[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?

Rowland Penny rpenny at samba.org
Tue Apr 26 18:32:34 UTC 2016


On 26/04/16 18:44, Jeff Sadowski wrote:
> So happy for the BadLock bug, it finally pushed Ubuntu to upgrade samba :-)
>
> So many things work better
>
> * I can now sudo without having to newgrp first
> * I can now run id and get a list of all groups I am in
> * I can now run getent group and get a list of the domain groups
>
> but I now have two unexpected groups
>
> running the following I get
>
> id | sed 's/,/\n/g' | sort > id_without.txt
> id $USER | sed 's/,/\n/g' | sort > id_with.txt
> diff id_without.txt id_with.txt
> 12a13,14
>> 2000(BUILTIN\administrators)
>> 2001(BUILTIN\users)
> 2000 and 2001?
> where did these come from?
> my domain groups start at 8000
> I have powerbroker which I use on this domain and I can easily check which
> groups have ids and 8000 is as low as they go when I sort them.
> My domain admin does not have a gid
> my domain users does and I see it in both listings
>
> Here is my smb.conf
>
> [global]
>     security = ads
>     realm = SUBDOMAIN.DOMAIN.TLD
>     workgroup = SUBDOMAIN
>     idmap config * : backend = tdb
>     idmap config * : range = 2000-7999
>     idmap config SUBDOMAIN:backend = ad
>     idmap config SUBDOMAIN:schema_mode = rfc2307
>     idmap config SUBDOMAIN:range = 8000-9999999
>     winbind nss info = rfc2307
>     winbind use default domain = yes
>     # so that the users show up in getent
>     winbind enum users = yes
>     # so that the groups show up in getent
>     winbind enum groups = yes
>     restrict anonymous = 2
>     #added the following 2 for the Badlock updates that change the defaults
>     #to no longer work with my domain controllers
>     ldap server require strong auth = no
>     client ldap sasl wrapping = plain

Your two new groups (not that they are really new) come from here:
idmap config * : range = 2000-7999

Rowland