[Samba] Domain member server: user access

Stefan G. Weichinger lists at xunil.at
Tue Oct 10 07:19:11 UTC 2017

On 2017-10-09 at 21:57, Rowland Penny via samba wrote:
> On Mon, 9 Oct 2017 21:35:39 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> On 2017-10-09 at 21:04, Rowland Penny via samba wrote:
>>> It isn't supposed to work like this and it didn't used to work like
>>> this.
>> Then the software shouldn't allow me to do so and/or give useful 
>> feedback, don't you agree?
> I don't see how you could be stopped from doing this, when a user or
> group first contacts a DC, it is given an 'xidNumber' attribute in
> idmap.ldb, containing the next available number in the '3000000' range.
> If you decide to give this user or group a uidNumber or gidNumber
> attribute, this should be used instead, which is what happens when you
> run 'net cache flush'. The problem is, you shouldn't have to run the
> 'net' command at all and you didn't used to have to. If we could narrow
> it down to when it started not working correctly, it might help.

The admin there created a group via RSAT.
And that group was not visible/usable on the DM server.

Only after that I tried to figure out things on the shell, digging for
the group on both servers via getent and wbinfo.

Until here there was no decision for a uidNumber or gidNumber.
He did not set one via RSAT. Does he have to do that?

I then deleted the group via samba-tool and created it again:

samba-tool group create gfass --nis-domain=arbeitsgruppe --gid-number=10580

If this is wrong, I am happy to learn how to do that correctly.

I understand that running

wbinfo --group-info="gfass"

is problematic as long as the reported bug isn't fixed, correct?

thanks, Stefan
