[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC

Łukasz Michalski lm at zork.pl
Wed Jun 5 09:04:36 UTC 2019 

On 6/5/19 10:06 AM, Rowland penny via samba wrote:
>>
>> Now I have problems with id mapping configuration:
>>
>> wbinfo -u works.
>> wbinfo -g works.
>> getent group does not list domain users and groups.
>>
>> I logged into PDC and checked gidNumber for "Domain Users":
>>
>> [root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
>> S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)
> Nope, that is the 'SID-RID'
>>
>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
>> 985 (same as 'users' unix gid on host)
> where did the '985' come from ?

I think from there:

[root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
cn: S-1-5-21-4155694911-3186826046-1573605777-513
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985
distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513

[root at site-ad ~]# ldbsearch -H /var/lib/samba/private/sam.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513 |grep gidNumber
(returns nothing)

>>
>> And the same check for "Domain Admins":
>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-512
>> 3000004
> Oh good, 'Domain Admins' doesn't have a gidNumber attribute.
>>
>>
> Absolutely nothing wrong with that smb.conf ;-)
>> Wiki says that an uid and gid Number must be in the EXAMPLE:range, which I set to 10000-999999
>> I checked all groups and besides "Domain Members" all of them have the gidNumber > 3000000
> 
> Where did you check ?
> 
> In 'idmap.ldb' or 'sam.ldb' ?
> 
> 
> I more and more think you are looking inside 'idmap.ldb' and mistaking 'xidNumber' attributes for 'uidNumber' & 'gidNumber' attributes.
> 

Yes, that is the case.

I added gidNumber: 10000 to sam.ldb and now I see "Domain Users" group on member:

[root at universe ~]# getent group |grep EXAMPLE
EXAMPLE\domain users:x:10000:

Should I leave xidNumber set to 985 in idmap.ldb?

Should I add gidNumber to all groups listed by wbinfo -g?

Many thanks for your help,
Łukasz

More information about the samba mailing list