[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
Rowland Penny
rpenny at samba.org
Tue Apr 26 18:32:34 UTC 2016
On 26/04/16 18:44, Jeff Sadowski wrote:
> So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)
>
> So many things work better
>
> * I can now sudo without having to newgrp first
> * I can now run id and get a list of all groups I am in
> * I can now run getent group and get a list of the domain groups
>
> but I now have two unexpected groups
>
> running the following I get
>
> id | sed 's/,/\n/g' | sort > id_without.txt
> id $USER | sed 's/,/\n/g' | sort > id_with.txt
> diff id_without.txt id_with.txt
> 12a13,14
>> 2000(BUILTIN\administrators)
>> 2001(BUILTIN\users)
> 2000 and 2001?
> where did these come from?
> my domain groups start at 8000
> I have powerbroker which I use on this domain and I can easily check which
> groups have ids and 8000 is as low as they go when I sort them.
> My domain admin does not have a gid
> my domain users does and I see it in both listings
>
> Here is my smb.conf
>
> [global]
> security = ads
> realm = SUBDOMAIN.DOMAIN.TLD
> workgroup = SUBDOMAIN
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes
> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the defaults
> #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
Your two new groups (not that they are really new) come from here:
idmap config * : range = 2000-7999
Rowland