[Samba] BUILTIN not mapping on DC

Rowland Penny rowlandpenny at googlemail.com
Tue Apr 29 10:44:10 MDT 2014


On 29/04/14 13:03, Michael Adam wrote:
> Hi!
>
> Attached is a patch that fixes --gid-info and hence "getent
> group" for builtins on the DC. Note that this will not produce
> the same GIDs as on a member.
>
> I need to do more testing with this but wanted to
> share it for those who are interested.
>
> (And also remember that you should not use a range below 1000
> for id mapping on a member on modern linux/unix systems, because
> you risk clashes with system groups.)
>
> Cheers - Michael
>
> Note: cross-posting to samba-technical since this involves a patch...
>
> On 2014-04-25 at 15:58 -0400, Ryan Bair wrote:
>> Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
>>
>> I've been bumping my head against GPO issues and am now wondering if it's
>> connected to my BUILTIN groups not mapping on my DC.
>>
>> For instance on DC:
>> sh-4.1# wbinfo --gid-info=544
>> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for gid 544
>>
>> But on a member:
>> sh-4.1# wbinfo --gid-info=544
>> BUILTIN\administrators:x:544:
>>
>> Likewise `getent group BUILTIN\\administrators` fails on the DC.
>>
>> Any ideas?
>>
>> Here is my smb.conf:
>>
>> [global]
>>          workgroup = xxx
>>          realm = xxx
>>          netbios name = SERVER
>>          server role = active directory domain controller
>>          wins support = yes
>>          idmap_ldb:use rfc2307 = yes
>>          winbind nss info = rfc2307
>>          template shell = /bin/sh
>>          dns forwarder = x.x.x.x
>>          server services = -smb +s3fs
>>          dcerpc endpoint servers = -winreg -srvsvc
>>          vfs objects = netatalk
>>          unix extensions = no
>>          tls enabled = yes
>>          tls keyfile = tls/server_AD_DC.key
>>          tls certfile = tls/server_AD_DC.crt
>>          tls cafile = tls/xxx_CA.crt
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/xxx/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
OK, it works with 4.1.7. For the first time I can 'getent group' and get
domain groups:

root:x:0:
...........
DOMAIN\Enterprise Read-Only Domain Controllers:*:3000025:
DOMAIN\Domain Admins:*:3000010:
DOMAIN\Domain Users:*:10000:
DOMAIN\Domain Guests:*:3000003:
DOMAIN\Domain Computers:*:3000020:
DOMAIN\Domain Controllers:*:3000026:
DOMAIN\Schema Admins:*:3000007:
DOMAIN\Enterprise Admins:*:3000011:
DOMAIN\Group Policy Creator Owners:*:3000009:
DOMAIN\Read-Only Domain Controllers:*:3000027:
DOMAIN\DnsUpdateProxy:*:3000028:

Thank you very much ;-)

Rowland
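Michael's aside about not using an id mapping range below 1000 on a member server is the kind of thing that is easy to check before winbind ever starts handing out GIDs. The script below is an added example, not code from the Samba project or from anyone in this thread: it parses the `idmap config <domain> : range = low - high` lines of an smb.conf (those are standard Samba idmap parameters), parses `/etc/group`-formatted text, and reports any configured range that overlaps an existing local GID or starts below the 1000 threshold Michael mentions. Both the member-server smb.conf fragment and the group file lines are constructed samples; the `ryan` local group and the range `500 - 1999` are deliberately set up to collide so the check has something to find.

```python
import re

# Constructed smb.conf fragment for a *member* server (not the DC config from
# the thread). The low "*" range is the mistake the check is meant to catch.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = xxx
        security = ads
        idmap config * : backend = tdb
        idmap config * : range = 500 - 1999
        idmap config XXX : backend = rid
        idmap config XXX : range = 10000 - 999999
"""

# Constructed /etc/group lines: system groups plus one locally created user group.
SAMPLE_ETC_GROUP = """\
root:x:0:
bin:x:1:
daemon:x:2:
wheel:x:10:
nobody:x:99:
sshd:x:74:
ryan:x:500:
"""

# Matches e.g. "idmap config * : range = 500 - 1999" (domain may be "*").
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(?P<domain>\S+)\s*:\s*range\s*=\s*(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line in conf_text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("domain")] = (int(m.group("low")), int(m.group("high")))
    return ranges


def parse_group_file(group_text):
    """Return {gid: name} from /etc/group-formatted text (name:passwd:gid:members)."""
    gids = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        gids[int(fields[2])] = fields[0]
    return gids


def find_clashes(ranges, local_gids, system_gid_max=999):
    """Flag ranges that overlap existing local GIDs or start at/below system_gid_max.

    system_gid_max defaults to 999, i.e. the "below 1000" rule from the thread.
    """
    findings = []
    for domain, (low, high) in ranges.items():
        overlapping = sorted(
            (gid, name) for gid, name in local_gids.items() if low <= gid <= high
        )
        below = low <= system_gid_max
        if overlapping or below:
            findings.append({
                "domain": domain,
                "range": (low, high),
                "below_system_max": below,
                "local_groups": overlapping,
            })
    return findings


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_SMB_CONF)
    local = parse_group_file(SAMPLE_ETC_GROUP)
    for f in find_clashes(ranges, local):
        low, high = f["range"]
        print(f"idmap config {f['domain']} : range = {low} - {high}")
        if f["below_system_max"]:
            print("  starts below 1000: reserved for system groups on modern distros")
        for gid, name in f["local_groups"]:
            print(f"  collides with local group {name} (gid {gid})")
```

Run against a real host by replacing the two constructed strings with the contents of `/etc/samba/smb.conf` and `/etc/group`; a DC using the `idmap_ldb` backend, as in Ryan's config, has no `idmap config ... : range` lines and so produces no findings, which is expected since the DC allocates its IDs from the sam database rather than a configured range.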
