[Samba] Domain Users group with multiple gid

Clemente Aguiar ca-mlsamba at arditi.pt
Sun Apr 8 13:44:30 UTC 2018


At 13:51 on 08-04-2018, Rowland Penny wrote:
> On Sun, 8 Apr 2018 13:22:28 +0100
> Clemente Aguiar via samba <samba at lists.samba.org> wrote:
>
>> The samba was created by Zentyal system (http://www.zentyal.org).
>>
>> Here is smb.conf:
>>
>> [global]
>>       workgroup = arditi
>>       realm = ARDITI.PT
>>       netbios name = hera
>>       server string = Zentyal Server
>>       server role = dc
>>       server role check:inhibit = yes
>>       server services = -dns
>>       server signing = auto
>>       dsdb:schema update allowed = yes
>>       ldap server require strong auth = no
>>       drs:max object sync = 1200
>>
>>       idmap_ldb:use rfc2307 = yes
>>
>>       winbind enum users = yes
>>       winbind enum groups = yes
>>       template shell = /bin/bash
>>       template homedir = /home/%U
>>
>>       interfaces = lo,eth0
>>       bind interfaces only = yes
>>
>>       map to guest = Bad User
>>
>>       log level = 3
>>       log file = /var/log/samba/samba.log
>>       max log size = 100000
>>
>>       include = /etc/samba/shares.conf
>>
>> [netlogon]
>>       path = /var/lib/samba/sysvol/arditi.pt/scripts
>>       browseable = no
>>       read only = yes
>>
>> [sysvol]
>>       path = /var/lib/samba/sysvol
>>       read only = no
> It is running as an AD DC and the IDs you showed are not in the
> '3000000' range, so this means one of two things, either idmap.ldb has
> been messed with (not recommended) or the users and groups have been
> given uidNumber and gidNumber attributes (with very low numbers, again
> not recommended).
> I think it is more likely to be the latter and if so, there is a bug for
> this: https://bugzilla.samba.org/show_bug.cgi?id=13054#
>
> Rowland
Rowland,

Thank you for the quick answer.

The thing is that this Zentyal server is a few years old and has been 
through a few upgrades.
In the beginning Zentyal was based on Samba3 + OpenLDAP (if I am not 
mistaken), and eventually changed to Samba4.
The new users and groups have IDs in the '3000000' range, but old users 
and groups have IDs in the '2000' range.
So I think the low IDs are remnants of the old version which were kept 
even though the system was upgraded. And I think that the double gID for 
users is also related to remnants of the old system and the successive 
upgrades.

1)

You mentioned that uidNumber and gidNumber attributes with very low 
numbers are not recommended.
Is there anything I can do about that at this point in time?

2)

I looked at the bug you sent and the behaviour is similar.

If I run:

# net cache flush

all seems "correct" (gID 2513 is shown),

# wbinfo --group-info="domain users"
ARDITI\domain users:x:2513:

but if I do any query with the gID 1901, such as:

# wbinfo --gid-info 1901
ARDITI\domain users:x:1901:

then I get the following:

# wbinfo --group-info="domain users"
ARDITI\domain users:x:1901:

Can I fix this "permanently", i.e. get rid of the second gID (1901)?

Thanks
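
The check sequence in the message above, turned into a small audit over captured wbinfo output. This is an added example, not part of the original post: the transcript is constructed from the lines quoted in the message, the function names are hypothetical, and the 3000000 threshold is an assumption taken from the thread's description of IDs an AD DC allocates itself.

```python
import re
from collections import defaultdict

# Assumption: lowest ID in the '3000000' range the thread describes for an AD DC.
AUTO_ID_START = 3000000

# Constructed transcript, assembled from the commands and replies quoted above.
SAMPLE = """\
# net cache flush
# wbinfo --group-info="domain users"
ARDITI\\domain users:x:2513:
# wbinfo --gid-info 1901
ARDITI\\domain users:x:1901:
# wbinfo --group-info="domain users"
ARDITI\\domain users:x:1901:
"""

# wbinfo prints groups in /etc/group style: name:passwd:gid:members
GROUP_LINE = re.compile(r"^(?P<name>[^:]+):[^:]*:(?P<gid>\d+):(?P<members>.*)$")

def parse_transcript(text):
    """Yield (command, group_name, gid) for every group line in the transcript."""
    command = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):           # shell prompt line: remember the command
            command = line.lstrip("# ").strip()
            continue
        m = GROUP_LINE.match(line)
        if m:                              # group names compare case-insensitively
            yield command, m.group("name").lower(), int(m.group("gid"))

def audit(text):
    """Map each group to the gids seen for it, in order of first appearance."""
    seen = defaultdict(list)
    for _cmd, name, gid in parse_transcript(text):
        if gid not in seen[name]:
            seen[name].append(gid)
    return {
        name: {
            "gids": gids,
            "conflict": len(gids) > 1,     # same group answered with different gids
            "below_auto_range": [g for g in gids if g < AUTO_ID_START],
        }
        for name, gids in seen.items()
    }

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result)
```

A group flagged with `conflict` is one where files owned by either gid resolve to the same name, so ownership and ACL checks on the member server or DC should be reviewed against both numbers.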