[Samba] Domain member server: user access

Rowland Penny rpenny at samba.org
Tue Sep 26 11:05:57 UTC 2017


On Tue, 26 Sep 2017 12:49:26 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> 
> > I'm pretty sure this is a bug in the DC part.
> 
> Ahem, sorry, but I'm lost in following this thread. I've just set up my
> test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
> Louis) on a Debian jessie.
> 
> Very minimal configuration:
> 
>  root@vdcsv1:~# samba-tool testparm
>  Press enter to see a dump of your service definitions
>  
>  # Global parameters
>  [global]
>  	netbios name = VDCSV1
>  	realm = AD.FVG.LNF.IT
>  	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>  	workgroup = LNFFVG
>  	server role = active directory domain controller
>  	template homedir = /home/%U
>  	template shell = /bin/bash
>  	idmap_ldb:use rfc2307 = yes
>  
>  [netlogon]
>  	path = /var/lib/samba/sysvol/ad.fvg.lnf.it/scripts
>  	read only = No
>  
>  [sysvol]
>  	path = /var/lib/samba/sysvol
>  	read only = No
> 
> and I've created a user:
> 
>  samba-tool user add gaio --use-username-as-cn --surname=Gaiarin --given-name=Marco --unix-home=/home/gaio --uid=gaio --uid-number=10000 --gecos="Marco Gaiarin" --login-shell=/bin/bash
> 
> and now:
> 
>  root@vdcsv1:~# id gaio
>  uid=10000(LNFFVG\gaio) gid=100(users) gruppi=100(users),10000(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
> 
>  root@vdcsv1:~# getent group "Domain Users"
>  LNFFVG\domain users:x:100:

Try running 'net cache flush' then run the above command again.

>  root@vdcsv1:~# wbinfo -G 100
>  S-1-5-21-160080369-3601385002-3131615632-513
> 
> Have I done something wrong, or is it the domain provisioning in samba-tool
> that associates 'Domain Users' with gid 100?

No, you haven't done anything wrong and yes the provision does set
Domain Users to '100' in idmap.ldb.

> 
> 
> Another question: is there no way to modify users and groups with
> samba-tool? Do I need to drop 'domain users' and recreate it? ;-)

Do not remove Domain Users, but you are correct, there is no way to
modify a user or group with samba-tool (you can do this for a user with
4.7.0), but you can use ldbedit.

Rowland



