[Samba] primary group gets set to 100 on Samba AD server after a while

Gerben Roest g.roest at grepit.nl
Thu Apr 28 22:12:26 UTC 2016 

I did some experimenting on my raspberry pi with samba-4.4.2 as AD
server (fresh install, no upgrade), and adding a new user:

samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash

and then checking it:

root at pi6lan:/etc# wbinfo -i grepit
ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash

root at pi6lan:/etc# id grepit
uid=3000017(ROEST\grepit) gid=100(users)
groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)

my new user's primary group is 100 ! Why?

My smb.conf is really basic:

[global]
	netbios name = PI6LAN
	realm = ROEST.INTERN
	workgroup = ROEST
	dns forwarder = 192.168.13.253
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	template shell = /bin/bash
        template homedir = /home/%U
	winbind use default domain = yes

root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
primaryGroupID: 513
gidNumber: 513

I'm really curious why this new user is set to primary group 100. It
appears not to be caused by samba ad, right?

thanks

Gerben


On 28-04-16 22:20, Gerben Roest wrote:
> On 26-04-16 23:48, Jonathan Hunter wrote:
>> I had similar (ish) issues.
>>
>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of
>> the above on my DC to resolve this. (Neither of which I /wanted/ to do..
>> but since switching over and running 'net cache flush' etc., the problem
>> hasn't reoccurred)
> 
> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to
> samba4 + AD, and I have found out that using:
> 
> net ads search "(SAMAccountName=someuser)"|egrep
> 'name|primaryGroupID|gidNumber
> 
> for all migrated users their primaryGroupID was set to 513, and their
> gidNumber was set to 100.
> 
> Adding a new user using Microsoft's RSAT this new user doesn't have a
> "gidNumber" setting. I suspect this setting to somehow cause samba to
> think that "Domain Users" is 100.
> 
> I have removed via RSAT the settings of gidNumber for all active users,
> and I hope that will fix it.
> 
> Gerben
> 
>>
>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:
>>
>>> Hi,
>>>
>>> using Samba 4.4.2, on the Samba AD server the users have their primary
>>> group at 513 (domain users) but after a non-fixed time they get set to
>>> 100, like:
>>>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> then when I "net cache flush" do: they're back at 513... only for a while.
>>>
>>> The Linux workstations always see the users at 513, this only happens on
>>> the Samba server itself. This can happen with intervals of a few
>>> minutes, but I've also seen it being "stable" for a few hours.
>>>
>>> any ideas?
>>>
>>> thanks,
>>>
>>> Gerben
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>>
> 
> 


-- 

Grep IT                      tel: 0252-769005
Egelantier 3                 fax: 0252-769006
2211 NN Noordwijkerhout     g.roest at grepit.nl
The Netherlands                 www.grepit.nl

More information about the samba mailing list