[Samba] wbinfo -r reports strange gids on AD member
Christian
chanlists at googlemail.com
Tue Jan 21 20:02:37 UTC 2020
Hi Rowland and Louis,
>
>> Dear list,
>>
>> on a unix domain member, I get
>>
>> root@member:~# wbinfo -r some_user
>> 10513
>> 10020
>> 10018
>> 10517
>> 10206
>> 10220
>> 3001
>>
>> However, GID 3001 does not exist in our AD...
>
> Well, no it wouldn't, it is being mapped with this:
>
> idmap config * : range = 3000 - 7999
>
> It is one of the Well Known Sids
>
>> On the other hand, GID
>> 10559 (corresponding to some_group) appears to be missing from the list.
>> Also, getent group some_group reports some_user as member. On other
>> domain members, no issue, just two of them. This is debian buster with
>> Louis's 4.10.11 packages.
> This could be just down to the users not having logged in.
>> The winbindd related parts of smb.conf are:
> Please don't post what you think is relevant, post the entire smb.conf
> ;-)
>>
>> winbind expand groups = 2
>> security = ADS
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind nss info = ad
> The 'winbind nss info' isn't used any more and it doesn't have a value
> 'ad'.
OK. Removed that.
>> winbind refresh tickets = yes
>> kerberos method = system keytab
>> idmap config * : backend = tdb
>> idmap config * : range = 3000 - 7999
>> idmap config XXX:backend = ad
>> idmap config XXX:schema_mode = rfc2307
>> idmap config XXX:range = 10000 - 999999
>> idmap config XXX:unix_nss_info = yes
>> idmap config XXX:unix_primary_group = yes
>> username map = /etc/samba/user.map
wbinfo -G 3001
S-1-5-32-545
That is "users", confirming the theory. Why would it do that?
> What is in the 'user.map' ?
!root = XXX\Administrator
Entire smb.conf (except for share definitions):
[global]
bind interfaces only = Yes
interfaces = lo eth0
realm = XXX.XXXX
workgroup = XXX
netbios aliases = printserv
hosts allow = XXX/24
wins server = XXX.XXX.XXX.XXX
winbind expand groups = 2
security = ADS
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
kerberos method = system keytab
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config XXX:backend = ad
idmap config XXX:schema_mode = rfc2307
idmap config XXX:range = 10000 - 999999
idmap config XXX:unix_nss_info = yes
idmap config XXX:unix_primary_group = yes
map acl inherit = yes
store dos attributes = yes
vfs objects = acl_xattr
username map = /etc/samba/user.map
load printers = yes
printing = cups
printcap name = cups
Thanks,
Christian
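
Added example, not part of the original message or of Samba: a small Python check that attributes each GID printed by `wbinfo -r` to the `idmap config` range that contains it. It shows that 3001 comes from the `*` (tdb) range and not from the `XXX` (ad) range. The function names are hypothetical, and the sample inputs are copied from the lines quoted in this thread.

```python
import re

# Sample input: the idmap lines from the smb.conf posted in this thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config XXX:backend = ad
idmap config XXX:schema_mode = rfc2307
idmap config XXX:range = 10000 - 999999
"""

# Sample input: the wbinfo -r output quoted in this thread.
WBINFO_R = "10513\n10020\n10018\n10517\n10206\n10220\n3001\n"

# Matches "idmap config DOMAIN : option = value" with optional spacing.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip smb.conf comments
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-"))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = value
    return domains

def classify(gid, domains):
    """Return (domain, backend) for the range containing gid, or None."""
    for domain, cfg in domains.items():
        low, high = cfg.get("range", (1, 0))  # empty range if none configured
        if low <= gid <= high:
            return domain, cfg.get("backend")
    return None

def report(wbinfo_text, conf_text):
    """Map every GID in wbinfo -r output to its idmap domain and backend."""
    domains = parse_idmap(conf_text)
    return {int(g): classify(int(g), domains) for g in wbinfo_text.split()}
```

A GID that classifies as `None` lies outside every configured range and is worth checking against the AD gidNumber attributes and the configured ranges.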