[Samba] primary group gets set to 100 on Samba AD server after a while

Gerben Roest g.roest at grepit.nl
Thu Apr 28 20:20:35 UTC 2016 

On 26-04-16 23:48, Jonathan Hunter wrote:
> I had similar (ish) issues.
> 
> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of
> the above on my DC to resolve this. (Neither of which I /wanted/ to do..
> but since switching over and running 'net cache flush' etc., the problem
> hasn't reoccurred)

Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to
samba4 + AD, and I have found out that using:

net ads search "(SAMAccountName=someuser)"|egrep
'name|primaryGroupID|gidNumber

for all migrated users their primaryGroupID was set to 513, and their
gidNumber was set to 100.

Adding a new user using Microsoft's RSAT this new user doesn't have a
"gidNumber" setting. I suspect this setting to somehow cause samba to
think that "Domain Users" is 100.

I have removed via RSAT the settings of gidNumber for all active users,
and I hope that will fix it.

Gerben

> 
> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:
> 
>> Hi,
>>
>> using Samba 4.4.2, on the Samba AD server the users have their primary
>> group at 513 (domain users) but after a non-fixed time they get set to
>> 100, like:
>>
>>
>> [root at sambaserver:~]# id john
>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>
>> <few minutes>
>>
>> [root at sambaserver:~]# id john
>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>
>> <few minutes>
>>
>> [root at sambaserver:~]# id john
>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>>
>> then when I "net cache flush" do: they're back at 513... only for a while.
>>
>> The Linux workstations always see the users at 513, this only happens on
>> the Samba server itself. This can happen with intervals of a few
>> minutes, but I've also seen it being "stable" for a few hours.
>>
>> any ideas?
>>
>> thanks,
>>
>> Gerben
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> 
> 
> 


-- 

Grep IT                      tel: 0252-769005
Egelantier 3                 fax: 0252-769006
2211 NN Noordwijkerhout     g.roest at grepit.nl
The Netherlands                 www.grepit.nl

More information about the samba mailing list