[Samba] primary group gets set to 100 on Samba AD server after a while
Gerben Roest
g.roest at grepit.nl
Thu Apr 28 22:12:26 UTC 2016
I did some experimenting on my raspberry pi with samba-4.4.2 as AD
server (fresh install, no upgrade), and adding a new user:
samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash
and then checking it:
root at pi6lan:/etc# wbinfo -i grepit
ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash
root at pi6lan:/etc# id grepit
uid=3000017(ROEST\grepit) gid=100(users)
groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)
my new user's primary group is 100 ! Why?
My smb.conf is really basic:
[global]
netbios name = PI6LAN
realm = ROEST.INTERN
workgroup = ROEST
dns forwarder = 192.168.13.253
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
primaryGroupID: 513
gidNumber: 513
I'm really curious why this new user is set to primary group 100. It
appears not to be caused by samba ad, right?
thanks
Gerben
On 28-04-16 22:20, Gerben Roest wrote:
> On 26-04-16 23:48, Jonathan Hunter wrote:
>> I had similar (ish) issues.
>>
>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of
>> the above on my DC to resolve this. (Neither of which I /wanted/ to do..
>> but since switching over and running 'net cache flush' etc., the problem
>> hasn't reoccurred)
>
> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to
> samba4 + AD, and I have found out that using:
>
> net ads search "(SAMAccountName=someuser)"|egrep
> 'name|primaryGroupID|gidNumber
>
> for all migrated users their primaryGroupID was set to 513, and their
> gidNumber was set to 100.
>
> Adding a new user using Microsoft's RSAT this new user doesn't have a
> "gidNumber" setting. I suspect this setting to somehow cause samba to
> think that "Domain Users" is 100.
>
> I have removed via RSAT the settings of gidNumber for all active users,
> and I hope that will fix it.
>
> Gerben
>
>>
>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:
>>
>>> Hi,
>>>
>>> using Samba 4.4.2, on the Samba AD server the users have their primary
>>> group at 513 (domain users) but after a non-fixed time they get set to
>>> 100, like:
>>>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> then when I "net cache flush" do: they're back at 513... only for a while.
>>>
>>> The Linux workstations always see the users at 513, this only happens on
>>> the Samba server itself. This can happen with intervals of a few
>>> minutes, but I've also seen it being "stable" for a few hours.
>>>
>>> any ideas?
>>>
>>> thanks,
>>>
>>> Gerben
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>>
>
>
--
Grep IT tel: 0252-769005
Egelantier 3 fax: 0252-769006
2211 NN Noordwijkerhout g.roest at grepit.nl
The Netherlands www.grepit.nl
More information about the samba
mailing list