[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC

Rowland penny rpenny at samba.org
Wed Jun 5 09:55:33 UTC 2019


On 05/06/2019 10:44, Łukasz Michalski via samba wrote:
> On 6/5/19 11:26 AM, Rowland penny via samba wrote:
>> On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>>>
>>>>>
>>>>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
>>>>> 985 (same as 'users' unix gid on host)
>>>> where did the '985' come from ?
>>>
>>> I think from there:
>>>
>>> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
>>> # record 1
>>> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>>> cn: S-1-5-21-4155694911-3186826046-1573605777-513
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
>>> type: ID_TYPE_GID
>>> xidNumber: 985
>>> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>>
>> An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'
>>
>> Who changed the 'xidNumber' value from a number in the '3000000' 
>> range to '985' and why ?
>>
>
> Dunno, I just ran:
>
> samba-tool domain provision --use-rfc2307 --interactive
>
> I did not touch ldap databases by hand afterwards.
>
> Regards,
> Łukasz
>
>
>
Someone did, because the xidNumber for Domain Users is set to '100' by 
default.

If you didn't change it, then change the root and Administrator 
passwords now, someone has access.

Rowland




