[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?

Jeff Sadowski jeff.sadowski at gmail.com
Tue Apr 26 19:41:35 UTC 2016


I think I know then. Are those groups from a local samba database?
I might have deleted it in the past and when the upgrade took place it may
have replaced it.

On Tue, Apr 26, 2016 at 12:32 PM, Rowland penny <rpenny at samba.org> wrote:

> On 26/04/16 18:44, Jeff Sadowski wrote:
>
>> So happy for the BadLock bug, it finally pushed Ubuntu to upgrade Samba :-)
>>
>> So many things work better
>>
>> * I can now sudo without having to newgrp first
>> * I can now run id and get a list of all groups I am in
>> * I can now run getent group and get a list of the domain groups
>>
>> but I now have two unexpected groups
>>
>> running the following I get
>>
>> id | sed 's/,/\n/g' | sort > id_without.txt
>> id $USER | sed 's/,/\n/g' | sort > id_with.txt
>> diff id_without.txt id_with.txt
>> 12a13,14
>> > 2000(BUILTIN\administrators)
>> > 2001(BUILTIN\users)
>>
>> 2000 and 2001?
>> where did these come from?
>> my domain groups start at 8000
>> I have powerbroker which I use on this domain and I can easily check which
>> groups have ids and 8000 is as low as they go when I sort them.
>> My domain admin does not have a gid
>> my domain users does and I see it in both listings
>>
>> Here is my smb.conf
>>
>> [global]
>>     security = ads
>>     realm = SUBDOMAIN.DOMAIN.TLD
>>     workgroup = SUBDOMAIN
>>     idmap config * : backend = tdb
>>     idmap config * : range = 2000-7999
>>     idmap config SUBDOMAIN:backend = ad
>>     idmap config SUBDOMAIN:schema_mode = rfc2307
>>     idmap config SUBDOMAIN:range = 8000-9999999
>>     winbind nss info = rfc2307
>>     winbind use default domain = yes
>>     # so that the users show up in getent
>>     winbind enum users = yes
>>     # so that the groups show up in getent
>>     winbind enum groups = yes
>>     restrict anonymous = 2
>>     # added the following 2 for the Badlock updates that change the defaults
>>     # to no longer work with my domain controllers
>>     ldap server require strong auth = no
>>     client ldap sasl wrapping = plain
>>
>
> Your two new groups (not that they are really new) come from here:
>
> idmap config * : range = 2000-7999
>
> Rowland

