[Samba] Domain member server: user access

L.P.H. van Belle belle at bazuin.nl
Tue Sep 26 13:32:13 UTC 2017


Hai, 
> 

> I think you are misunderstanding what I wrote ;-)
That's possible, yes.. Lucky you're better at explaining than me in English.  ;-) 

> 
> If you open 'idmap.ldb' and search for 513 (Domain Users RID), you will find:
> 
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> cn: S-1-5-21-1768301897-3342589593-1064908849-513
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
>  
> As you can see 'Domain Users' is mapped to the Unix group 
> '100' and if you look in /etc/group and search for '100', you 
> will find this:
> 
> users:x:100:
> 
> This means that the Windows group is mapped to the Unix group 'users'
> on a DC, up until you give Domain Users a gidNumber, then the 
> ID will change to the one you placed in the gidNumber 
> attribute in Domain Users.

Aahhh.. Ok, it changes after you set the gid.. That's a good one to remember. 

> 
> > Ok, i did read somewhere that
> > Samba uses S-1-22-1 for users and S-1-22-2 for groups. 
> 
> Any idea where ?
Yes, 
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
(Unmapped users are now assigned a SID in the S-1-22-1 domain and unmapped groups are assigned a SID in the S-1-22-2 domain) 
https://www.samba.org/samba/history/samba-3.0.23c.html

This was the one that led me to the 2 links above. 
https://stackoverflow.com/questions/31109871/mapping-sambas-s-1-22-12-sid-into-names

> 
> > 
> > wbinfo -G 100
> > S-1-5-21-3821322978-3959480180-962995944-513
> > 
> > wbinfo -G 10000
> > S-1-22-2-10000
> > 
> > S-1-22-2-10000 is the unix group with uid 10000 (which is also in my
> > case "Domain Users"). But how this maps again in samba, that I really
> > don't know.
> > 
> > Arg, very confusing all.. 
> 
> Even more confusion:
> 
> On my DC:
> 
> wbinfo -G 100
> S-1-5-21-1768301897-3342589593-1064908849-513
> 
> wbinfo -G 10000
> S-1-5-21-1768301897-3342589593-1064908849-513
> 
> I have also compiled 4.7.0 and set it up as a test and I cannot see any
> difference between the way 4.6.7 and 4.7.0 works on a DC, i.e. '100'
> becomes '10000' after I run 'net cache flush'
> 
> Rowland
> 

And... To make it even more confusing.. 

Now.. I have the same results again. 
So.. Domain Users is mapped to GID 100 if you set the GID yourself (my setup, backend AD),
and it uses the default 10000 from the start of my setup (about 2-3 years ago). 

wbinfo -G 100
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo -G 10000
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

So why am I seeing 100 here and not 10000?
I know for 100% sure this was 10000.
So I did run: net cache flush again. 

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000

And it's back to normal again. Wowhoo. 

Maybe it's wise to always run: net cache flush 
after a Samba upgrade. Thoughts? 

... Ok, now I ssh just to my DC2. 
To make it even stranger, on the exact same server setup as DC1. 

And run the commands (exactly the same). 

ssh dc2

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000  

So looks good...  ( you think ) 

wbinfo -G 100     (still ok..)
S-1-5-21-2934682428-2610421433-476865461-513

wbinfo -G 10000   (still ok..)
S-1-5-21-2934682428-2610421433-476865461-513

Now the wbinfo again ....  

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100

And HUH... 100 ??  But it was 10000. 
Now, if this isn't a bug I don't know. 

And now : 
net cache flush
wbinfo --group-info="Domain Users"
NTDOM\domain users:x:10000  

And it's back to normal, but I'm questioning... For how long....  

So IMHO, very inconsistent results. 

So any more thoughts about this? 



Greetz, 

Louis
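As an added example (not code from the thread or from Samba), the comparison Louis does by hand above can be scripted: parse the idmap.ldb record Rowland quoted and compare it with what winbind answers. The LDIF and wbinfo lines below are constructed from the values in the thread; a gid that differs from xidNumber is what Rowland says to expect once gidNumber is set, while two different xids both resolving to the same SID (the pattern in Louis's output) is the thing worth flagging before trusting the cache.

```python
import re

# Constructed sample: one idmap.ldb record as dumped by ldbsearch, modelled on
# the Domain Users (RID 513) entry quoted in the thread.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
"""


def parse_idmap_ldif(text):
    """Return {objectSid: {"type": ..., "xid": int}} for every sidMap record.
    Records are separated by blank lines, attributes are 'name: value'."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap":
            records[attrs["objectSid"]] = {"type": attrs["type"],
                                           "xid": int(attrs["xidNumber"])}
    return records


def compare_with_winbind(idmap, sid, group_info_line, wbinfo_g):
    """Compare the idmap.ldb record for `sid` with winbind's cached answers.
    group_info_line: one line of `wbinfo --group-info=<name>` (name:x:gid...)
    wbinfo_g: {xid: sid_string} gathered from `wbinfo -G <xid>` calls.
    Returns human-readable differences; an empty list means everything agrees."""
    differences = []
    ldb_xid = idmap[sid]["xid"]
    cached_gid = int(group_info_line.split(":")[2])
    if cached_gid != ldb_xid:
        differences.append(
            f"group-info gid {cached_gid} != idmap.ldb xidNumber {ldb_xid}")
    # Two xids answering with the same SID is the pattern in the thread:
    # both `wbinfo -G 100` and `wbinfo -G 10000` resolved to RID 513.
    xids_for_sid = sorted(x for x, s in wbinfo_g.items() if s == sid)
    if len(xids_for_sid) > 1:
        differences.append(f"xids {xids_for_sid} all resolve to {sid}")
    return differences
```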
