[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?

[Jeff Sadowski]

More interesting on some machines I upgraded to 16.04 the difference isn't
there between the 2 ways of running id but those 2 groups are listed in
each.

On Tue, Apr 26, 2016 at 11:44 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)
>
> So many things work better
>
> * I can now sudo without having to newgrp first
> * I can now run id and get a list of all groups I am in
> * I can now run getent group and get a list of the domain groups
>
> but I now have two unexpected groups
>
> running the following I get
>
> id | sed 's/,/\n/g' | sort > id_without.txt
> id $USER | sed 's/,/\n/g' | sort > id_with.txt
> diff id_without.txt id_with.txt
> 12a13,14
> > 2000(BUILTIN\administrators)
> > 2001(BUILTIN\users)
>
> 2000 and 2001?
> where did these come from?
> my domain groups start at 8000
> I have powerbroker which I use on this domain and I can easily check which
> groups have ids and 8000 is as low as they go when I sort them.
> My domain admin does not have a gid
> my domain users does and I see it in both listings
>
> Here is my smb.conf
>
> [global]
>    security = ads
>    realm = SUBDOMAIN.DOMAIN.TLD
>    workgroup = SUBDOMAIN
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config SUBDOMAIN:backend = ad
>    idmap config SUBDOMAIN:schema_mode = rfc2307
>    idmap config SUBDOMAIN:range = 8000-9999999
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = yes
>    # so that the groups show up in getent
>    winbind enum groups = yes
>    restrict anonymous = 2
>    #added the following 2 for the Badlock updates that change the defaults
>    #to no longer work with my domain controllers
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
>
>