[Samba] Domain admins group missing from domain member

Rowland penny rpenny at samba.org
Sun Dec 13 12:54:48 UTC 2020

On 13/12/2020 12:28, Carlos Jesus wrote:
> Sorry, my bad.
> Those lines are in fact in smb.conf of both DC's and DM's. I removed 
> them after test #3 to see if winbind was properly detecting things and 
> forgot to add them back.
> So, with those lines back in (and after a smbcontrol all reload-config),
> on a DM I get:
> getent group|grep "domain users" gives domain users:x:10001: as expected
> getent group|grep "domain admins" comes out blank
> On a DC
> getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
> getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:
All that the 'winbind enum' lines do, is to allow 'getent' to print all 
users & groups. This isn't really a problem in a small domain, but in a 
large domain, it can grind everything to a crawl. However, you don't 
need the the lines because, without the lines, 'getent group groupname' 
with produce the same out as 'getent group | grep groupname'
> as for the gidNumber vs xidnumber, there are multiple discussions on 
> the mailing list about this and even the wiki advices against it 
> (https://wiki.samba.org/index.php/Sysvolreset 
> <https://wiki.samba.org/index.php/Sysvolreset> for example)
I know, I am usually the one advising about it and who do you think 
added the info to the wiki ?
> so I didn't use the gidNumber for Domain Admins.
> Could this be the reason?
Yes, unless a Windows user has a uidNumber, or a Windows group has a 
gidNumber, they are unknown to Unix, I suggest you read this for more 
information about why giving Domain Admins a gidNumber is a bad idea:



More information about the samba mailing list