[Samba] BUILTIN not mapping on DC
Michael Adam
obnox at samba.org
Tue Apr 29 06:06:38 MDT 2014
re-posting the patch to samba-technical only
since the samba list seems to destroy my attachments.
(signature bad and whatnot).
Michael
On 2014-04-29 at 14:03 +0200, Michael Adam wrote:
> Hi!
>
> Attached is a patch that fixes --gid-info and hence "getent
> group" for builtins on the DC. Note that this will not produce
> the same GIDs as on a member.
>
> I need to do more testing with this but wanted to
> share it for those who are interested.
>
> (And also remember that you should not use a range below 1000
> for id mapping on a member on modern linux/unix systems, because
> you risk clashes with system groups.)
>
> Cheers - Michael
>
> Note: cross-posting to samba-technical since this involves a patch...
>
> On 2014-04-25 at 15:58 -0400, Ryan Bair wrote:
> > Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
> >
> > I've been bumping my head against GPO issues and am now wondering if it's
> > connected to my BUILTIN groups not mapping on my DC.
> >
> > For instance on DC:
> > sh-4.1# wbinfo --gid-info=544
> > failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for gid 544
> >
> > But on a member:
> > sh-4.1# wbinfo --gid-info=544
> > BUILTIN\administrators:x:544:
> >
> > Likewise `getent group BUILTIN\\administrators` fails on the DC.
> >
> > Any ideas?
> >
> > Here is my smb.conf:
> >
> > [global]
> > workgroup = xxx
> > realm = xxx
> > netbios name = SERVER
> > server role = active directory domain controller
> > wins support = yes
> > idmap_ldb:use rfc2307 = yes
> > winbind nss info = rfc2307
> > template shell = /bin/sh
> > dns forwarder = x.x.x.x
> > server services = -smb +s3fs
> > dcerpc endpoint servers = -winreg -srvsvc
> > vfs objects = netatalk
> > unix extensions = no
> > tls enabled = yes
> > tls keyfile = tls/server_AD_DC.key
> > tls certfile = tls/server_AD_DC.crt
> > tls cafile = tls/xxx_CA.crt
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/xxx/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-samr-allow-builtin-groups-for-samr_OpenGroup.patch
Type: text/x-diff
Size: 1753 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140429/75d96741/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140429/75d96741/attachment.pgp>
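
The caution in the quoted message about id-mapping ranges below 1000 on a member, as an added example that is not part of the original thread or of Samba's code: a Python check that reads `idmap config ... : range` lines from smb.conf text and lists the local groups whose GIDs fall inside any range starting below 1000. The smb.conf and /etc/group contents are constructed samples, and the function names are hypothetical.

```python
import re

# Threshold taken from the message: IDs below 1000 risk clashing with system groups.
SYSTEM_ID_LIMIT = 1000
# Matches e.g. "idmap config * : range = 500-9999"; comment lines (# or ;) never match.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*"
    r"(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$", re.IGNORECASE)

# Constructed sample inputs (not taken from the thread).
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 500-9999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-99999
"""
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:\nchrony:x:996:\npolkitd:x:998:\nnfsnobody:x:65534:\n"

def parse_idmap_ranges(smb_conf_text):
    """Return [(domain, low, high)] for each 'idmap config DOM : range' line."""
    ranges = []
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges.append((m.group("dom"), int(m.group("low")), int(m.group("high"))))
    return ranges

def parse_group_file(group_text):
    """Return {gid: name} from /etc/group style text, skipping malformed lines."""
    groups = {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[int(parts[2])] = parts[0]
    return groups

def find_clashes(smb_conf_text, group_text):
    """List ranges starting below SYSTEM_ID_LIMIT with the local groups inside them."""
    local = parse_group_file(group_text)
    findings = []
    for dom, low, high in parse_idmap_ranges(smb_conf_text):
        if low < SYSTEM_ID_LIMIT:
            hits = sorted((g, n) for g, n in local.items() if low <= g <= high)
            findings.append({"domain": dom, "range": (low, high), "clashing_groups": hits})
    return findings

if __name__ == "__main__":
    print(find_clashes(SAMPLE_SMB_CONF, SAMPLE_GROUP))
```

On a real member, pass the contents of its smb.conf and /etc/group instead of the samples; an empty result means no configured range starts below 1000.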