[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
Rowland Penny
rpenny at samba.org
Wed Jun 5 09:26:57 UTC 2019
On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>
>>>
>>> [root at site-ad ~]# wbinfo --sid-to-gid
>>> S-1-5-21-4155694911-3186826046-1573605777-513
>>> 985 (same as 'users' unix gid on host)
>> where did the '985' come from ?
>
> I think from there:
>
> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb
> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
> # record 1
> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
> cn: S-1-5-21-4155694911-3186826046-1573605777-513
> objectClass: sidMap
> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
> type: ID_TYPE_GID
> xidNumber: 985
> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513
An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'
Who changed the 'xidNumber' value from a number in the '3000000' range
to '985' and why?
>
> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513 |grep gidNumber
> (returns nothing)
Then it does not have a 'gidNumber' attribute and you will not get any
AD users on the Unix domain member.
>
>
> Yes, that is the case.
Well, stop, use 'sam.ldb'
>
>
> I added gidNumber: 10000 to sam.ldb and now I see "Domain Users" group
> on member:
>
> [root at universe ~]# getent group |grep EXAMPLE
> EXAMPLE\domain users:x:10000:
Just need to add 'uidNumber' attributes to your users now.
>
> Should I leave xidNumber set to 985 in idmap.ldb?
You can ignore it, Domain Users will now be using '10000', even on the DC.
>
> Should I add gidNumber to all groups listed by wbinfo -g?
No, just as and when you find one that you need to use on Unix, most are
just Windows groups.
Rowland
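
Added example (not part of the original thread and not Samba project code): Python that parses `ldbsearch` output saved from `idmap.ldb` and `sam.ldb` and lists SID mappings whose xidNumber is below 3000000 and groups that have no gidNumber, the two conditions discussed in the message above. The sample records, the `example.com` DNs and the function names are constructed for illustration.

```python
XID_FLOOR = 3000000  # the xidNumber range named in the reply above

# Constructed ldbsearch-style samples (not real directory data).
IDMAP_SAMPLE = """# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985
"""
SAM_SAMPLE = """dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Admins
"""

def parse_ldif(text):
    """Parse ldbsearch output into a list of {lowercased attr: [values]}."""
    records, cur, last = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if line.startswith("#"):               # "# record N" / "# returned ..." lines
            continue
        if not line.strip():                   # blank line ends a record
            if cur:
                records.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:    # folded continuation line
            cur[last][-1] += line[1:]
        else:
            attr, _, val = line.partition(":")
            last = attr.strip().lower()
            # "attr:: x" (base64) values are kept encoded, only the marker is dropped
            cur.setdefault(last, []).append(val.lstrip(":").strip())
    return records

def audit(idmap_text, sam_text):
    """Return (low_xids, groups_without_gid) for manual review."""
    low = [(r["objectsid"][0], int(r["xidnumber"][0]))
           for r in parse_ldif(idmap_text)
           if "objectsid" in r and int(r["xidnumber"][0]) < XID_FLOOR]
    no_gid = [r["samaccountname"][0] for r in parse_ldif(sam_text)
              if "group" in [c.lower() for c in r.get("objectclass", [])]
              and "gidnumber" not in r]
    return low, no_gid
```

The second list is a review list rather than a to-do list: as the reply says, only groups that are needed on Unix get a gidNumber.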