[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"

Rowland Penny rpenny at samba.org
Tue Apr 5 13:52:17 UTC 2016

On 05/04/16 14:32, Jules Houantonon wrote:
> Thank you Rowland for your mail.
> My aim is to create a fileserver with samba4 and with acl supported.
> Users must log on through their windows that are in domain to access
> their shares.
> Samba how to and your explanations open my eyes on the interaction
> between samba users and group with the Linux OS.
> From ADUC, I assign a Unix Attribute to a user account, and
> automatically it is given 10000 as its UID, but the getent command
> still does not display it.

The next one should get 10001

> So in my plan, users should only exist in active directory. Does that 
> mean that getent can still display user or group information that will 
> only exist in AD ?

getent will display users known to the underlying OS, this is done by
specifying what methods to use in /etc/nsswitch.conf. For users, there
is a line that starts 'passwd', this normally contains 'compat' or
'files' and will mean 'getent passwd auser' will return the user's info
found in the file /etc/passwd. If you want to use a different method to
get a user's info, you would add it after 'compat' or 'files'
i.e. to use winbind 'passwd compat winbind'. This would mean that when
you run 'getent passwd auser', the user would be found by first
searching in /etc/passwd (this is why you cannot have users in
/etc/passwd & AD) and then by asking winbind. On a DC, winbind would
assign an xidNumber and then store it in idmap.ldb *or* you can give
each user a 'uidNumber' and then this will be used instead, only problem
is that the old xidNumber will take precedence for a time, but you can
short circuit this by running:

net cache flush

> Sorry if I am missing something.
> Thank you
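
The lookup order described in this message can be checked with a short script. This is an added example, not part of the original thread: the function names and the sample files are constructed for illustration, and it assumes the glibc `database: source ...` line format of nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Print the sources listed for database $2 in nsswitch file $1, in lookup order.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                       # strip comments
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) act = 1          # skip [NOTFOUND=return] actions
                if (!act) print $i
                if ($i ~ /\]$/) act = 0
            }
        }' "$1"
}

# Succeed if winbind is one of the sources for database $2.
nss_uses_winbind() {
    nss_sources "$1" "$2" | grep -qx winbind
}

# Print names from the AD list $2 (one per line) that also exist in the local
# passwd file $1. "compat"/"files" is searched first, so the local entry wins.
shadowed_users() {
    awk -F: 'FNR == NR { ad[$1] = 1; next } $1 in ad { print $1 }' "$2" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data, not copied from a real host.
    printf '%s\n' 'passwd: compat winbind   # AD users via winbind' \
        'group:  compat' 'hosts:  files [NOTFOUND=return] dns' > "$dir/nsswitch.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'auser:x:1000:1000::/home/auser:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'administrator' 'auser' > "$dir/ad_users"

    echo "passwd lookup order: $(nss_sources "$dir/nsswitch.conf" passwd | tr '\n' ' ')"
    for db in passwd group; do
        if nss_uses_winbind "$dir/nsswitch.conf" "$db"; then
            echo "$db: winbind consulted"
        else
            echo "$db: winbind missing, AD entries will not appear in getent"
        fi
    done
    echo "defined locally and in AD: $(shadowed_users "$dir/passwd" "$dir/ad_users")"
    rm -rf "$dir"
}
demo
```

On a real host the functions take /etc/nsswitch.conf and /etc/passwd as arguments; the AD name list can be produced with `wbinfo -u`, whose output may carry a domain prefix depending on the winbind configuration.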
