[Samba] Domain admins group missing from domain member

Carlos Jesus camjesus2 at gmail.com
Sun Dec 13 13:39:28 UTC 2020


Ok,
Then, this is expected behaviour and all is well.

thanks for your time, and all the help.

Best regards,
Carlos

Rowland penny via samba <samba at lists.samba.org> wrote on Sunday,
13/12/2020 at 12:55:

> On 13/12/2020 12:28, Carlos Jesus wrote:
> > Sorry, my bad.
> > Those lines are in fact in smb.conf of both DC's and DM's. I removed
> > them after test #3 to see if winbind was properly detecting things and
> > forgot to add them back.
> >
> > So, with those lines back in (and after a smbcontrol all reload-config),
> > on a DM I get:
> > getent group|grep "domain users" gives domain users:x:10001: as expected
> > getent group|grep "domain admins" comes out blank
> > On a DC
> > getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
> > getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:
> All that the 'winbind enum' lines do, is to allow 'getent' to print all
> users & groups. This isn't really a problem in a small domain, but in a
> large domain, it can grind everything to a crawl. However, you don't
> need the lines because, without the lines, 'getent group groupname'
> will produce the same output as 'getent group | grep groupname'.
> >
> > As for the gidNumber vs xidNumber, there are multiple discussions on
> > the mailing list about this and even the wiki advises against it
> > (https://wiki.samba.org/index.php/Sysvolreset for example)
> I know, I am usually the one advising about it and who do you think
> added the info to the wiki?
> > so I didn't use the gidNumber for Domain Admins.
> Good
> > Could this be the reason?
> >
> Yes, unless a Windows user has a uidNumber, or a Windows group has a
> gidNumber, they are unknown to Unix. I suggest you read this for more
> information about why giving Domain Admins a gidNumber is a bad idea:
>
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> Rowland
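
An offline check for the point made in the quoted reply, added here as an example and not part of either poster's message: it reads an LDIF export of the domain's group objects and reports which groups carry a gidNumber, which do not (and so are unknown to Unix on a domain member, as the thread describes), and whether Domain Admins has been given one. The LDIF sample, its DNs, the "Unix Admins" group and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not taken from the thread); the last record uses
# a folded DN and a base64-encoded value to exercise both LDIF features.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10001

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Admins

dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,
 DC=com
sAMAccountName:: VW5peCBBZG1pbnM=
gidNumber: 10002
"""

def parse_ldif(text):
    """Return one dict per record; attribute names lower-cased, last value wins."""
    records, current, logical = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):       # drop LDIF comment lines
            logical.append(raw)
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[attr.strip().lower()] = value.strip()
    return records

def audit_groups(records, never_map=("domain admins",)):
    """Sort group names by whether they have a gidNumber and whether they should."""
    report = {"has_gid": [], "unknown_to_unix": [], "mapped_but_advised_against": []}
    for rec in records:
        name = rec.get("samaccountname", rec.get("dn", "?"))
        if "gidnumber" not in rec:
            key = "unknown_to_unix"
        elif name.lower() in never_map:
            key = "mapped_but_advised_against"
        else:
            key = "has_gid"
        report[key].append(name)
    return report
```

With the sample above, Domain Admins lands in `unknown_to_unix`, which matches the blank `getent` result on the domain member that the thread concludes is expected behaviour.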

