[Samba] Odd default group behaviour.
Jeff Sadowski
jeff.sadowski at gmail.com
Tue Mar 13 18:13:32 UTC 2018
My smb.conf file looks like so
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
# added because 4.6+ no longer understands winbind nss info = rfc2307
idmap config MIND:unix_nss_info = yes
# left because 4.5- don’t understand idmap config MIND:unix_nss_info = yes
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
kerberos method = secrets and keytab
ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
    -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=dstephenson)" \
    | grep -ie gidnumber -e uidnumber
returns
uidNumber: 11772
gidNumber: 9013
as it should
getent group amayerg
returns
amayerg:x:9013:
as it should
but
id dstephenson
returns
uid=11772(dstephenson) gid=8513(domain users) groups=8513(domain
users),9013(amayerg),9033(sfeldsteing),9201(sharp_07295),9022(vcalhoung),8000(staff),9921(cnssage_secure),8004(research)
the gid should be the one from AD 9013
and
getent passwd dstephenson
returns
dstephenson:*:11772:8513::/na/homes/dstephenson:/bin/bash
again 8513 should be 9013
In Windows ADUC, the UNIX Attributes tab shows the correct group amayerg as the primary group.
I created the following script in the past to clear out cache
<== start of script
#!/bin/bash
# Re-run under sudo if not already root.
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    echo "If prompted type your sudo password"
    sudo "$0"
    exit
fi

# is <service> <start|stop>: run the action only if the service exists,
# since the init script names differ between distributions.
function is()
{
    if [ "$(service "$1" status 2>&1 | grep -e "unrecognized service" -e "could not be found")" = "" ]; then
        if [ "$2" = "stop" ]; then
            echo "Stopping $1"
        fi
        if [ "$2" = "start" ]; then
            echo "Starting $1"
        fi
        service "$1" "$2"
    fi
}

# Stop winbind and smbd/nmbd (whichever names this system uses).
is winbind stop
is smb stop
is smbd stop
is nmb stop
is nmbd stop

# Flush the winbind cache and remove the tdb/ldb databases so the
# id mappings are rebuilt from scratch.
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/cache/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1

# Bring the services back in the original order.
is nmbd start
is nmb start
is smbd start
is smb start
is winbind start
<== end of script
I ran it to try and clear out any caching I could, but I still get the same results.
What could be causing it to have a different gid than what is provided by AD?
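As an added example that is not part of the post, a Python check of the discrepancy described above: it compares the gidNumber that ldapsearch returns with the primary gid that getent and id report, and looks in smb.conf for the idmap_ad parameter unix_primary_group (documented in idmap_ad(8)), which decides whether the primary gid comes from gidNumber or from primaryGroupID. The sample inputs are constructed from the values quoted in the message.

```python
import re
# Constructed sample inputs, taken from the values quoted in the post above.
LDIF = "uidNumber: 11772\ngidNumber: 9013\n"
PASSWD_LINE = "dstephenson:*:11772:8513::/na/homes/dstephenson:/bin/bash"
ID_OUTPUT = "uid=11772(dstephenson) gid=8513(domain users) groups=8513(domain users),9013(amayerg)"
SMB_CONF = """[global]
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:unix_nss_info = yes
"""

def ldif_attr(ldif, name):
    """Integer attribute from LDIF text; attribute names are case-insensitive."""
    m = re.search(rf"^{name}: (\d+)$", ldif, re.M | re.I)
    return int(m.group(1)) if m else None

def passwd_gid(line):
    """Primary gid is the fourth colon-separated field of a passwd entry."""
    return int(line.split(":")[3])

def id_gid(output):
    """Primary gid from 'id' output, the gid=NNN token."""
    m = re.search(r"\bgid=(\d+)", output)
    return int(m.group(1)) if m else None

def smbconf_get(conf, key):
    """Look up an smb.conf parameter; Samba ignores case and whitespace around
    ':' in parameter names, so both sides are normalised before comparing."""
    want = re.sub(r"\s+", "", key).lower()
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if re.sub(r"\s+", "", k).lower() == want:
            return v.strip()
    return None

def audit_primary_group(ldif, passwd_line, id_output, conf, domain):
    """Return findings where the resolved primary gid disagrees with AD gidNumber."""
    ad_gid = ldif_attr(ldif, "gidNumber")
    findings = []
    for source, gid in (("getent passwd", passwd_gid(passwd_line)), ("id", id_gid(id_output))):
        if gid != ad_gid:
            findings.append(f"{source}: gid {gid} != AD gidNumber {ad_gid}")
    # Per idmap_ad(8), unless unix_primary_group = yes the ad backend derives the
    # primary gid from primaryGroupID (Domain Users) instead of gidNumber.
    upg = (smbconf_get(conf, f"idmap config {domain}:unix_primary_group") or "no").lower()
    if smbconf_get(conf, f"idmap config {domain}:backend") == "ad" and upg != "yes":
        findings.append(f"idmap config {domain}:unix_primary_group is not set to yes")
    return findings
```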