[Samba] Strange GID and UID with winbindd + Samba AD DC
Rowland Penny
rowlandpenny at googlemail.com
Fri Mar 14 04:45:26 MDT 2014
On 14/03/14 10:23, Harry Jede wrote:
> On 10:43:12 wrote Chan Min Wai:
>> Dear Rowland and Steve,
>>
>> Thank you for the help.
>> So confirm that there is nothing wrong with my configuration.
> no
>
>> But a Bugs in winbind. :)
> No, i do not think so.
OH, yes there is, I use sssd instead of winbind and do not have this
problem i.e. 'getent group' lists all domain groups as well as the local
ones. When I did try to get winbind to work, I got the same result as
the OP, 'getent passwd' displayed all users, whilst 'getent group' only
displayed local groups, I had to use 'getent group <a domain group>' to
get the group to show.
>> Yea :)
>>
>> Thank again.
> Group mapping is one of the complex things in samba.
> Your configuration may or may not work. It depends on your needs.
>
> i.e. you try to configure a member server. Fine.
>
> your setup:
>
> sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295:
> allowed rodc password replication group:x:4294967295:
> enterprise read-only domain controllers:x:4294967295:
> sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295:
> denied rodc password replication group:x:4294967295:krbtgt
> read-only domain controllers:x:4294967295:
> group policy creator owners:x:4294967295:administrator
> and so on...
>
>
> All these groups has the same gidnumber. So for an posix filesystem all
> are the same, but with different names and different members. The winner
> is ??
> One may ask an oracle?
>
>
> You have asked:
> There are some strange value UID/GID
> 4294967295 <-- what number is this?
>
> Short answer:
> (4294967295+1)/1024/1024/1024=4
>
> 4 billion is the highest integer your OS supports.
> This number (minus 1) comes from the idmapping stuff.
>
>
> All your BUILTIN groups have the same gidnumber. So fix your config as
> Rowland posted before.
He has, that is when he found out that 'getent group' doesn't work. Also
this must surely be another bug, if a range is not given for the builtin
users & groups, winbind shouldn't just return 4294967295 for everything.
Rowland
>
> Think about "each group mmust have a unique gidnumber, on all servers in
> your domain and if you use multiple domains all BUILTIN groups may have
> a uniq gidnumber which should be the same for all domains"
>
>
More information about the samba
mailing list