[Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Andrew Lyon
andrew.lyon at gmail.com
Fri Oct 22 03:50:24 MDT 2010
On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann
<oliver.weinmann at vega.de> wrote:
> Hi,
>
> Any news regarding this problem? I have tested samba 3.5.6 and the
> problem still persists. I had to downgrade to 3.3 on a few machines now.
>
> Regards,
> Oliver
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Oliver Weinmann
> Sent: Thursday, 9 September 2010 13:13
> To: samba at lists.samba.org
> Subject: [Samba] Samba-winbind 3.5.4 primary group is always
> domainusers!!!???
>
> Dear All,
>
> I stepped over a strange issue today. I have one installation of samba
> winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a
> user is updated immediately. On a newer samba 3.5.4 installation the
> primary group is not updated at all. It always displays "domain users".
> Is there a new setting for the smb.conf? Here is my smb.conf:
>
> [global]
> netbios name = gedail1
> realm = SOMEDOMAIN.NET
> workgroup = SOMEDOMAIN
> security = ADS
> encrypt passwords = true
> password server = server1.somedomain.net server2.somedomain.net
> os level = 20
> idmap backend = ad
> idmap config SOMEDOMAIN : backend = ad
> idmap config SOMEDOMAIN : schema_mode = sfu
> idmap config SOMEDOMAIN : range = 0-99999999
> winbind nss info = sfu
> winbind enum users = yes
> winbind enum groups = yes
> preferred master = no
> winbind nested groups = Yes
> winbind use default domain = Yes
> max log size = 50
> log level = 10
> log file = /var/log/samba/log.%m
> dns proxy = no
> wins server = 172.20.200.18 172.18.200.20
> allow trusted domains = no
> client use spnego = Yes
> use kerberos keytab = true
> winbind refresh tickets = yes
> idmap cache time = 1
> winbind cache time = 1
>
> It's a W2k3 AD Domain.
>
> Regards,
> Oliver
>
I've noticed the same with samba 3.5.6, our administrator user has
primary group name/gid Domain Admins but the primary group on our
linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes
shows the correct gid:

    net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

    sAMAccountName: Domain Users
    objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
    gidNumber: 10000
    sAMAccountName: test
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
    uidNumber: 10009
    gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache
file it updates, so it is definitely being read from AD, but all users
have gid domain users:

    wbinfo -i test
    test:*:10009:10000:test:/home/test:/bin/bash

Andy
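
The comparison made by hand in the message above can be automated across many accounts. The following is an added example, not part of the original thread and not Samba code: it parses `net ads search` attribute output and `wbinfo -i` passwd-style lines and reports users whose winbind primary gid differs from the AD `gidNumber`. The function names are hypothetical, and the sample data is the output quoted in the message.

```python
# Added example. Sample data is the output quoted in the message above.
NET_ADS_OUTPUT = """\
sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
gidNumber: 10000
sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
uidNumber: 10009
gidNumber: 10010
"""
WBINFO_OUTPUT = "test:*:10009:10000:test:/home/test:/bin/bash\n"


def parse_ads_records(text):
    """Split `net ads search` attribute output into one dict per entry."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        # Assumption: an entry ends at a line without "name: value" form
        # (blank or banner) or when the next sAMAccountName line appears.
        if current and (not sep or key == "sAMAccountName"):
            records.append(current)
            current = {}
        if sep:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records


def find_gid_mismatches(ads_text, passwd_text):
    """Return (user, ad_gid, winbind_gid) where winbind disagrees with AD."""
    # Only entries with both uidNumber and gidNumber are user accounts.
    expected = {r["sAMAccountName"].lower(): int(r["gidNumber"])
                for r in parse_ads_records(ads_text)
                if "uidNumber" in r and "gidNumber" in r}
    mismatches = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a passwd-format line
        user = fields[0].split("\\")[-1].lower()  # drop any DOMAIN\ prefix
        if user in expected and expected[user] != int(fields[3]):
            mismatches.append((user, expected[user], int(fields[3])))
    return mismatches


if __name__ == "__main__":
    for user, ad_gid, wb_gid in find_gid_mismatches(NET_ADS_OUTPUT, WBINFO_OUTPUT):
        print(f"{user}: AD gidNumber={ad_gid}, winbind primary gid={wb_gid}")
```

A mismatch matters beyond display: new files are created with the primary gid, so a user silently mapped to domain users gets different group ownership than AD specifies.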