[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
Jeff Sadowski
jeff.sadowski at gmail.com
Tue Apr 26 19:41:35 UTC 2016
I think I know then. Are those groups from a local samba database?
I might have deleted it in the past and when the upgrade took place it may
have replaced it.
On Tue, Apr 26, 2016 at 12:32 PM, Rowland penny <rpenny at samba.org> wrote:
> On 26/04/16 18:44, Jeff Sadowski wrote:
>
>> So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)
>>
>> So many things work better
>>
>> * I can now sudo without having to newgrp first
>> * I can now run id and get a list of all groups I am in
>> * I can now run getent group and get a list of the domain groups
>>
>> but I now have two unexpected groups
>>
>> running the following I get
>>
>> id | sed 's/,/\n/g' | sort > id_without.txt
>> id $USER | sed 's/,/\n/g' | sort > id_with.txt
>> diff id_without.txt id_with.txt
>> 12a13,14
>>
>>> 2000(BUILTIN\administrators)
>>> 2001(BUILTIN\users)
>>>
>> 2000 and 2001?
>> where did these come from?
>> my domain groups start at 8000
>> I have powerbroker which I use on this domain and I can easily check which
>> groups have ids and 8000 is as low as they go when I sort them.
>> My domain admin does not have a gid
>> my domain users does and I see it in both listings
>>
>> Here is my smb.conf
>>
>> [global]
>> security = ads
>> realm = SUBDOMAIN.DOMAIN.TLD
>> workgroup = SUBDOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config SUBDOMAIN:backend = ad
>> idmap config SUBDOMAIN:schema_mode = rfc2307
>> idmap config SUBDOMAIN:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the defaults
>> #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>>
>
> Your two new groups (not that they are really new) come from here:
>
> idmap config * : range = 2000-7999
>
> Rowland