[Samba] Odd default group behaviour.

Jeff Sadowski jeff.sadowski at gmail.com
Tue Mar 13 18:13:32 UTC 2018

My smb.conf file looks like so:

   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   # added because 4.6+ no longer understands winbind nss info = rfc2307
   idmap config MIND:unix_nss_info = yes
   # left because 4.5- don't understand idmap config MIND:unix_nss_info = yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
   kerberos method = secrets and keytab

ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
    -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=dstephenson)" \
    | grep -ie gidnumber -e uidnumber

uidNumber: 11772
gidNumber: 9013

as it should

getent group amayerg


as it should


id dstephenson


uid=11772(dstephenson) gid=8513(domain users) groups=8513(domain
The gid should be the one from AD, 9013.


getent passwd dstephenson


Again, 8513 should be 9013.
In Windows ADUC, the UNIX Attributes tab shows the correct group, amayerg,
as the primary group.

I created the following script in the past to clear out cache

<== start of script
#!/bin/bash
# Re-run under sudo when not root, then stop; the root copy does the work.
if [[ $EUID -ne 0 ]]; then
 echo "This script must be run as root"
 echo "If prompted type your sudo password"
 sudo "$0" "$@"
 exit $?
fi

# is SERVICE start|stop  ("if service"): act only on services this host knows
function is() {
 if [ "$(service "$1" status 2>&1 | grep -e "unrecognized service" -e "could not be found")" = "" ]; then
  if [ "$2" = "stop" ]; then
   echo "Stopping $1"
  fi
  if [ "$2" = "start" ]; then
   echo "Starting $1"
  fi
  service "$1" "$2"
 fi
}

# stop whichever of the RHEL-style (smb/nmb) or Debian-style (smbd/nmbd) units exist
is winbind stop
is smb stop
is smbd stop
is nmb stop
is nmbd stop

# drop winbind/gencache state and the local group mapping so everything is re-resolved
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/cache/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1

is nmbd start
is nmb start
is smbd start
is smb start
is winbind start
<== end of script

I ran it to try and clear out any caching I could, but I still get the same
results.

What could be causing it to have a different gid than what is provided by AD?
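A check that pairs naturally with the cache-flush script above, added here as an example that is not part of the original post and not Samba's own tooling: take the LDIF that the ldapsearch in the post returns and the output of `getent passwd`, and report every user whose NSS primary gid differs from the gidNumber stored in AD, so the comparison covers the whole domain instead of one account at a time. Both inputs below are constructed samples (the names, uid/gid values and DNs are illustrative; only the dstephenson 9013-versus-8513 discrepancy mirrors the post) so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba: compare the
# gidNumber AD publishes for each user with the primary gid that NSS/winbind
# actually hands out, for a whole list of users at once.
#
# Inputs (both constructed samples here so the check runs offline):
#   AD_LDIF    - what "ldapsearch -LLL -o ldif-wrap=no ..." returns, trimmed to
#                the attributes that matter. Real output lists attributes in
#                server order, so the parser keys on the "dn:" line rather
#                than assuming sAMAccountName comes before gidNumber.
#   NSS_PASSWD - "getent passwd" output with "winbind use default domain = yes".
# The uid/gid values are illustrative; only the dstephenson mismatch
# (AD says 9013, NSS says 8513) mirrors the post.

AD_LDIF='dn: CN=dstephenson,OU=Users,DC=mind,DC=unm,DC=edu
uidNumber: 11772
gidNumber: 9013
sAMAccountName: dstephenson

dn: CN=jsadowski,OU=Users,DC=mind,DC=unm,DC=edu
sAMAccountName: jsadowski
uidNumber: 11001
gidNumber: 9013
'

NSS_PASSWD='dstephenson:*:11772:8513:D Stephenson:/home/MIND/dstephenson:/bin/bash
jsadowski:*:11001:9013:J Sadowski:/home/MIND/jsadowski:/bin/bash
'

# check_primary_gid LDIF PASSWD
#   Prints "<user> ad_gid=<n> nss_gid=<m>" for every user whose NSS primary
#   gid differs from AD's gidNumber. Exit 0 if everything matches, 1 otherwise.
#   Users present in only one of the two inputs are ignored.
check_primary_gid() {
  printf '%s\n--END-OF-LDIF--\n%s\n' "$1" "$2" | awk '
    $0 == "--END-OF-LDIF--" {
      # LDIF section done: fold the per-entry arrays into a name -> gid map
      for (i = 1; i <= n; i++) if (i in name && i in gid) ad_gid[name[i]] = gid[i]
      mode = "passwd"; next
    }
    mode != "passwd" {
      # LDIF section: every "dn:" line starts a new entry; record its name and gid
      if ($1 == "dn:") { n++ }
      else if ($1 == "sAMAccountName:") { name[n] = tolower($2) }
      else if ($1 == "gidNumber:") { gid[n] = $2 }
      next
    }
    $0 != "" {
      # passwd section: field 4 is the primary gid NSS returned
      split($0, f, ":"); u = tolower(f[1])
      if (u in ad_gid && ad_gid[u] != f[4]) {
        printf "%s ad_gid=%s nss_gid=%s\n", u, ad_gid[u], f[4]; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Stand-alone run over the constructed samples (prints the dstephenson line).
check_primary_gid "$AD_LDIF" "$NSS_PASSWD" || echo "primary gid mismatch found"
```

Against a live member server, call it as `check_primary_gid "$(ldapsearch ... -o ldif-wrap=no '(uidNumber=*)')" "$(getent passwd)"`; because it exits non-zero on any mismatch, it can run right after the cache flush to confirm whether the flush changed anything. One caveat worth checking when the output looks like the post's: the idmap_ad backend documents a separate option, `idmap config MIND:unix_primary_group = yes` (idmap_ad(8), Samba 4.6 and later), which tells winbind to take the user's primary group from the gidNumber attribute instead of from primaryGroupID; `unix_nss_info = yes` alone does not control that choice.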
