[Samba] Domain admins group missing from domain member

Carlos Jesus camjesus2 at gmail.com
Sun Dec 13 12:28:44 UTC 2020


Sorry, my bad.
Those lines are in fact in smb.conf of both DC's and DM's. I removed them
after test #3 to see if winbind was properly detecting things and forgot to
add them back.

So, with those lines back in (and after a smbcontrol all reload-config),
on a DM I get:
getent group|grep "domain users" gives domain users:x:10001: as expected
getent group|grep "domain admins" comes out blank
On a DC
getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:

as for the gidNumber vs xidnumber, there are multiple discussions on the
mailing list about this and even the wiki advices against it (
https://wiki.samba.org/index.php/Sysvolreset for example) so I didn't use
the gidNumber for Domain Admins. Could this be the reason?

Best regards,

Carlos


Rowland penny via samba <samba at lists.samba.org> escreveu no dia domingo,
13/12/2020 à(s) 10:02:

> On 13/12/2020 02:09, Carlos Jesus via samba wrote:
> > Hi all,
> > I'm having a strange issue with one of my samba domains that I hope you
> can
> > help with.
> > Simply put, getent group|grep "domain admins" returns (as expected)
> domain
> > admins:x:3000061:on both my DC's , but comes out empty on both linux
> domain
> > members.
>
> Not sure why that worked, it shouldn't because you don't have 'winbind
> enum groups = yes' in your DC's smb.conf
>
> Also you are using the 'ad' backend on the Unix domain member and
> '3000061' isn't a gidNumber, it is an xidNumber and only used on DC's.
> This actually is a good thing, because if you do give Domain Admins a
> gidNumber, it just becomes a group and cannot own files and folders in
> sysvol.
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


More information about the samba mailing list