[Samba] Strange GID and UID with winbindd + Samba AD DC

Stéphane PURNELLE stephane.purnelle at corman.be
Fri Mar 14 04:49:32 MDT 2014


Do all groups have a gidnumber?

If not, getent group will not work.

-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 14/03/2014 11:45:26:

> From : Rowland Penny <rowlandpenny at googlemail.com>
> To : sambalist <samba at lists.samba.org>, 
> Date : 14/03/2014 11:47
> Subject : Re: [Samba] Strange GID and UID with winbindd + Samba AD DC
> Sent by : samba-bounces at lists.samba.org
> 
> On 14/03/14 10:23, Harry Jede wrote:
> > On 10:43:12 wrote Chan Min Wai:
> >> Dear Rowland and Steve,
> >>
> >> Thank you for the help.
> >> So confirm that there is nothing wrong with my configuration.
> > no
> >
> >> But a Bugs in winbind. :)
> > No, I do not think so.
> OH, yes there is, I use sssd instead of winbind and do not have this 
> problem i.e. 'getent group' lists all domain groups as well as the local 
> ones. When I did try to get winbind to work, I got the same result as 
> the OP, 'getent passwd' displayed all users, whilst 'getent group' only 
> displayed local groups, I had to use 'getent group <a domain group>' to 
> get the group to show.
> 
> >> Yea :)
> >>
> >> Thank again.
> > Group mapping is one of the complex things in samba.
> > Your configuration may or may not work. It depends on your needs.
> >
> > i.e. you try to configure a member server. Fine.
> >
> > your setup:
> >
> > sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295:
> > allowed rodc password replication group:x:4294967295:
> > enterprise read-only domain controllers:x:4294967295:
> > sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295:
> > denied rodc password replication group:x:4294967295:krbtgt
> > read-only domain controllers:x:4294967295:
> > group policy creator owners:x:4294967295:administrator
> > and so on...
> >
> >
> > All these groups have the same gidnumber. So for a posix filesystem all
> > are the same, but with different names and different members. The winner
> > is ??
> > One may ask an oracle?
> >
> >
> > You have asked:
> > There are some strange value UID/GID
> > 4294967295 <-- what number is this?
> >
> > Short answer:
> > (4294967295+1)/1024/1024/1024=4
> >
> > 4 billion is the highest integer your OS supports.
> > This number (minus 1) comes from the idmapping stuff.
> >
> >
> > All your BUILTIN groups have the same gidnumber. So fix your config as
> > Rowland posted before.
> 
> He has, that is when he found out that 'getent group' doesn't work. Also 
> this must surely be another bug, if a range is not given for the builtin 
> users & groups, winbind shouldn't just return 4294967295 for everything.
> 
> Rowland
> 
> >
> > Think about "each group must have a unique gidnumber, on all servers in
> > your domain and if you use multiple domains all BUILTIN groups may have
> > a unique gidnumber which should be the same for all domains"
> >
> >
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
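
A check for the symptom discussed in this thread, as an added example that is not part of any poster's message: it parses `getent group`-style lines and reports groups whose GID is 4294967295 (2^32 - 1, i.e. -1 held in an unsigned 32-bit gid_t) as well as real GIDs shared by more than one group, since groups with the same GID are indistinguishable to POSIX permission checks. The sample lines are taken from the output quoted above plus two constructed local entries; the function names and the `--live` switch are this example's own.

```python
import subprocess
import sys
from collections import defaultdict

UNMAPPED_GID = 0xFFFFFFFF  # 4294967295: -1 held in an unsigned 32-bit gid_t

# Group lines quoted in the thread, plus two constructed local entries.
SAMPLE = """\
root:x:0:
users:x:100:alice
allowed rodc password replication group:x:4294967295:
denied rodc password replication group:x:4294967295:krbtgt
read-only domain controllers:x:4294967295:
group policy creator owners:x:4294967295:administrator
"""


def parse_group_lines(text):
    """Yield (name, gid, members) for each name:passwd:gid:members line."""
    for line in text.splitlines():
        # AD group names may contain spaces, so split the fixed fields from the right.
        parts = line.rsplit(":", 3)
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip blank or malformed lines
        name, _passwd, gid, members = parts
        yield name, int(gid), [m for m in members.split(",") if m]


def audit_groups(text):
    """Return (unmapped_names, collisions); collisions maps gid -> group names."""
    by_gid = defaultdict(list)
    for name, gid, _members in parse_group_lines(text):
        by_gid[gid].append(name)
    unmapped = by_gid.pop(UNMAPPED_GID, [])
    collisions = {gid: names for gid, names in by_gid.items() if len(names) > 1}
    return unmapped, collisions


if __name__ == "__main__":
    # With --live, audit this host's own NSS view; otherwise use the sample above.
    if "--live" in sys.argv:
        text = subprocess.run(["getent", "group"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    unmapped, collisions = audit_groups(text)
    for name in unmapped:
        print(f"UNMAPPED  {name!r}: gid {UNMAPPED_GID} is not a usable group ID")
    for gid, names in sorted(collisions.items()):
        print(f"COLLISION gid {gid} shared by: {', '.join(names)}")
```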
