[Samba] Winbind rid + SID History creating duplicate per-user groups

Rowland Penny rowlandpenny at googlemail.com
Mon Jul 28 09:42:47 MDT 2014


On 28/07/14 15:52, Josh Kelley wrote:
> I had seen that the idmap directives were deprecated, and I tried
> updating them, but it didn't help.  I tried both
>      idmap config * : backend  = rid
>      idmap config * : range = 10000-30000
> and
>      idmap config MYDOMAIN : backend = rid
>      idmap config MYDOMAIN : range = 10000-30000
>
> Users are created on the Active Directory servers (by another
> department at our company).  As far as I can tell, the user groups
> (like my jkelley group) are coming from winbind itself: they're not in
> /etc/group or /etc/gshadow, they don't show up in Active Directory
> Users and Computers, but they do show up if I run wbinfo --group-info.
>
> Here's my complete smb.conf.
>
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN.LOCAL
>     server string = %h server (Samba, Ubuntu)
>     dns proxy = no
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     security = ads
>     encrypt passwords = true
>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
>     idmap backend = rid
>     idmap uid = 10000-30000
>     idmap gid = 10000-30000
>     template homedir = /home/%U
>     template shell = /bin/bash
>     winbind enum groups = yes
>     winbind enum users = yes
>     winbind use default domain = yes
>     winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
>     usershare allow guests = yes
>
> [homes]
>     comment = Home Directories
>     browseable = no
>     read only = no
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
>
> [printers]
>     comment = All Printers
>     browseable = no
>     path = /var/spool/samba
>     printable = yes
>     guest ok = no
>     read only = yes
>     create mask = 0700
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>     browseable = yes
>     read only = yes
>     guest ok = no
>
> And /etc/nsswitch.conf, just in case it helps:
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> #hosts:          files dns
> hosts:          files dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
There is quite a lot of your smb.conf that is not really required any 
more, have a look here:

  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

I know it says that it is for a member server, but the same setup can be 
used for a linux client.

I do not think that winbind itself can create users and groups; 
simplifying things a lot, it just pulls info from somewhere, in this 
case the AD database, so if your users have a group with the same name 
as their username, somebody or something is creating them.

Rowland
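As an added illustration of the `idmap config ... : backend = rid` lines in the quoted smb.conf (this is not code from the thread or from Samba), the script below mimics what idmap_rid does with a SID: it adds the RID to the low end of the configured range and refuses the mapping if the result lands above the high end, which is the behaviour idmap_rid(8) documents. It then compares the poster's wildcard form (`idmap config * : backend = rid`, one range for every domain) with the per-domain form using disjoint ranges. The domain SIDs, the NetBIOS names, the RIDs and the sidHistory scenario are constructed sample data, not values from the poster's forest, and `find_collisions` is a helper written for this example.

```python
"""Added example (not from the thread or from Samba): idmap_rid arithmetic
and the ID collision you get when several domains share one rid range.

Documented idmap_rid behaviour: unix_id = range_low + RID; the mapping
fails when unix_id exceeds range_high.  Everything else here (domain
SIDs, names, RIDs) is constructed sample data."""
import re
from collections import defaultdict

# A domain SID followed by a RID, e.g. S-1-5-21-1111-2222-3333-1105
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-style SID, else raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid, ranges, domains):
    """Mimic idmap_rid for one SID.

    ranges:  {"MYDOMAIN": (10000, 30000)} or {"*": (low, high)}, as in
             the 'idmap config <domain> : range' lines of smb.conf.
    domains: {domain_sid: netbios_name}, so a SID can be tied to a domain.

    Returns range_low + RID, or None when no range applies or the result
    is outside the range (winbind would then report no mapping).
    """
    dom_sid, rid = split_sid(sid)
    name = domains.get(dom_sid)
    rng = ranges.get(name) or ranges.get("*")
    if rng is None:
        return None
    low, high = rng
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def find_collisions(sids, ranges, domains):
    """Return {unix_id: [sids]} for every Unix ID claimed by more than one SID."""
    by_id = defaultdict(list)
    for sid in sids:
        unix_id = rid_to_unix_id(sid, ranges, domains)
        if unix_id is not None:
            by_id[unix_id].append(sid)
    return {i: s for i, s in by_id.items() if len(s) > 1}


# Constructed sample: two domains whose objects happen to share RID 1105,
# e.g. a user's current SID and a sidHistory entry from the old domain.
DOMAINS = {
    "S-1-5-21-1111-2222-3333": "MYDOMAIN",
    "S-1-5-21-4444-5555-6666": "OLDDOMAIN",
}
SAMPLE_SIDS = [
    "S-1-5-21-1111-2222-3333-1105",  # hypothetical user in MYDOMAIN
    "S-1-5-21-4444-5555-6666-1105",  # hypothetical sidHistory entry, OLDDOMAIN
    "S-1-5-21-1111-2222-3333-513",   # Domain Users (well-known RID 513)
]

# The poster's wildcard form: every domain is squeezed into 10000-30000.
SHARED = {"*": (10000, 30000)}
# Per-domain form with ranges that cannot overlap.
DISJOINT = {"MYDOMAIN": (10000, 30000), "OLDDOMAIN": (40000, 60000)}

if __name__ == "__main__":
    for label, cfg in (("shared '*' range", SHARED), ("disjoint ranges", DISJOINT)):
        print(label)
        for sid in SAMPLE_SIDS:
            print(f"  {sid} -> {rid_to_unix_id(sid, cfg, DOMAINS)}")
        print("  collisions:", find_collisions(SAMPLE_SIDS, cfg, DOMAINS))
    # A RID that does not fit: 10000 + 25000 > 30000, so no mapping.
    print("RID 25000 in 10000-30000 ->",
          rid_to_unix_id("S-1-5-21-1111-2222-3333-25000", SHARED, DOMAINS))
```

With the shared range both RID-1105 SIDs resolve to 11105, so two different objects claim one Unix ID; with a range per domain the OLDDOMAIN entry lands at 41105 and the clash disappears. The range check is the other thing to keep in mind when sizing `idmap config ... : range`: a RID larger than the range width simply gets no mapping.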


