[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC

Rowland penny rpenny at samba.org
Wed Jun 5 09:26:57 UTC 2019


On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>
>>>
>>> [root at site-ad ~]# wbinfo --sid-to-gid 
>>> S-1-5-21-4155694911-3186826046-1573605777-513
>>> 985 (same as 'users' unix gid on host)
>> where did the '985' come from ?
>
> I think from there:
>
> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb 
> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
> # record 1
> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
> cn: S-1-5-21-4155694911-3186826046-1573605777-513
> objectClass: sidMap
> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
> type: ID_TYPE_GID
> xidNumber: 985
> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513

An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'

Who changed the 'xidNumber' value from a number in the '3000000' range 
to '985' and why ?

>
> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/sam.ldb 
> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513 |grep gidNumber
> (returns nothing)
Then it does not have a 'gidNumber' attribute and you will not get any 
AD users on the Unix domain member.
>
>
> Yes, that is the case.
Well, stop, use 'sam.ldb'
>
>
> I added gidNumber: 10000 to sam.ldb and now I see "Domain Users" group 
> on member:
>
> [root at universe ~]# getent group |grep EXAMPLE
> EXAMPLE\domain users:x:10000:
Just need to add 'uidNumber' attributes to your users now.
>
> Should I leave xidNumber set to 985 in idmap.ldb?

You can ignore it, Domain Users will now be using '10000', even on the DC.

>
> Should I add gidNumber to all groups listed by wbinfo -g?
No, just as and when you find one that you need to use on Unix, most are 
just Windows groups.

Rowland
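The checks Rowland walks through above (is there a gidNumber on the group in sam.ldb, and where did a low xidNumber in idmap.ldb come from) can be done over saved ldbsearch output without touching the DC. The following is an added example, not part of the thread and not Samba's own code: it parses LDIF-style ldbsearch output, lists groups that lack a gidNumber, flags idmap.ldb entries whose xidNumber sits below the 3000000 range the DC allocates from, and emits the LDIF one would feed to ldbmodify to add a gidNumber. The two sample outputs are constructed to match the shape of the records in the thread; the domain name, the "Unix Admins" group, its RID and the xidNumber 3000021 are made up.

```python
"""Audit ldbsearch output from sam.ldb / idmap.ldb for missing gidNumbers.

Added example for the thread above; not Samba's code. Input is the text
that 'ldbsearch -H <db> <filter>' prints (LDIF records separated by blank
lines, comment lines starting with '#').
"""
import base64
import re

# Constructed sample: what ldbsearch against sam.ldb might print for two groups.
SAMPLE_SAM_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
gidNumber: 10000

# record 2
dn: CN=Unix Admins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Unix Admins
objectSid: S-1-5-21-4155694911-3186826046-1573605777-1105

# returned 2 records
# 2 entries
# 0 referrals
"""

# Constructed sample: the matching idmap.ldb records (the -513 one mirrors the thread).
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
cn: S-1-5-21-4155694911-3186826046-1573605777-513
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985

# record 2
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-1105
cn: S-1-5-21-4155694911-3186826046-1573605777-1105
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-1105
type: ID_TYPE_GID
xidNumber: 3000021
"""

# Start of the range the DC hands out xidNumbers from (see Rowland's remark above).
DEFAULT_XID_BASE = 3000000

# attr: value   or   attr:: base64value
LDIF_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of records, each a dict attribute -> list of values.
    Comment lines are skipped, a blank line ends a record, and a line that
    starts with a space continues the previous value."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        m = LDIF_LINE.match(raw)
        if not m:
            continue  # not an attribute line; ignore
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records


def groups_without_gidnumber(sam_records):
    """DNs of groups that have no gidNumber and therefore will not appear in
    'getent group' on a Unix domain member using the ad idmap backend."""
    return [r["dn"][0] for r in sam_records
            if "group" in r.get("objectClass", []) and "gidNumber" not in r]


def xids_outside_default_range(idmap_records, base=DEFAULT_XID_BASE):
    """objectSid -> xidNumber for idmap.ldb entries below the DC's allocation
    range; such values were set by hand and may collide with local ids."""
    return {r["objectSid"][0]: int(r["xidNumber"][0])
            for r in idmap_records
            if "xidNumber" in r and int(r["xidNumber"][0]) < base}


def next_free_gid(sam_records, start=10000):
    """Lowest gid >= start not already used as a gidNumber in the records."""
    used = {int(v) for r in sam_records for v in r.get("gidNumber", [])}
    gid = start
    while gid in used:
        gid += 1
    return gid


def gidnumber_modify_ldif(dn, gid):
    """LDIF adding a gidNumber to one group, for 'ldbmodify -H .../sam.ldb'."""
    return f"dn: {dn}\nchangetype: modify\nadd: gidNumber\ngidNumber: {gid}\n"


def audit(sam_text, idmap_text, start_gid=10000):
    """Combine the checks: missing gidNumbers, low xidNumbers, proposed fixes."""
    sam, idmap = parse_ldif(sam_text), parse_ldif(idmap_text)
    missing = groups_without_gidnumber(sam)
    gid, fixes = next_free_gid(sam, start_gid), []
    for dn in missing:
        fixes.append(gidnumber_modify_ldif(dn, gid))
        gid += 1
    return {"missing": missing, "low_xids": xids_outside_default_range(idmap), "fixes": fixes}


if __name__ == "__main__":
    report = audit(SAMPLE_SAM_LDIF, SAMPLE_IDMAP_LDIF)
    print("groups without gidNumber:", report["missing"])
    print("xidNumbers below", DEFAULT_XID_BASE, ":", report["low_xids"])
    print("\n".join(report["fixes"]))
```

Run it against real output by piping `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)'` and the idmap.ldb query into files and passing their contents to `audit()`; the generated LDIF is only a proposal, and the gid it picks should be checked against /etc/group on the members before applying it.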