[Samba] wbinfo -r reports strange gids on AD member

Christian chanlists at googlemail.com
Tue Jan 21 20:02:37 UTC 2020


Hi Rowland and Louis,

>
>> Dear list,
>>
>> on a unix domain member, I get
>>
>> root at member:~# wbinfo -r some_user
>> 10513
>> 10020
>> 10018
>> 10517
>> 10206
>> 10220
>> 3001
>>
>> However, GID 3001 does not exist in our AD...
>
> Well, no it wouldn't, it is being mapped with this:
>
> idmap config * : range = 3000 - 7999
>
> It is one of the Well Known Sids
>
>>   On the other hand, GID
>> 10559 (corresponding to some_group) appears to be missing from the list.
>> Also, getent group some_group reports some_user as member. On other
>> domain members, no issue, just two of them. This is debian buster with
>> Louis's 4.10.11 packages.
> This could be just down to the users not having logged in.
>> The winbindd related parts of smb.conf are:
> Please don't post what you think is relevant, post the entire smb.conf
> ;-)
>>
>>          winbind expand groups = 2
>>          security = ADS
>>          winbind enum users = yes
>>          winbind enum groups = yes
>>          winbind use default domain = yes
>>          winbind nss info = ad
> The 'winbind nss info' isn't used any more and it doesn't have a value
> 'ad'.
OK. Removed that.
>>          winbind refresh tickets = yes
>>          kerberos method = system keytab
>>          idmap config * : backend = tdb
>>          idmap config * : range = 3000 - 7999
>>          idmap config XXX:backend = ad
>>          idmap config XXX:schema_mode = rfc2307
>>          idmap config XXX:range = 10000 - 999999
>>          idmap config XXX:unix_nss_info = yes
>>          idmap config XXX:unix_primary_group = yes
>>          username map = /etc/samba/user.map

wbinfo -G 3001
S-1-5-32-545

That is "users", confirming the theory. Why would it do that?

> What is in the 'user.map' ?

!root = XXX\Administrator

Entire smb.conf (except for share definitions):

[global]
        bind interfaces only = Yes
        interfaces = lo eth0
        realm = XXX.XXXX
        workgroup = XXX
        netbios aliases = printserv
        hosts allow = XXX/24
        wins server = XXX.XXX.XXX.XXX
        winbind expand groups = 2
        security = ADS
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind refresh tickets = yes
        kerberos method = system keytab
        idmap config * : backend = tdb
        idmap config * : range = 3000 - 7999
        idmap config XXX:backend = ad
        idmap config XXX:schema_mode = rfc2307
        idmap config XXX:range = 10000 - 999999
        idmap config XXX:unix_nss_info = yes
        idmap config XXX:unix_primary_group = yes
        map acl inherit = yes
        store dos attributes = yes
        vfs objects = acl_xattr
        username map = /etc/samba/user.map
        load printers = yes
        printing = cups
        printcap name = cups

Thanks,

Christian



