[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC

Rowland penny rpenny at samba.org
Wed Jun 5 08:06:52 UTC 2019


On 05/06/2019 08:32, Łukasz Michalski via samba wrote:
> Hi List,
>
> I am trying to setup samba PDC and samba file server for a small 
> organization.
No you are not, you are setting up a Samba AD DC, a PDC is something 
entirely different.
> I followed guidelines on samba wiki and Arch Linux wiki.
>
> I have two servers (10.21.0.2 PDC and 10.21.0.1 (file server) both 
> with samba 4.10.6 installed.
> I joined 10.21.0.1 as domain member and decided to use idmap_ad 
> backend and store uid and gid numbers on PDC.
The operative word there is 'store'
>
> Now I have problems with id mapping configuration:
>
> wbinfo -u works.
> wbinfo -g works.
> getent group does not list domain users and groups.
>
> I logged into PDC and checked gidNumber for "Domain Users":
>
> [root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
> S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)
Nope, that is the 'SID-RID'
>
> [root at site-ad ~]# wbinfo --sid-to-gid 
> S-1-5-21-4155694911-3186826046-1573605777-513
> 985 (same as 'users' unix gid on host)
Where did the '985' come from?
>
>
> And the same check for "Domain Admins":
> [root at site-ad ~]# wbinfo --sid-to-gid 
> S-1-5-21-4155694911-3186826046-1573605777-512
> 3000004
Oh good, 'Domain Admins' doesn't have a gidNumber attribute.
>
> My file server configuration:
> ----------------------
> [global]
> security = ADS
> workgroup = EXAMPLE
> realm = SITE.EXAMPLE.PL
>
> bind interfaces only = yes
> interfaces = lo eno2 vboxnet0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind enum users = yes
> winbind enum groups = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the EXAMPLE domain
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 10000-999999
> idmap config EXAMPLE:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
> ---------------------------
>
Absolutely nothing wrong with that smb.conf ;-)
> Wiki says that an uid and gid Number must be in the EXAMPLE:range, 
> which I set to 10000-999999
> I checked all groups and besides "Domain Members" all of them have the 
> gidNumber > 3000000

Where did you check?

In 'idmap.ldb' or 'sam.ldb' ?

>
> Should I use ldbedit and change all mappings to fit inside my 
> EXAMPLE:range?
It all depends on what and where you are planning to do your changes.
>
> It looks like default gidNumbers after a domain provisioning are "by 
> design" set to be
> outside idmap domain range. Why?

I more and more think you are looking inside 'idmap.ldb' and mistaking 
'xidNumber' attributes for 'uidNumber' & 'gidNumber' attributes.

Rowland


>
> Thanks in advance for explanations,
> Łukasz
>
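One way to check what Rowland is asking about, as an added example that is not part of this thread: run `ldbsearch` against `sam.ldb` on the DC (not `idmap.ldb`, whose `xidNumber` values are unrelated to the member's `idmap config EXAMPLE:range`), then classify every group as having a `gidNumber` inside the configured range, outside it, or missing entirely (a group without `gidNumber` cannot be mapped by `idmap_ad` and so never appears in `getent group`). The LDIF below is a constructed sample standing in for real `ldbsearch` output; the `sam.ldb` path varies by distribution.

```python
# Constructed sample output of (path is distribution dependent):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' sAMAccountName gidNumber
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=site,DC=example,DC=pl
sAMAccountName: Domain Users
gidNumber: 985

# record 2
dn: CN=Domain Admins,CN=Users,DC=site,DC=example,DC=pl
sAMAccountName: Domain Admins

# record 3
dn: CN=fileshare,CN=Users,DC=site,DC=example,DC=pl
sAMAccountName: fileshare
gidNumber: 10005

# returned 3 records
"""

# idmap config EXAMPLE:range from the member's smb.conf in the thread
IDMAP_RANGE = (10000, 999999)


def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF record (comments and blank lines separate records)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        records.append(current)
    return records


def audit_groups(ldif_text, id_range=IDMAP_RANGE):
    """Map each group name to 'ok', 'out_of_range' or 'missing' (no gidNumber, so idmap_ad skips it)."""
    low, high = id_range
    result = {}
    for rec in parse_ldif(ldif_text):
        name = rec.get("sAMAccountName")
        if name is None:
            continue
        gid = rec.get("gidNumber")
        if gid is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if low <= int(gid) <= high else "out_of_range"
    return result
```

Any group reported as `missing` or `out_of_range` needs its `gidNumber` set (for example with `samba-tool group edit` or `ldbedit`) to a value inside the member's range before `idmap_ad` will resolve it.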