[Samba] Strange GID and UID with winbindd + Samba AD DC

Fri Mar 14 06:17:32 MDT 2014

Dear Stéphane,

Thank you for the answer. 

Not all users or groups have UID or GID. 

I use windows 7 RAT to edit the users and computer. 
So I only enable the groups which I think need GID. 

Did we need to add GID to all groups?
Including the builtIn and also the default group?

Shouldn't winbind add the builtIn group with default GID. 
And skipped the group without GID configure?

Oh I got the idea wrong?

Thank you. 

Regards, 
Chan Min Wai 

> Stéphane PURNELLE <stephane.purnelle at corman.be> 於 14/03/2014 6:49 PTG 寫道：
> 
> is all group have gidnumber ?
> 
> if no.... getent group will not work.
> 
> -----------------------------------
> Stéphane PURNELLE                         Admin. Systèmes et Réseaux 
> Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
> 
> samba-bounces at lists.samba.org wrote on 14/03/2014 11:45:26:
> 
>> De : Rowland Penny <rowlandpenny at googlemail.com>
>> A : sambalist <samba at lists.samba.org>, 
>> Date : 14/03/2014 11:47
>> Objet : Re: [Samba] Strange GID and UID with winbindd + Samba AD DC
>> Envoyé par : samba-bounces at lists.samba.org
>> 
>>> On 14/03/14 10:23, Harry Jede wrote:
>>> On 10:43:12 wrote Chan Min Wai:
>>>> Dear Rowland and Steve,
>>>> 
>>>> Thank you for the help.
>>>> So confirm that there is nothing wrong with my configuration.
>>> no
>>> 
>>>> But a Bugs in winbind. :)
>>> No, i do not think so.
>> OH, yes there is, I use sssd instead of winbind and do not have this 
>> problem i.e. 'getent group' lists all domain groups as well as the local 
> 
>> ones. When I did try to get winbind to work, I got the same result as 
>> the OP, 'getent passwd' displayed all users, whilst 'getent group' only 
>> displayed local groups, I had to use 'getent group <a domain group>' to 
>> get the group to show.
>> 
>>>> Yea :)
>>>> 
>>>> Thank again.
>>> Group mapping is one of the complex things in samba.
>>> Your configuration may or may not work. It depends on your needs.
>>> 
>>> i.e. you try to configure a member server. Fine.
>>> 
>>> your setup:
>>> 
>>> sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295:
>>> allowed rodc password replication group:x:4294967295:
>>> enterprise read-only domain controllers:x:4294967295:
>>> sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295:
>>> denied rodc password replication group:x:4294967295:krbtgt
>>> read-only domain controllers:x:4294967295:
>>> group policy creator owners:x:4294967295:administrator
>>> and so on...
>>> 
>>> 
>>> All these groups has the same gidnumber. So for an posix filesystem
> all
>>> are the same, but with different names and different members. The
> winner
>>> is ??
>>> One may ask an oracle?
>>> 
>>> 
>>> You have asked:
>>> There are some strange value UID/GID
>>> 4294967295 <-- what number is this?
>>> 
>>> Short answer:
>>> (4294967295+1)/1024/1024/1024=4
>>> 
>>> 4 billion is the highest integer your OS supports.
>>> This number (minus 1) comes from the idmapping stuff.
>>> 
>>> 
>>> All your BUILTIN groups have the same gidnumber. So fix your config as
>>> Rowland posted before.
>> 
>> He has, that is when he found out that 'getent group' doesn't work. Also
> 
>> this must surely be another bug, if a range is not given for the builtin
> 
>> users & groups, winbind shouldn't just return 4294967295 for everything.
>> 
>> Rowland
>> 
>>> 
>>> Think about "each group mmust have a unique gidnumber, on all servers
> in
>>> your domain and if you use multiple domains all BUILTIN groups may
> have
>>> a uniq gidnumber which should be the same for all domains"
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba