[Samba] Permission question (AD)

Viktor Trojanovic viktor at troja.ch
Mon Dec 14 23:32:03 UTC 2015

On 14.12.2015 10:27, Rowland penny wrote:
> On 14/12/15 02:15, Viktor Trojanovic wrote:
>> I'm using the AD ID mapping, so I manually give all my users and
>> groups their respective uidNumbers and gidNumbers.
>> I created a group of the type "security" with the scope "global" and
>> added some users to it, then I gave full control permission to said
>> group to certain files on a member server.
>> However, the members from this group still can only read those files.
>> Which is weird, since if I check the effective permissions from within
>> Windows, it is being confirmed that there should be full control. So,
>> Windows believes that I should have full permission but it's not true.
>> So there must be something weird going on the Linux side, and I'm a
>> bit lost right now.
>> First of all, I gave this particular group the gidNumber 10004, but
>> when I type "getent group groupname" on the DC, I get some high number
>> such as 3000049. The same happens for "domain admins" while "domain
>> users" shows the correct gidNumber.
> Is this on a DC ?
Yes. But I get the same result on the file server.

>> I might know the reason for this: I created the former two groups a
>> while ago without giving them an ID - I did so only later, when I
>> noticed that I forgot to give them an ID. Is this problematic? I
>> didn't notice any problems with the domain admins group, though
>> there's only one Admin. But the other group is clearly showing this
>> issue. What can I do to solve this?
> What do you mean by 'I created the former two groups a while ago',
> the two groups should already exist in AD.
I meant the one security group I created manually. With domain admins, I 
meant that I didn't give it a gidNumber for a long time.

>> Secondly, does it matter that "getent passwd username" will return
>> just the domain users group in the group field, but not the additional
>> group the user is part of?
> No, winbind returns the users primary group and this is always Domain 
> Users, unless you change it, not that I recommend doing this.
OK, understood.
>> Should I maybe just delete the group, then recreate it and give it the
>> correct attributes from the start? What kind of impact will this have
>> on the shares where the deleted group had permissions, will those be
>> automatically deleted too and, if not, is it necessary to first remove
>> all permissions this group has?
> What group are you suggesting deleting ? If Domain Users/Admins, then 
> don't, if it is a group you created (and no you didn't create domain 
> users) then it probably won't help.
> Can you post a bit more info, What OS, your smb.conf etc.
> Rowland

I solved the problem in the meantime. It seems that the issue wasn't 
with the group but somehow, and I really wish to understand how though 
that's hardly a Samba topic, the computer account seems to have become 
"rogue". After I reset the computer account from ADUC and rejoined the 
domain, all worked fine again.

Having said that, I'm still wondering if it can become a problem down 
the road that getent returns the wrong group number. Specifically, what 
happens if I, from Windows, give permission to a user or group to a 
Samba share without having created uidNumber and gidNumber attributes, 
and then create them after the fact? Can this create inconsistencies?
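A consistency check for the situation described in this thread, added here as an example that is not part of the original post or of Samba itself: it compares the gid winbind hands out (what `getent group` prints) against the gidNumber stored in AD, and flags groups that resolve to a different number or have no gidNumber at all, which is how a group ends up in the 3000000+ range the DC allocates on its own. The group names and numbers are constructed samples; on a real system the two inputs would come from `getent group` and an LDAP query for the gidNumber attribute.

```shell
#!/bin/sh
# Constructed sample of `getent group` output on a DC (name:x:gid:members).
# "domain admins" and "fileshare-full" resolve into the DC's own 3000000+
# range even though they were later given a gidNumber in AD;
# "backup-ops" never got one at all.
GETENT_SAMPLE='domain users:x:10000:
domain admins:x:3000000:administrator
fileshare-full:x:3000049:viktor,alice
backup-ops:x:3000051:bob
guests:x:10002:'

# Constructed sample of the gidNumber attributes present in AD (name:gidNumber).
AD_SAMPLE='domain users:10000
domain admins:10001
fileshare-full:10004
guests:10002'

# Print one line per group whose resolved gid differs from the AD gidNumber,
# or which has no gidNumber in AD. Arguments: getent output, AD output.
report_mismatches() {
    getent_out=$1
    ad_out=$2
    printf '%s\n' "$getent_out" | while IFS=: read -r name pw gid rest; do
        expected=$(printf '%s\n' "$ad_out" | awk -F: -v n="$name" '$1 == n { print $2 }')
        if [ -z "$expected" ]; then
            printf '%s: no gidNumber set in AD (resolved as %s)\n' "$name" "$gid"
        elif [ "$gid" != "$expected" ]; then
            printf '%s: getent=%s AD gidNumber=%s\n' "$name" "$gid" "$expected"
        fi
    done
}

# Number of flagged groups; zero means ACLs written with these gids are consistent.
count_mismatches() {
    report_mismatches "$1" "$2" | wc -l | tr -d ' '
}

report_mismatches "$GETENT_SAMPLE" "$AD_SAMPLE"
```

Any group listed by the check will own files on the member server under a gid that no longer matches what AD says, which is exactly the kind of inconsistency the question above is asking about.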