[Samba] Domain Users group with multiple gid

Clemente Aguiar ca-mlsamba at arditi.pt
Sun Apr 8 20:20:14 UTC 2018


At 15:45 on 08-04-2018, Rowland Penny via samba wrote:
> On Sun, 8 Apr 2018 14:44:30 +0100
> Clemente Aguiar <ca-mlsamba at arditi.pt> wrote:
>
>> At 13:51 on 08-04-2018, Rowland Penny wrote:
>>> On Sun, 8 Apr 2018 13:22:28 +0100
>>> Clemente Aguiar via samba <samba at lists.samba.org> wrote:
>>>
>>>> The samba was created by Zentyal system (http://www.zentyal.org).
>>>>
>>>> Here is smb.conf:
>>>>
>>>> [global]
>>>>        workgroup = arditi
>>>>        realm = ARDITI.PT
>>>>        netbios name = hera
>>>>        server string = Zentyal Server
>>>>        server role = dc
>>>>        server role check:inhibit = yes
>>>>        server services = -dns
>>>>        server signing = auto
>>>>        dsdb:schema update allowed = yes
>>>>        ldap server require strong auth = no
>>>>        drs:max object sync = 1200
>>>>
>>>>        idmap_ldb:use rfc2307 = yes
>>>>
>>>>        winbind enum users = yes
>>>>        winbind enum groups = yes
>>>>        template shell = /bin/bash
>>>>        template homedir = /home/%U
>>>>
>>>>        interfaces = lo,eth0
>>>>        bind interfaces only = yes
>>>>
>>>>        map to guest = Bad User
>>>>
>>>>        log level = 3
>>>>        log file = /var/log/samba/samba.log
>>>>        max log size = 100000
>>>>
>>>>        include = /etc/samba/shares.conf
>>>>
>>>> [netlogon]
>>>>        path = /var/lib/samba/sysvol/arditi.pt/scripts
>>>>        browseable = no
>>>>        read only = yes
>>>>
>>>> [sysvol]
>>>>        path = /var/lib/samba/sysvol
>>>>        read only = no
>>> It is running as an AD DC and the IDs you showed are not in the
>>> '3000000' range, so this means one of two things, either idmap.ldb
>>> has been messed with (not recommended) or the users and groups have
>>> been given uidNumber and gidNumber attributes (with very low
>>> numbers, again not recommended).
>>> I think it is more likely to be the latter and if so, there is a bug
>>> for this: https://bugzilla.samba.org/show_bug.cgi?id=13054#
>>>
>>> Rowland
>> Rowland,
>>
>> Thank you for the quick answer.
>>
>> The thing is that this Zentyal server is a few years old and has been
>> through a few upgrades.
>> In the beginning Zentyal was based on Samba3 + OpenLDAP (if I am not
>> mistaken), and eventually changed to Samba4.
>> The new users and groups have IDs in the '3000000' range, but old
>> users and groups have IDs in the '2000' range.
>> So I think the low IDs are remnants of the old version which were
>> kept even though the system was upgraded. And I think that the double
>> GID for users is also related to remnants of the old system and the
>> successive upgrades.
>>
>> 1)
>>
>> You mentioned that uidNumber and gidNumber attributes with very low
>> numbers are not recommended.
>> Is there anything I can do about that at this point in time?
> It used to be thought that using such low numbers wasn't a problem, but
> time has shown otherwise ;-)
>
> The problem is that Linux uses numbers below 1000 for system users &
> groups and then starts local users & groups at 1000, there is then the
> problem of the BUILTIN users & groups and users & groups from outside
> the domain. You could add them after the range for the domain, but if
> the range chosen is too low, it could interfere with the domain range if
> this grows too large. So, the advice is to allow a range above 3000
> but below 10000 for the BUILTIN etc domain and then start the AD
> domain users & groups at 10000 (which is where Windows started them)
>
> Of course this only really comes into play if you have any Unix domain
> members. If nobody actually logs into the DC and you only store things
> in shares and access them from windows, you might as well stick to the
> xidNumbers in idmap.ldb (i.e. the 3000000 numbers)
>
> Whether you can do anything about this now, sort of depends on
> how many users you have and if you really want to fix it ;-)
>
> If you do want to fix it and only use windows (the zentyal DC is the
> only Unix machine) then just remove the uidNumber & gidNumber
> attributes, but you will need to fix file ownership.
>
Rowland,

I don't have that many users and I really want to fix it, and I don't 
have a problem with fixing file ownership.

You say "just remove the uidNumber & gidNumber attributes", does this 
mean that new IDs will be assigned automatically?

And most important, can you tell me exactly how to do this (remove the 
uidNumber & gidNumber attributes), i.e. what are the commands? I would 
really appreciate it.
Like I said in the initial post, I have little knowledge about Samba4.

Clemente
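As an added example (not part of the thread and not Zentyal's or Samba's own tooling), the following script shows one way to carry out what Rowland suggests: find every user and group in sam.ldb that still carries the old RFC2307 uidNumber/gidNumber attributes and produce an LDIF that deletes them, so that winbind falls back to the xidNumber allocation in idmap.ldb (the '3000000' range). Assumptions: the DC's sam.ldb is at the default path below, the ldb-tools package (ldbsearch, ldbmodify) is installed, and the script is run as root on the DC. The sample ldbsearch output in the test is constructed, not taken from this server.

```shell
#!/bin/sh
# Added example (not from the thread): strip uidNumber/gidNumber from AD
# objects on a Samba AD DC so they are mapped through idmap.ldb instead.
# Assumptions (hypothetical, adjust for your DC): sam.ldb is at the default
# path below and ldbsearch/ldbmodify from ldb-tools are installed.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# ldbsearch folds long attribute values onto continuation lines that start
# with a single space (LDIF style); join them back into one line so a long
# DN is not cut in half.
unfold_ldif() {
    awk '
        NR == 1 { buf = $0; next }
        /^ /    { buf = buf substr($0, 2); next }
                { print buf; buf = $0 }
        END     { if (NR > 0) print buf }
    '
}

# Turn ldbsearch output (dn:/uidNumber:/gidNumber: lines, blank line between
# entries, "# ..." comment lines) into "changetype: modify" records that
# delete only the attributes each entry actually carries.  ldbmodify rejects
# a "delete:" for an attribute that is not present, so a blanket delete of
# both would abort on the first group (which has no uidNumber).
rfc2307_removal_ldif() {
    unfold_ldif | awk '
        function flush() {
            if (dn != "" && (has_uid || has_gid)) {
                print "dn: " dn
                print "changetype: modify"
                if (has_uid) { print "delete: uidNumber"; print "-" }
                if (has_gid) { print "delete: gidNumber"; print "-" }
                print ""
            }
            dn = ""; has_uid = 0; has_gid = 0
        }
        /^dn: /        { flush(); dn = substr($0, 5) }
        /^uidNumber: / { has_uid = 1 }
        /^gidNumber: / { has_gid = 1 }
        /^$/           { flush() }
        END            { flush() }
    '
}

# Number of objects an LDIF on stdin would modify (for the dry-run summary).
count_ldif_records() {
    grep -c '^changetype: modify$' || true
}

# Users and groups that still carry RFC2307 ids.
find_rfc2307_entries() {
    ldbsearch -H "$SAM_LDB" \
        '(&(|(objectClass=user)(objectClass=group))(|(uidNumber=*)(gidNumber=*)))' \
        uidNumber gidNumber
}

case "${1:-}" in
    dry-run)
        # Review the LDIF (and plan the chown of existing share data) before
        # changing anything.
        find_rfc2307_entries | rfc2307_removal_ldif
        ;;
    apply)
        # Back up /var/lib/samba/private with samba stopped before this step;
        # there is no undo once the attributes are gone.
        find_rfc2307_entries | rfc2307_removal_ldif | ldbmodify -H "$SAM_LDB"
        ;;
esac
```

Run `sh fix-ids.sh dry-run` first and keep the output: it lists every object that will change, and the old uidNumber/gidNumber values are what you need when you chown files on the DC's shares afterwards (as Rowland notes, removing the attributes does not fix file ownership). After `apply`, clear winbind's cached mappings with `net cache flush` and check the new ids with `getent passwd <user>`.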
