[Samba] primary group gets set to 100 on Samba AD server after a while [SOLVED]

Gerben Roest g.roest at grepit.nl
Fri Apr 29 15:40:33 UTC 2016


On 29-04-16 08:45, Rowland penny wrote:
> On 28/04/16 23:12, Gerben Roest wrote:
>> I did some experimenting on my raspberry pi with samba-4.4.2 as AD
>> server (fresh install, no upgrade), and adding a new user:
>>
>> samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash
>>
>> and then checking it:
>>
>> root at pi6lan:/etc# wbinfo -i grepit
>> ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash
>>
>> root at pi6lan:/etc# id grepit
>> uid=3000017(ROEST\grepit) gid=100(users)
>> groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)
>>
>> my new user's primary group is 100 ! Why?
>>
>> My smb.conf is really basic:
>>
>> [global]
>>     netbios name = PI6LAN
>>     realm = ROEST.INTERN
>>     workgroup = ROEST
>>     dns forwarder = 192.168.13.253
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>>     template shell = /bin/bash
>>     template homedir = /home/%U
>>     winbind use default domain = yes
>>
>> root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
>> primaryGroupID: 513
>> gidNumber: 513
>>
>> I'm really curious why this new user is set to primary group 100. It
>> appears not to be caused by samba ad, right?
>>
>> thanks
>>
>> Gerben
>>
>>
>> On 28-04-16 22:20, Gerben Roest wrote:
>>> On 26-04-16 23:48, Jonathan Hunter wrote:
>>>> I had similar (ish) issues.
>>>>
>>>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement
>>>> both of
>>>> the above on my DC to resolve this. (Neither of which I /wanted/ to
>>>> do..
>>>> but since switching over and running 'net cache flush' etc., the
>>>> problem
>>>> hasn't reoccurred)
>>> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to
>>> samba4 + AD, and I have found out that using:
>>>
>>> net ads search "(SAMAccountName=someuser)"|egrep
>>> 'name|primaryGroupID|gidNumber'
>>>
>>> for all migrated users their primaryGroupID was set to 513, and their
>>> gidNumber was set to 100.
>>>
>>> Adding a new user using Microsoft's RSAT this new user doesn't have a
>>> "gidNumber" setting. I suspect this setting to somehow cause samba to
>>> think that "Domain Users" is 100.
>>>
>>> I have removed via RSAT the settings of gidNumber for all active users,
>>> and I hope that will fix it.
>>>
>>> Gerben
>>>
>>>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> using Samba 4.4.2, on the Samba AD server the users have their primary
>>>>> group at 513 (domain users) but after a non-fixed time they get set to
>>>>> 100, like:
>>>>>
>>>>>
>>>>> [root at sambaserver:~]# id john
>>>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>>>
>>>>> <few minutes>
>>>>>
>>>>> [root at sambaserver:~]# id john
>>>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>>>
>>>>> <few minutes>
>>>>>
>>>>> [root at sambaserver:~]# id john
>>>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
>>>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>>>>>
>>>>> then when I do "net cache flush": they're back at 513... only for a
>>>>> while.
>>>>>
>>>>> The Linux workstations always see the users at 513, this only
>>>>> happens on
>>>>> the Samba server itself. This can happen with intervals of a few
>>>>> minutes, but I've also seen it being "stable" for a few hours.
>>>>>
>>>>> any ideas?
>>>>>
>>>>> thanks,
>>>>>
>>>>> Gerben
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
> 
> Because you think that by giving a user a gidNumber, this will be used
> for the user's primary group :-)
> 
> Winbindd will use the user's primaryGroupID attribute, this normally
> contains '513', it will check if this group (normally Domain Users)
> contains a gidNumber and use this if it does. If no gidNumber is found,
> it will then use the mapping in idmap.ldb and this is set to '100'.

Indeed! I have used RSAT to edit the group "Domain Users", tab "UNIX
Attributes", set the NIS Domain, and edit GID to read 513.
It turns out that "net cache flush" and "smbcontrol all reload-config"
are not enough for this change; it worked only after killing samba, net
cache flush and starting samba again.

I also can confirm that if you don't edit "Domain Users" in RSAT,
editing idmap.ldb with (use your own path and sid)

ldbedit -e vim -H /usr/local/samba-4.4/private/idmap.ldb objectsid=<sid
of domain users>

and changing the xidNumber: 100 to 513, and doing smbcontrol all
reload-config and net cache flush also works.

Thanks Rowland!
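As an added illustration (not Samba's code and not from anyone in this thread), a small Python model of the resolution order Rowland describes: the user's own gidNumber is ignored, the primary group's gidNumber wins if present, and idmap.ldb's xidNumber is the fallback. The function names, SIDs and entries below are constructed for the example.

```python
# Added example, not Samba's own code: a model of the primary-group
# resolution order described in the thread, run over constructed
# directory entries. SIDs, RIDs and xidNumbers are sample values only.

DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed domain SID

def resolve_primary_gid(user, groups_by_rid, idmap_ldb):
    """Return (gid, source) the way the thread describes winbindd deriving it.

    The group named by the user's primaryGroupID is looked up; its gidNumber
    is used if present, otherwise the xidNumber stored for that group's SID
    in idmap.ldb. The user's own gidNumber attribute is never consulted.
    """
    group = groups_by_rid[int(user["primaryGroupID"])]
    if "gidNumber" in group:
        return int(group["gidNumber"]), "group gidNumber"
    return int(idmap_ldb[group["objectSid"]]), "idmap.ldb xidNumber"

def groups_without_gidnumber(groups_by_rid):
    """Audit helper: groups whose members will fall back to idmap.ldb."""
    return sorted(g["cn"] for g in groups_by_rid.values() if "gidNumber" not in g)

def sample_directory():
    """Constructed entries mirroring the thread: the user carries gidNumber
    513, Domain Users (RID 513) has none, and idmap.ldb allocated 100 for it."""
    domain_users = {"cn": "Domain Users", "objectSid": f"{DOMAIN_SID}-513"}
    sales = {"cn": "sales", "objectSid": f"{DOMAIN_SID}-1013", "gidNumber": "1013"}
    user = {"sAMAccountName": "grepit", "primaryGroupID": "513", "gidNumber": "513"}
    idmap_ldb = {domain_users["objectSid"]: "100"}
    return user, {513: domain_users, 1013: sales}, idmap_ldb

def fix_via_group_gidnumber():
    """Equivalent of the RSAT 'UNIX Attributes' edit on Domain Users."""
    user, groups, idmap_ldb = sample_directory()
    groups[513]["gidNumber"] = "513"
    return resolve_primary_gid(user, groups, idmap_ldb)

def fix_via_idmap_ldb():
    """Equivalent of the ldbedit change of xidNumber 100 to 513."""
    user, groups, idmap_ldb = sample_directory()
    idmap_ldb[groups[513]["objectSid"]] = "513"
    return resolve_primary_gid(user, groups, idmap_ldb)

if __name__ == "__main__":
    user, groups, idmap_ldb = sample_directory()
    print("as reported:", resolve_primary_gid(user, groups, idmap_ldb))
    print("groups needing a gidNumber:", groups_without_gidnumber(groups))
    print("after RSAT edit:", fix_via_group_gidnumber())
    print("after idmap.ldb edit:", fix_via_idmap_ldb())
```

The model does not cover winbindd's caching, which is why the real server only showed the change after a full restart plus "net cache flush".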
