[Samba] Domain member server: user access
Rowland Penny
rpenny at samba.org
Tue Sep 26 12:20:35 UTC 2017
On Tue, 26 Sep 2017 13:54:22 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Rowland,
>
> >
> > No, you haven't done anything wrong and yes the provision
> > does set Domain Users to '100' in idmap.ldb.
> >
>
> Ow..
> This I did not know, only wondering why it's not BUILTIN\users (how
> it is in Windows). Do you know as of which version this is? Or as of
> start, I really never noticed this.

I think you are misunderstanding what I wrote ;-)

If you open 'idmap.ldb' and search for 513 (Domain Users RID), you will
find:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

As you can see 'Domain Users' is mapped to the Unix group '100' and if
you look in /etc/group and search for '100', you will find this:

users:x:100:

This means that the Windows group is mapped to the Unix group 'users'
on a DC, up until you give Domain Users a gidNumber, then the ID will
change to the one you placed in the gidNumber attribute in Domain Users.

> Ok, I did read somewhere that
> Samba uses S-1-22-1 for users and S-1-22-2 for groups.

Any idea where?

>
> wbinfo -G 100
> S-1-5-21-3821322978-3959480180-962995944-513
>
> wbinfo -G 10000
> S-1-22-2-10000
>
> S-1-22-2-10000 is the Unix group with uid 10000
> (which is also in my case "Domain Users").
> But how this maps again in Samba, that I really don't know.
>
> Arg, very confusion all..

Even more confusion:

On my DC:

wbinfo -G 100
S-1-5-21-1768301897-3342589593-1064908849-513

wbinfo -G 10000
S-1-5-21-1768301897-3342589593-1064908849-513

I have also compiled 4.7.0 and set it up as a test and I cannot see any
difference between the way 4.6.7 and 4.7.0 works on a DC i.e. '100'
becomes '10000' after I run 'net cache flush'

Rowland
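
Added example (not part of the original message, and not Samba code): a small audit that takes sidMap records dumped from idmap.ldb as text and reports every domain SID whose GID mapping is also a local /etc/group entry, since group permissions on files owned by that local group then apply to the mapped domain group. The function names, the second record and the /etc/group excerpt are constructed for the example; it assumes blank-line separated records in the form quoted in the message.

```python
# Constructed sample data: only the first record comes from the message above.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-1104
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1104
type: ID_TYPE_BOTH
xidNumber: 3000020
"""
ETC_GROUP = "root:x:0:\nusers:x:100:\nnogroup:x:65534:\n"


def parse_sidmap(ldif):
    """Return one dict per sidMap record in blank-line separated LDIF."""
    records = []
    for block in ldif.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                rec[key] = value.strip()
        if rec.get("objectClass") == "sidMap":
            records.append(rec)
    return records


def parse_group(text):
    """Map gid -> name from /etc/group formatted text."""
    rows = (line.split(":") for line in text.splitlines())
    return {int(f[2]): f[0] for f in rows if len(f) >= 3 and f[2].isdigit()}


def local_group_overlaps(ldif, group_text):
    """List (sid, gid, local group) where a SID's GID is also a local group."""
    groups = parse_group(group_text)
    hits = []
    for rec in parse_sidmap(ldif):
        gid = int(rec.get("xidNumber", -1))
        if rec.get("type") in ("ID_TYPE_GID", "ID_TYPE_BOTH") and gid in groups:
            hits.append((rec["objectSid"], gid, groups[gid]))
    return hits


print(local_group_overlaps(IDMAP_LDIF, ETC_GROUP))
```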