[Samba] Domain member server: user access

Rowland Penny rpenny at samba.org
Tue Sep 26 14:48:00 UTC 2017

On Tue, 26 Sep 2017 16:22:12 +0200
L.P.H. van Belle <belle at bazuin.nl> wrote:

> Read this and add it to the bug list. 
> ( as of the part "I can confirm that" ) 
> > Using ADUC i've noted that 'Domain Users' have no GID 
> > assigned, so seems that some samba ''internal'' logic assign 
> > GID 100 'by default'.
> This might be a clue to the fix. 

Don't think so ;-)

There are 'uidNumber' & 'gidNumber' attributes, Windows knows about
these, what it doesn't know about are 'xidNumber' attributes. You will
only find these in idmap.ldb on a Samba AD DC. By default Domain Users
is given the 'xidNumber' 100 in idmap.ldb, hence why Windows knows
nothing about it and why should Windows know about it, it is a Samba AD
DC Unix ID.

What I think is happening is this:

'wbinfo -G 100' is run, The '100' is mapped to the SID-RID of Domain
Users by idmap from idmap.ldb
The result is placed into the winbind cache, replacing anything for
Domain Users that is already there.
The command 'getent group Domain\ Users' is run and the cache is
consulted, returning the '100' found there.
'net cache flush' is run and the command 'getent group Domain\ Users'
is run again, there is nothing in the cache, so AD is consulted and the
correct result is returned.

Remember that the cache has a limited lifetime and as long as 'wbinfo
-G 100' isn't run, the 100 should never get into the cache.


More information about the samba mailing list