[Samba] Domain admins group missing from domain member

Rowland penny rpenny at samba.org
Sun Dec 13 12:54:48 UTC 2020


On 13/12/2020 12:28, Carlos Jesus wrote:
> Sorry, my bad.
> Those lines are in fact in smb.conf of both DC's and DM's. I removed 
> them after test #3 to see if winbind was properly detecting things and 
> forgot to add them back.
>
> So, with those lines back in (and after a smbcontrol all reload-config),
> on a DM I get:
> getent group|grep "domain users" gives domain users:x:10001: as expected
> getent group|grep "domain admins" comes out blank
> On a DC
> getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
> getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:
All that the 'winbind enum' lines do is allow 'getent' to print all 
users & groups. This isn't really a problem in a small domain, but in a 
large domain, it can grind everything to a crawl. However, you don't 
need the lines because, without the lines, 'getent group groupname' 
will produce the same output as 'getent group | grep groupname'.
>
> as for the gidNumber vs xidNumber, there are multiple discussions on 
> the mailing list about this and even the wiki advises against it 
> (https://wiki.samba.org/index.php/Sysvolreset for example)
I know, I am usually the one advising about it and who do you think 
added the info to the wiki?
> so I didn't use the gidNumber for Domain Admins.
Good
> Could this be the reason?
>
Yes. Unless a Windows user has a uidNumber, or a Windows group has a 
gidNumber, they are unknown to Unix. I suggest you read this for more 
information about why giving Domain Admins a gidNumber is a bad idea:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

Rowland
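The lookup chain Rowland describes (AD group -> SID -> Unix gid -> NSS) can be checked on a domain member in one go. The script below is an added example for this thread, not Samba's own tooling: the live path assumes `wbinfo`, `getent` and `testparm` are on PATH and that winbind is running; the helper functions `gid_from_getent`, `enum_on` and `verdict` are pure and run offline. The group name must be given in the form the host resolves it (with the `SAMDOM\` prefix unless `winbind use default domain` is set, as it evidently is on the member above).

```shell
#!/bin/sh
# Added diagnostic for "group missing from domain member" (example code,
# not part of Samba).  Walks the same path winbind uses to make an AD group
# visible to Unix and reports where it breaks.  Assumes wbinfo, getent and
# testparm exist on the host; the live path only runs when a group name is
# passed on the command line, so the helpers can be exercised without Samba.

# gid_from_getent LINE : print the numeric gid field of a getent(1) group
# line such as 'SAMDOM\domain admins:x:3000061:'.  Fails on an empty line,
# i.e. when NSS does not know the group at all.
gid_from_getent() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | cut -d: -f3
}

# enum_on VALUE : true if a 'winbind enum groups' setting is enabled.  It
# only affects listing every group; a lookup by name works either way.
enum_on() {
    case "$1" in
        [Yy]es|[Tt]rue|1) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict SID GID NSSLINE : classify the three lookup results.
verdict() {
    if [ -z "$1" ]; then
        echo "unknown-in-AD"     # winbind cannot resolve the name to a SID
    elif [ -z "$2" ]; then
        echo "no-unix-id"        # AD knows the group, idmap gives it no gid
    elif [ -z "$3" ]; then
        echo "not-in-nss"        # winbind has a gid but nsswitch does not
    else
        echo "ok"
    fi
}

# live_check GROUP : run the real lookups and print a short report.
# Returns non-zero unless the group is fully visible to Unix.
live_check() {
    group="$1"
    sid=$(wbinfo --name-to-sid="$group" 2>/dev/null | cut -d' ' -f1)
    gid=""
    if [ -n "$sid" ]; then
        gid=$(wbinfo --sid-to-gid="$sid" 2>/dev/null)
    fi
    nss=$(getent group "$group" 2>/dev/null)
    enum=$(testparm -s --parameter-name='winbind enum groups' 2>/dev/null)

    printf 'group:   %s\nsid:     %s\ngid:     %s\ngetent:  %s\n' \
        "$group" "${sid:-<none>}" "${gid:-<none>}" "${nss:-<none>}"
    if enum_on "$enum"; then
        echo "note:    'winbind enum groups' is on; it only affects listing, not this lookup"
    fi
    v=$(verdict "$sid" "$gid" "$nss")
    echo "verdict: $v"
    [ "$v" = ok ]
}

# Usage: sh check_group.sh 'SAMDOM\domain admins'
if [ "$#" -gt 0 ]; then
    live_check "$1"
fi
```

On the member in the thread, `Domain Users` (which has a gidNumber) should report `ok`, while `Domain Admins` (deliberately left without one) should stop at `no-unix-id`: `wbinfo --name-to-sid` succeeds because the group exists in AD, but `wbinfo --sid-to-gid` fails under the `ad` idmap backend, and `getent` prints nothing. That is the expected state, not a fault to fix with a gidNumber.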
