[Samba] BUILTIN not mapping on DC
Rowland Penny
rowlandpenny at googlemail.com
Tue Apr 29 10:44:10 MDT 2014
On 29/04/14 13:03, Michael Adam wrote:
> Hi!
>
> Attached is a patch that fixes --gid-info and hence "getent
> group" for builtins on the DC. Note that this will not produce
> the same GIDs as on a member.
>
> I need to do more testing with this but wanted to
> share it for those who are interested.
>
> (And also remember that you should not use a range below 1000
> for id mapping on a member on modern linux/unix systems, because
> you risk clashes with system groups.)
>
> Cheers - Michael
>
> Note: cross-posting to samba-technical since this involves a patch...
>
> On 2014-04-25 at 15:58 -0400, Ryan Bair wrote:
>> Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
>>
>> I've been bumping my head against GPO issues and am now wondering if its
>> connected to my BUILTIN groups not mapping on my DC.
>>
>> For instance on DC:
>> sh-4.1# wbinfo --gid-info=544
>> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for gid 544
>>
>> But on a member:
>> sh-4.1# wbinfo --gid-info=544
>> BUILTIN\administrators:x:544:
>>
>> Likewise `getent group BUILTIN\\administrators` fails on the DC.
>>
>> Any ideas?
>>
>> Here is my smb.conf:
>>
>> [global]
>> workgroup = xxx
>> realm = xxx
>> netbios name = SERVER
>> server role = active directory domain controller
>> wins support = yes
>> idmap_ldb:use rfc2307 = yes
>> winbind nss info = rfc2307
>> template shell = /bin/sh
>> dns forwarder = x.x.x.x
>> server services = -smb +s3fs
>> dcerpc endpoint servers = -winreg -srvsvc
>> vfs objects = netatalk
>> unix extensions = no
>> tls enabled = yes
>> tls keyfile = tls/server_AD_DC.key
>> tls certfile = tls/server_AD_DC.crt
>> tls cafile = tls/xxx_CA.crt
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/xxx/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
OK, it works with 4.1.7, for the first time I can 'getent group' and get
domain groups:
root:x:0:
...........
DOMAIN\Enterprise Read-Only Domain Controllers:*:3000025:
DOMAIN\Domain Admins:*:3000010:
DOMAIN\Domain Users:*:10000:
DOMAIN\Domain Guests:*:3000003:
DOMAIN\Domain Computers:*:3000020:
DOMAIN\Domain Controllers:*:3000026:
DOMAIN\Schema Admins:*:3000007:
DOMAIN\Enterprise Admins:*:3000011:
DOMAIN\Group Policy Creator Owners:*:3000009:
DOMAIN\Read-Only Domain Controllers:*:3000027:
DOMAIN\DnsUpdateProxy:*:3000028:
Thank you very much ;-)
Rowland
More information about the samba
mailing list