[Samba] Re: winbind: BUILTIN\users group gid 1001 conflict
Christoph Peus
cp at peus.net
Sun Mar 25 10:19:59 GMT 2007
Don Piven wrote:
> Sez Christoph Peus:
>> Hi everybody,
>>
>> I've joined a fileserver running samba 3.0.24 to an AD domain using
>> winbind and noticed that samba maps the "users" group SID
>> (5-1-5-32-545) to gid 1001 automatically. This seems to conflict with
>> one of ~2000 mappings I had to "inject" in winbinds winbindd_idmap.tdb
>> by use of net idmap dump/restore, because the fileserver had millions
>> of files with certain uid/gid ownership from a local passwd/group
>> before I did the "net ads join". The gid 1001 was allocated to the
>> group "nawi" in /etc/group before.
>> I'm unsure now which problems could be caused by this regarding security.
>> Is it possible - and usefull - to change this mapping to get a
>> "BUILTIN\users" group as expected?
>> Thanks!
>
> Have you checked the "idmap" settings in your smb.conf? In particular,
> "idmap uid" and "idmap gid" specify the range of uid/gid values used to
> map to SIDs.
Thanks for the hint, but both are set to 1000-60000, which is - as far
as I know - the correct setting if domain users/groups SIDs shall
resolve to uids/gids of this range. I assume that winbind should avoid
to use a uid/gid for BUILTIN-groups, which are already in use for a
domain group, but maybe I got something totally wrong here. It's
possible that I still haven't understood the idmap/groupmap scheme
completely yet...
Christoph
More information about the samba
mailing list