[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
lm at zork.pl
Wed Jun 5 07:32:00 UTC 2019
I am trying to set up a samba PDC and a samba file server for a small organization.
I followed the guidelines on the Samba wiki and the Arch Linux wiki.
I have two servers (10.21.0.2, the PDC, and 10.21.0.1, the file server), both with samba 4.10.6 installed.
I joined 10.21.0.1 as a domain member and decided to use the idmap_ad backend and store uid and gid numbers on the PDC.
Now I have problems with id mapping configuration:
wbinfo -u works.
wbinfo -g works.
getent group does not list domain users and groups.
I logged into the PDC and checked the gidNumber for "Domain Users":
[root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)
[root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
985 (same as 'users' unix gid on host)
And the same check for "Domain Admins":
[root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-512
My file server configuration:
security = ADS
workgroup = EXAMPLE
realm = SITE.EXAMPLE.PL
bind interfaces only = yes
interfaces = lo eno2 vboxnet0
log file = /var/log/samba/%m.log
log level = 1
winbind enum users = yes
winbind enum groups = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the EXAMPLE domain
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
idmap config EXAMPLE:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
The wiki says that the uidNumber and gidNumber must be in the EXAMPLE:range, which I set to 10000-999999.
I checked all groups and, besides "Domain Members", all of them have a gidNumber > 3000000.
Should I use ldbedit and change all mappings to fit inside my EXAMPLE:range?
It looks like the default gidNumbers after domain provisioning are "by design" set to be outside the idmap domain range. Why?
Thanks in advance for explanations,
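An added check for the situation described in this post (example code written for this thread, not part of the original post or of Samba itself): it parses the idmap config lines from the file server's smb.conf, verifies that the default (*) range does not overlap the EXAMPLE range, and flags every group whose gidNumber falls outside the range of the domain that uses the ad backend. The gidNumber values in GROUPS are constructed sample data standing in for what ldbsearch would return from the PDC, not the poster's real numbers.

```python
import re

# Constructed sample: the idmap lines as they appear in the poster's smb.conf.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
"""

# Constructed sample gidNumbers (not real PDC output): one below the
# EXAMPLE range, one above it (the > 3000000 case), one that fits.
GROUPS = {"Domain Users": 985, "Domain Admins": 3000001, "Staff": 10005}

# Matches "idmap config <domain> : <option> = <value>" with optional spaces around ':'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every idmap config line."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text):
    """Turn 'LOW-HIGH' into (LOW, HIGH), rejecting an inverted range."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {text}")
    return lo, hi


def check_idmap(conf, groups):
    """Return a list of problems: overlapping ranges and gidNumbers outside the ad range."""
    cfg = parse_idmap(conf)
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    problems = []
    doms = list(ranges)
    for i, a in enumerate(doms):  # the wiki requires the ranges not to overlap
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"range overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    for dom, opts in cfg.items():  # ad backend: only gidNumbers inside the range resolve
        if opts.get("backend") == "ad" and dom in ranges:
            lo, hi = ranges[dom]
            for name, gid in groups.items():
                if not lo <= gid <= hi:
                    problems.append(f"{name}: gidNumber {gid} outside {dom} range {lo}-{hi}")
    return problems
```

Feed it the real gidNumbers from ldbsearch on the PDC and any group it reports is one that getent group will not show on the member server.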