[Samba] Permission question (AD)

Viktor Trojanovic viktor at troja.ch
Mon Dec 14 02:15:21 UTC 2015

I'm using the AD ID mapping, so I manually give all my users and
groups their respective uidNumbers and gidNumbers.

I created a group of the type "security" with the scope "global" and
added some users to it, then I gave full control permission to said
group to certain files on a member server.

However, the members from this group still can only read those files.
Which is weird, since if I check the effective permissions from within
Windows, it is being confirmed that there should be full control. So,
Windows believes that I should have full permission, but it's not true.

So there must be something weird going on on the Linux side, and I'm a
bit lost right now.

First of all, I gave this particular group the gidNumber 10004, but
when I type "getent group groupname" on the DC, I get some high number
such as 3000049. The same happens for "domain admins" while "domain
users" shows the correct gidNumber.

I might know the reason for this: I created the former two groups a
while ago without giving them an ID - I did so only later, when I
noticed that I forgot to give them an ID. Is this problematic? I
didn't notice any problems with the domain admins group, though
there's only one Admin. But the other group is clearly showing this
issue. What can I do to solve this?

Secondly, does it matter that "getent passwd username" will return
just the domain users group in the group field, but not the additional
group the user is part of?

Should I maybe just delete the group, then recreate it and give it the
correct attributes from the start? What kind of impact will this have
on the shares where the deleted group had permissions, will those be
automatically deleted too and, if not, is it necessary to first remove
all permissions this group has?

Any good advice appreciated.
