[Samba] Domain member server: user access
Rowland Penny
rpenny at samba.org
Tue Sep 26 14:05:22 UTC 2017
On Tue, 26 Sep 2017 15:32:13 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai,
> >
>
> >
> > > Ok, I did read somewhere that
> > > Samba uses S-1-22-1 for users and S-1-22-2 for groups.
> >
> > Any idea where ?
> Yes,
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
> (Unmapped users are now assigned a SID in the S-1-22-1 domain and
> unmapped groups are assigned a SID in the S-1-22-2 domain)
> https://www.samba.org/samba/history/samba-3.0.23c.html
I feel I am going to have to ask some questions about this, because
clearly neither 'S-1-22-1' nor 'S-1-22-2' is a domain. Unless the '*'
domain's SID is '1-2-22' ??
>
> And... To make it even more confusing..
>
> Now.. I have the same results again.
> So,.. Domain users is mapped to GID 100, if you set GID yourself (my
> setup backend AD), and it uses the default 10000 from start of my
> setup. ( about 2-3 years ago )
>
> wbinfo -G 100
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo -G 10000
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
>
> So why am I seeing 100 here and not 10000.
> I know for 100% sure this was 10000
> So I did run : net cache flush again.
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> And it's back to normal again. Wowhoo.
>
> Maybe it's wise to always run : net cache flush
> After a samba upgrade, Thoughts ?
>
> ... Ok, now i ssh just to my DC2.
> To make it even stranger, on exact same server as DC1.
>
> And the commands run. ( exactly )
>
> ssh dc2
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> So looks good... ( you think )
>
> wbinfo -G 100 Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
>
> wbinfo -G 10000 Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
>
> Now the wbinfo again ....
>
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
>
> And HUH... 100 ?? But it was 10000.
> Now, if this isn't a bug I don't know.
>
> And now :
> net cache flush
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
>
> And it's back to normal, but I'm questioning ... For how long....
>
> So IMHO, very inconsistent results.
>
> So any more thoughts about this?
Yes, if I run the commands on my 2nd DC, I get this:
root@dc3:~# wbinfo -G 100
S-1-5-21-1768301897-3342589593-1064908849-513
root@dc3:~# wbinfo -G 10000
S-1-5-21-1768301897-3342589593-1064908849-513
root@dc3:~# wbinfo --group-info="Domain Users"
SAMDOM\domain users:x:100:
root@dc3:~# getent group Domain\ Users
SAMDOM\domain users:x:100:
root@dc3:~# net cache flush
root@dc3:~# wbinfo --group-info="Domain Users"
SAMDOM\domain users:x:10000:
root@dc3:~# getent group Domain\ Users
SAMDOM\domain users:x:10000:
AGGGHHHH, why does it do this ????
It wasn't a bug introduced with 4.7.0, the 2nd DC is running 4.6.2
Is anybody running an earlier version that exhibits this problem ??
Rowland
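
An added example, not part of the original thread and not Samba project code: a shell check for the symptom shown above, where `wbinfo -G` returns the same SID for two different GIDs. The function names and the third sample row are constructed for illustration; only the `wbinfo -G` call is taken from the thread.

```shell
#!/bin/sh
# Added example: flag SIDs that winbind resolves from more than one GID.
# Function names are illustrative; `wbinfo -G` is the call from the thread.

# collect_gid_map GID...: print "GID SID" for each GID winbind resolves.
collect_gid_map() {
    for gid in "$@"; do
        if sid=$(wbinfo -G "$gid" 2>/dev/null); then
            printf '%s %s\n' "$gid" "$sid"
        fi
    done
}

# find_ambiguous_sids: read "GID SID" lines on stdin and print
# "SID gid1,gid2,..." for every SID reached from more than one GID.
find_ambiguous_sids() {
    awk 'NF == 2 {
             key = $2 SUBSEP $1
             if (key in seen) next          # ignore repeated observations
             seen[key] = 1
             gids[$2] = (count[$2]++ ? gids[$2] "," $1 : $1)
         }
         END { for (sid in count) if (count[sid] > 1) print sid, gids[sid] }' |
        sort
}

# sample_map: the two mappings reported in the thread, plus one
# constructed row (GID 10001, RID 512) so an unambiguous SID is present.
sample_map() {
    cat <<'EOF'
100 S-1-5-21-2934682428-2610421433-476865461-513
10000 S-1-5-21-2934682428-2610421433-476865461-513
10001 S-1-5-21-2934682428-2610421433-476865461-512
EOF
}

# Demo on the sample data. On a live member server or DC:
#   collect_gid_map 100 10000 | find_ambiguous_sids
sample_map | find_ambiguous_sids
```

Any SID printed is reachable from more than one GID, which is the condition the `wbinfo -G 100` and `wbinfo -G 10000` output above shows.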