[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?

Rowland penny rpenny at samba.org
Tue Apr 26 20:23:15 UTC 2016


On 26/04/16 20:41, Jeff Sadowski wrote:
> I think I know then. Are those groups from a local samba database?
> I might have deleted it in the past and when the upgrade took place it 
> may have replaced it.
>
> On Tue, Apr 26, 2016 at 12:32 PM, Rowland penny <rpenny at samba.org> wrote:
>
>     On 26/04/16 18:44, Jeff Sadowski wrote:
>
>         So happy for BadLock bug it finally pushed Ubuntu to upgrade
>         samba :-)
>
>         So many things work better
>
>         * I can now sudo without having to newgrp first
>         * I can now run id and get a list of all groups I am in
>         * I can now run getent group and get a list of the domain groups
>
>         but I now have two unexpected groups
>
>         running the following I get
>
>         id | sed 's/,/\n/g' | sort > id_without.txt
>         id $USER | sed 's/,/\n/g' | sort > id_with.txt
>         diff id_without.txt id_with.txt
>         12a13,14
>
>             2000(BUILTIN\administrators)
>             2001(BUILTIN\users)
>
>         2000 and 2001?
>         where did these come from?
>         my domain groups start at 8000
>         I have powerbroker which I use on this domain and I can easily
>         check which groups have ids and 8000 is as low as they go when
>         I sort them.
>         My domain admin does not have a gid
>         my domain users does and I see it in both listings
>
>         Here is my smb.conf
>
>         [global]
>             security = ads
>             realm = SUBDOMAIN.DOMAIN.TLD
>             workgroup = SUBDOMAIN
>             idmap config * : backend = tdb
>             idmap config * : range = 2000-7999
>             idmap config SUBDOMAIN:backend = ad
>             idmap config SUBDOMAIN:schema_mode = rfc2307
>             idmap config SUBDOMAIN:range = 8000-9999999
>             winbind nss info = rfc2307
>             winbind use default domain = yes
>             # so that the users show up in getent
>             winbind enum users = yes
>             # so that the groups show up in getent
>             winbind enum groups = yes
>             restrict anonymous = 2
>             #added the following 2 for the Badlock updates that change
>             #the defaults to no longer work with my domain controllers
>             ldap server require strong auth = no
>             client ldap sasl wrapping = plain
>
>
>     Your two new groups (not that they are really new) come from here:
>
>     idmap config * : range = 2000-7999
>
>     Rowland
>

No, they are Active Directory objects:

BUILTIN\administrators has the SID: S-1-5-32-544
BUILTIN\users has the SID: S-1-5-32-545

Rowland




