[Samba] Domain member server: user access

Rowland Penny rpenny at samba.org
Tue Sep 26 14:05:22 UTC 2017


On Tue, 26 Sep 2017 15:32:13 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
> >
> > > Ok, I did read somewhere that
> > > Samba uses S-1-22-1 for users and S-1-22-2 for groups.
> > 
> > Any idea where ?
> Yes, 
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
> (Unmapped users are now assigned a SID in the S-1-22-1 domain and
> unmapped groups are assigned a SID in the S-1-22-2 domain)
> https://www.samba.org/samba/history/samba-3.0.23c.html

I feel I am going to have to ask some questions about this, because
clearly neither 'S-1-22-1' nor 'S-1-22-2' is a domain. Unless the '*'
domain's SID is '1-2-22' ??

> 
> And... To make it even more confusing..
> 
> Now.. I have the same results again. 
> So,.. Domain users is mapped to GID 100, if you set GID yourself (my
> setup backend AD), and it uses the default 10000 from start of my
> setup. ( about 2-3 years ago ) 
> 
> wbinfo -G 100
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> wbinfo -G 10000
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
> 
> So why am I seeing 100 here and not 10000.
> I know for 100% sure this was 10000
> So I did run : net cache flush again.
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000
> 
> And it's back to normal again. Wowhoo.
>
> Maybe it's wise to always run : net cache flush
> After a samba upgrade, Thoughts ?
>
> ... Ok, now I ssh just to my DC2.
> To make it even stranger, on exact same server as DC1.
> 
> And the commands run. ( exactly ) 
> 
> ssh dc2
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000  
> 
> So looks good...  ( you think ) 
> 
> wbinfo -G 100  Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> wbinfo -G 10000  Still ok..
> S-1-5-21-2934682428-2610421433-476865461-513
> 
> Now the wbinfo again ....  
> 
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:100
> 
> And HUH... 100 ??  But it was 10000.
> Now, if this isn't a bug I don't know.
> 
> And now : 
> net cache flush
> wbinfo --group-info="Domain Users"
> NTDOM\domain users:x:10000  
> 
> And it's back to normal, but I'm questioning ... For how long....
>
> So IMHO, very inconsistent results.
> 
> So any more thoughts about this? 

Yes, if I run the commands on my 2nd DC, I get this:

root at dc3:~# wbinfo -G 100
S-1-5-21-1768301897-3342589593-1064908849-513
root at dc3:~# wbinfo -G 10000
S-1-5-21-1768301897-3342589593-1064908849-513
root at dc3:~# wbinfo --group-info="Domain Users"
SAMDOM\domain users:x:100:
root at dc3:~# getent group Domain\ Users
SAMDOM\domain users:x:100:
root at dc3:~# net cache flush
root at dc3:~# wbinfo --group-info="Domain Users"
SAMDOM\domain users:x:10000:
root at dc3:~# getent group Domain\ Users
SAMDOM\domain users:x:10000:

AGGGHHHH, why does it do this ????
It wasn't a bug introduced with 4.7.0, the 2nd DC is running 4.6.2

Is anybody running an earlier version that exhibits this problem ??
 
Rowland
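
An added example, not part of the original thread: a small check for the symptom shown above, where two GIDs resolve to the same SID while `wbinfo --group-info` reports only one of them. It can be run before and after `net cache flush` to record whether the mapping changed. The `WBINFO` override and the function names are assumptions made for this sketch; the `wbinfo` options used are `--group-info`, `--name-to-sid`, `--sid-to-gid` and `--gid-to-sid`.

```shell
#!/bin/sh
# Added example, not from the thread. WBINFO and the function names are
# hypothetical; set WBINFO to a stub to exercise the logic without winbindd.
WBINFO="${WBINFO:-wbinfo}"

# Print the GID field (third colon-separated field) of `wbinfo --group-info`.
gid_of_group() {
    "$WBINFO" --group-info="$1" | awk -F: 'NR == 1 { print $3 }'
}

# check_group_mapping NAME [GID...]
# Returns 0 if name -> SID -> GID round-trips and none of the extra GIDs
# resolves to the same SID, 1 on any inconsistency, 2 if lookups fail.
check_group_mapping() {
    name=$1
    shift
    gid=$(gid_of_group "$name") || gid=""
    sid=$("$WBINFO" --name-to-sid="$name" | awk 'NR == 1 { print $1 }') || sid=""
    if [ -z "$gid" ] || [ -z "$sid" ]; then
        echo "ERROR: cannot resolve '$name'" >&2
        return 2
    fi
    status=0
    # The GID winbindd reports for the SID must match the group-info GID.
    back=$("$WBINFO" --sid-to-gid="$sid") || back=""
    if [ "$back" != "$gid" ]; then
        echo "MISMATCH: group-info gid=$gid, sid-to-gid=${back:-none}"
        status=1
    fi
    # Any other GID that resolves to the same SID is a second mapping.
    for g in "$@"; do
        if [ "$g" != "$gid" ]; then
            other=$("$WBINFO" --gid-to-sid="$g" 2>/dev/null) || other=""
            if [ "$other" = "$sid" ]; then
                echo "AMBIGUOUS: gid $g also maps to $sid (group-info says $gid)"
                status=1
            fi
        fi
    done
    return "$status"
}

# Query the live winbindd only when a group name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_group_mapping "$@"
fi
```

Saved as a script (the file name is up to you), it would be called with the group name followed by the GIDs to probe, for example `"Domain Users" 100 10000`.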


