[Samba] debian 10: errors with my server samba-ad

[Rowland Penny]

On Mon, 13 May 2019 13:51:40 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> net groupmap list ntgroup='Domain Users'
> Domain Users (S-1-5-21-2934682428-5134513513-42425326-513) ->
> NTDOM\domain users But i did assign a GID myself. ( GID 10000 )
> 
> I noticed this. 
> 
> wbinfo --group-info='Domain Users'
> NTDOM\domain users:x:10000:
> 
> wbinfo --gid-info 10000
> NTDOM\domain users:x:10000:
> 
> wbinfo --gid-info 100
> NTDOM\domain users:x:100:
> 
> So i have 2 GID for Domain users. 

If you open idmap.ldb, you will find this:

dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-513 
cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-513 
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-513 
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-513 

That is where the '100' comes from.

> 
> wbinfo --group-info='users'
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group users
> 
> I was expecting this : 
> wbinfo --group-info='BUILTIN\users'
> BUILTIN\users:x:3000009: 

Why ? 'users' is a Unix group.

> 
> In my opinion.. 
> 
> Linux Users = BUILTIN\Users 
> Domain users is member of BUILTIN\Users 
> And user =! "domain users" 

As I said 'users' is a Unix group and 'Users' is a Windows group.
Unix != Windows, so, in my opinion, you cannot equate a Unix group with
a Windows group.

> 
> So why are we mapping linux users into domain users. 
> That looks wrong to me. 

You aren't mapping Linux users to Domain Users, you are making Unix
domain users be members of the group 'Domain Users'
This lead to the 'idmap config' changes that now allow you to change a
Unix users primary group, the only problem is that it does not work if
you log into a Unix computer, it only works when connecting to a Samba
share.

Rowland