[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
Jeff Sadowski
jeff.sadowski at gmail.com
Tue Apr 26 17:44:33 UTC 2016
So happy for the BadLock bug; it finally pushed Ubuntu to upgrade Samba :-)
So many things work better
* I can now sudo without having to newgrp first
* I can now run id and get a list of all groups I am in
* I can now run getent group and get a list of the domain groups
But I now have two unexpected groups.
Running the following, I get:
id | sed 's/,/\n/g' | sort > id_without.txt
id $USER | sed 's/,/\n/g' | sort > id_with.txt
diff id_without.txt id_with.txt
12a13,14
> 2000(BUILTIN\administrators)
> 2001(BUILTIN\users)
2000 and 2001?
Where did these come from?
My domain groups start at 8000.
I have powerbroker which I use on this domain and I can easily check which
groups have ids and 8000 is as low as they go when I sort them.
My domain admin does not have a gid.
My domain users does, and I see it in both listings.
Here is my smb.conf:
[global]
security = ads
realm = SUBDOMAIN.DOMAIN.TLD
workgroup = SUBDOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain