[Samba] How does one "look at AD" in Samba4.1?

steve steve at steve-ss.com
Mon Mar 17 02:54:12 MDT 2014

On Mon, 2014-03-17 at 15:42 +1000, Stuart Longland wrote:
> Hi Steve,
> On 16/03/14 11:14, steve wrote:
> > On Sun, 2014-03-16 at 10:52 +1000, Stuart Longland wrote:
> >> Not so good.  At this point I'm told to "look at AD and verify that all
> >> groups have GIDs".  I'm managing this from a Linux command line; how
> >> does one do this?
> > 
> > e.g. for Domain Users:
> > ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
> This has been a *big* help.  I knew the information I needed was in LDAP
> somewhere, just didn't know how to get at it to edit it.
> > Now add something like RID+20000:
> > gidNumber: 20513
> You mention "RID", where do I find this?  What's the significance of the
> 20000?

Using Domain Users again as an example, you'll have seen something like:
S-1-5-21-1085031214-1563985344-725345543 513
This nails Domain Users in your domain. No one else has that combination
of characters.

is called the SID. Security ID. It's unique for your domain.

is called the RID. Relative ID

We add 20000 to it simply to move it away from local Linux groups which
are often in the same sort of 500-ish region. This avoids a clash with
local groups. Windows ignores it anyway so it doesn't matter what you
use. Having 513 in it somewhere makes it more readable for others.
> > now:
> > getent group Domain\ Users
> > will return.
> Well, this half-works now: I can do a `getent group 'MYDOMAIN\Domain
> Users', and get a result.
Can you tell us the result? Do you get 20513?

> It doesn't know about 'Domain Users' however: it seems to go looking for
> this in a domain called BNEDEVFS0 (the hostname of the machine).
That comes from:
workgroup =
in smb.conf

If it's working as you expect, just add:
 winbind use default domain = Yes
to smb.conf. This will remove the BNEDEVFSO\ bit.

> That said, it seems to be working well enough that a Windows 2000 and
> Windows XP system are both talking to this domain happily exchanging
> data with it.  (Logons work, files are reported by the Linux server as
> being owned by MYDOMAIN\administrator... it'd be nice to ditch the
> MYDOMAIN\ prefix but at least it works.)
> Should I be concerned about the requirement for this prefix?
How many domains do you have? Is there a subomain for example?

With a lot of this stuff, if it's working and you're in production,
leave it.
Good luck,

More information about the samba mailing list