getent group BUILTIN\\administrators` fails on the DC.
> 
> Any ideas?
> 
> Here is my smb.conf:
> 
> [global]
>         workgroup = xxx
>         realm = xxx
>         netbios name = SERVER
>         server role = active directory domain controller
>         wins support = yes
>         idmap_ldb:use rfc2307 = yes
>         winbind nss info = rfc2307
>         template shell = /bin/sh
>         dns forwarder = x.x.x.x
>         server services = -smb +s3fs
>         dcerpc endpoint servers = -winreg -srvsvc
>         vfs objects = netatalk
>         unix extensions = no
>         tls enabled = yes
>         tls keyfile = tls/server_AD_DC.key
>         tls certfile = tls/server_AD_DC.crt
>         tls cafile = tls/xxx_CA.crt
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/xxx/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-samr-allow-builtin-groups-for-samr_OpenGroup.patch
Type: text/x-diff
Size: 1753 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140429/7bb9e025/attachment.patch>
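The note above about id mapping ranges below 1000 can be checked mechanically. The following is an added example, not part of the original message or of Samba: it reads the `idmap config DOMAIN : range` lines of a member's smb.conf and reports ranges that start below 1000 or contain a GID already used by a local group. The function names, the sample smb.conf fragment and the sample group file are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the thread): a member-server smb.conf
# fragment whose default range covers GID 544, and a few /etc/group lines.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 500-999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-99999
"""
SAMPLE_ETC_GROUP = """\
root:x:0:
wheel:x:10:
users:x:100:
printadmin:x:544:
"""

# Matches "idmap config <domain> : range = <low>-<high>"; commented-out
# lines do not match because the line must start with the parameter name.
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return [(domain, low, high)] for every idmap range line."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(RANGE_RE.match, conf_text.splitlines()) if m]

def local_gids(group_text):
    """Map gid -> group name from /etc/group-format text."""
    fields = (line.split(":") for line in group_text.splitlines())
    return {int(f[2]): f[0] for f in fields if len(f) >= 3 and f[2].isdigit()}

def audit(conf_text, group_text, floor=1000):
    """Flag ranges starting below `floor` and local GIDs inside any range."""
    findings = []
    gids = local_gids(group_text)
    for dom, low, high in idmap_ranges(conf_text):
        if low < floor:
            findings.append((dom, "below_floor", f"{low}-{high}"))
        for gid, name in sorted(gids.items()):
            if low <= gid <= high:
                findings.append((dom, "gid_clash", f"{gid}:{name}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, SAMPLE_ETC_GROUP):
        print(*finding)
```

On a real member, pass the contents of the actual smb.conf and the output of `getent group` instead of the constructed samples.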