[Samba] Odd default group behaviour.

Jeff Sadowski jeff.sadowski at gmail.com
Tue Mar 13 18:13:32 UTC 2018


My smb.conf file looks like so

[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   # added because 4.6+ no longer understands winbind nss info = rfc2307
   idmap config MIND:unix_nss_info = yes
   # left because 4.5- don’t understand idmap config MIND:unix_nss_info = yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
   kerberos method = secrets and keytab

ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=dstephenson)" | grep -ie gidnumber -e uidnumber

returns

uidNumber: 11772
gidNumber: 9013
as it should

getent group amayerg

returns

amayerg:x:9013:
as it should

but

id dstephenson

returns

uid=11772(dstephenson) gid=8513(domain users) groups=8513(domain users),9013(amayerg),9033(sfeldsteing),9201(sharp_07295),9022(vcalhoung),8000(staff),9921(cnssage_secure),8004(research)
the gid should be the one from AD 9013

and

getent passwd dstephenson

returns

dstephenson:*:11772:8513::/na/homes/dstephenson:/bin/bash
again 8513 should be 9013
In Windows ADUC, the UNIX Attributes tab shows the correct group amayerg as the primary group.

I created the following script in the past to clear out cache

<== start of script
#!/bin/bash
# Re-run under sudo when not already root.
if [[ $EUID -ne 0 ]]; then
 echo "This script must be run as root"
 echo "If prompted type your sudo password"
 sudo "$0"
 exit
fi

# is <service> <start|stop>: run the action only if that service exists,
# since the unit names differ between distributions (smb/nmb vs smbd/nmbd).
function is()
{
 if [ "$(service "$1" status 2>&1 | grep -e "unrecognized service" -e "could not be found")" = "" ]; then
  if [ "$2" = "stop" ]; then
   echo "Stopping $1"
  fi
  if [ "$2" = "start" ]; then
   echo "Starting $1"
  fi
  service "$1" "$2"
 fi
}

is winbind stop
is smb stop
is smbd stop
is nmb stop
is nmbd stop

# Flush winbind's cache and remove the tdb databases (including the idmap
# allocations kept in /var/lib/samba/*.tdb) and the local group mapping.
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/cache/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1

is nmbd start
is nmb start
is smbd start
is smb start
is winbind start
<== end of script

I ran it to try and clear out any caching I could
but I still get the same results.

What could be causing it to have a different gid than what is provided by AD?
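The comparison the post does by hand (ldapsearch against getent passwd) as a script that checks any number of accounts and flags the ones whose primary gid disagrees with AD. This is an added example, not the poster's script; the DC URI, base DN and bind user are assumed to be the ones from the ldapsearch above, and the sample LDIF and passwd line are constructed to match the output shown.

```shell
#!/bin/bash
# Added example (not from the original post): report accounts whose NSS
# primary gid, the value winbind hands to getent/id, differs from the
# gidNumber stored in AD. DC, base DN and bind user are assumed to be the
# ones from the ldapsearch command above.
DC_URI="ldap://dc1.mind.unm.edu.:389"
BASE_DN="dc=mind,dc=unm,dc=edu"
BIND_USER="jsadowski"
# Print the value of one LDIF attribute (name matched case-insensitively)
# read from stdin; prints nothing if the attribute is absent.
ldif_attr() {
 awk -v want="$1" '{ k = $1; sub(/:$/, "", k)
  if (tolower(k) == tolower(want)) { print $2; exit } }'
}

# Print the gid field of a passwd(5) line passed as $1.
passwd_gid() {
 printf '%s\n' "$1" | cut -d: -f4
}

# gid_check <ldif text> <passwd line>: prints a verdict and returns 0 when
# the gids agree, 1 when they differ, 2 when AD holds no gidNumber.
gid_check() {
 local ad_gid nss_gid
 ad_gid=$(printf '%s\n' "$1" | ldif_attr gidNumber)
 nss_gid=$(passwd_gid "$2")
 if [ -z "$ad_gid" ]; then
  echo "NO-GIDNUMBER: AD holds no rfc2307 gidNumber, NSS gid $nss_gid"
  return 2
 elif [ "$ad_gid" = "$nss_gid" ]; then
  echo "OK: AD gidNumber $ad_gid matches NSS gid $nss_gid"
  return 0
 fi
 echo "MISMATCH: AD gidNumber $ad_gid, NSS gid $nss_gid"
 return 1
}

# Live check of one account (needs a Kerberos ticket, as -Q above does).
check_user() {
 local ldif pw
 ldif=$(ldapsearch -H "$DC_URI" -U "$BIND_USER" -Q -LLL -b "$BASE_DN" \
  -o ldif-wrap=no "(sAMAccountName=$1)" uidNumber gidNumber) || return 2
 pw=$(getent passwd "$1") || { echo "UNKNOWN: $1 is not in NSS"; return 2; }
 gid_check "$ldif" "$pw"
}
# Constructed sample reproducing the post: AD says 9013, getent says 8513.
SAMPLE_LDIF=$(printf 'dn: CN=dstephenson,dc=mind,dc=unm,dc=edu\nuidNumber: 11772\ngidNumber: 9013\n')
SAMPLE_PW='dstephenson:*:11772:8513::/na/homes/dstephenson:/bin/bash'
for u in "$@"; do printf '%s: ' "$u"; check_user "$u"; done
```

A MISMATCH for every account that does carry a gidNumber points at winbind deriving the primary gid from the Windows primaryGroupID (Domain Users) rather than from the rfc2307 attribute; the idmap_ad backend only uses gidNumber for the primary group when `idmap config MIND:unix_primary_group = yes` is set.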
