[Samba] Samba 4 AD share: Access denied

Harry Jede walk2sun at arcor.de
Wed Aug 6 14:45:33 MDT 2014

On 21:52:01 wrote Ryan Ashley:
> Alright, I already gave every group a gIDNumber using the "advanced
> features" option via the "Attribute Editor". Each group has a unique
> ID. There are 16 built-in groups (domain admins, domain users, etc)
> and five I have. My last group ended with 10021. The first group was
> 10001. I then stopped S4 on my print-server, deleted
> "group_mapping.tdb", "winbind_cache.tdb", and "winbind_idmap.tdb",
> rebooted the server, and (S4 starts automatically) changed group
> ownership of a directory to "domain admins". When listing the
> directory with "ls -lAn", it showed 70012, not 10001. So they all
> have gIDNumber set now, but it isn't pulling through. What could
> cause that?

Maybe you have xidNumbers and (u)(g)idNumbers?

Run this on your DC:
# ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=70012' 

Then search for this SID in sam.ldb:
# ldbsearch --url=/usr/local/samba/private/sam.ldb objectsid=<returned sid> objectSid uidNumber gidNumber

In my installation:

# ldbsearch --url=/var/lib/samba/private/idmap.ldb xidnumber=3000018 
# record 1
dn: CN=S-1-5-21-2523711511-101154222-1399562269-1104
objectSid: S-1-5-21-2523711511-101154222-1399562269-1104

# ldbsearch --url=/var/lib/samba/private/sam.ldb objectsid=S-1-5-21-2523711511-101154222-1399562269-1104 objectSid uinumber gidnumber
# record 1
dn: CN=user1,CN=Users,DC=ad,DC=schule,DC=lan
objectSid: S-1-5-21-2523711511-101154222-1399562269-1104
gidNumber: 50000


	Harry Jede
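
The two lookups from the reply above, chained into one script. This is an added example, not code from the original post or from Samba. The function names (ldif_attr, compare_ids, xid_report) are hypothetical, and the default paths are the ones from the second installation shown in the post.

```shell
#!/bin/sh
# Added example: chains the two ldbsearch lookups described in the post.
# Default paths are taken from the post's second installation; override via env.
IDMAP_LDB=${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}

# Print the first value of attribute $1 from ldbsearch LDIF read on stdin
# (attribute name is case-insensitive; lines like "# record 1" never match).
ldif_attr() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) ":" }
        tolower($1) == want { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Compare the id shown by "ls -n" ($1) with the uidNumber/gidNumber
# found in a sam.ldb record ($3); $2 is the SID, used for reporting only.
compare_ids() {
    uid=$(printf '%s\n' "$3" | ldif_attr uidNumber)
    gid=$(printf '%s\n' "$3" | ldif_attr gidNumber)
    if [ "$1" = "$uid" ] || [ "$1" = "$gid" ]; then
        verdict=MATCH
    else
        verdict=MISMATCH
    fi
    echo "$verdict xid=$1 sid=$2 uidNumber=${uid:-unset} gidNumber=${gid:-unset}"
}

# Resolve xid -> SID in idmap.ldb, then SID -> uidNumber/gidNumber in sam.ldb.
xid_report() {
    # Accept digits only, so the value cannot alter the search filter.
    case $1 in ''|*[!0-9]*) echo "xid must be numeric" >&2; return 2 ;; esac
    sid=$(ldbsearch --url="$IDMAP_LDB" "xidNumber=$1" objectSid | ldif_attr objectSid)
    [ -n "$sid" ] || { echo "no idmap.ldb entry for xid $1" >&2; return 1; }
    sam=$(ldbsearch --url="$SAM_LDB" "objectSid=$sid" objectSid uidNumber gidNumber)
    compare_ids "$1" "$sid" "$sam"
}

# Run only when called with an id, e.g.: sh xid_report.sh 70012
if [ $# -gt 0 ]; then xid_report "$1"; fi
```

A MISMATCH line means the number seen with "ls -n" is the xidNumber held in idmap.ldb and differs from the uidNumber/gidNumber stored on the object in sam.ldb.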
