[Samba] wbinfo -r reports strange gids on AD member

Rowland penny rpenny at samba.org
Tue Jan 21 20:23:00 UTC 2020


On 21/01/2020 20:02, Christian via samba wrote:
> Hi Rowland and Louis,
>
>>> Dear list,
>>>
>>> on a unix domain member, I get
>>>
>>> root at member:~# wbinfo -r some_user
>>> 10513
>>> 10020
>>> 10018
>>> 10517
>>> 10206
>>> 10220
>>> 3001
>>>
>>> However, GID 3001 does not exist in our AD...
>> Well, no it wouldn't, it is being mapped with this:
>>
>> idmap config * : range = 3000 - 7999
>>
>> It is one of the Well Known Sids
>>
>>>    On the other hand, GID
>>> 10559 (corresponding to some_group) appears to be missing from the list.
>>> Also, getent group some_group reports some_user as member. On other
>>> domain members, no issue, just two of them. This is debian buster with
>>> Louis's 4.10.11 packages.
>> This could be just down to the users not having logged in.
>>> The winbindd related parts of smb.conf are:
>> Please don't post what you think is relevant, post the entire smb.conf
>> ;-)
>>>           winbind expand groups = 2
>>>           security = ADS
>>>           winbind enum users = yes
>>>           winbind enum groups = yes
>>>           winbind use default domain = yes
>>>           winbind nss info = ad
>> The 'winbind nss info' isn't used any more and it doesn't have a value
>> 'ad'.
> OK. Removed that.
>>>           winbind refresh tickets = yes
>>>           kerberos method = system keytab
>>>           idmap config * : backend = tdb
>>>           idmap config * : range = 3000 - 7999
>>>           idmap config XXX:backend = ad
>>>           idmap config XXX:schema_mode = rfc2307
>>>           idmap config XXX:range = 10000 - 999999
>>>           idmap config XXX:unix_nss_info = yes
>>>           idmap config XXX:unix_primary_group = yes
>>>           username map = /etc/samba/user.map
> wbinfo -G 3001
> S-1-5-32-545
>
> That is "users", confirming the theory. Why would it do that?

Because it is supposed to ;-)

The '*' domain is meant for the Well Known Sids and anything outside the 
main domain, so anything that cannot be mapped gets an ID in the range 
set in smb.conf (in your case 3000 - 7999).

>
>> What is in the 'user.map' ?
> !root = XXX\Administrator
Good.
> Entire smb.conf (except for share definitions):
>
> [global]
>          bind interfaces only = Yes
>          interfaces = lo eth0
>          realm = XXX.XXXX
>          workgroup = XXX
>          netbios aliases = printserv
>          hosts allow = XXX/24
Is the 'XXX' above the same 'XXX' as in the workgroup line ?
>          wins server = XXX.XXX.XXX.XXX
Sorry, but you do not use wins with AD.
>          winbind expand groups = 2
>          security = ADS
>          winbind enum users = yes
>          winbind enum groups = yes
You only need the 'winbind enum' lines to get 'getent passwd' & 'getent 
group' to display all users and groups; they can also slow things down, so I 
would remove them.

Unless you are having problems with folders and files getting the wrong 
ownership, I wouldn't worry about the supposedly strange gids.

Rowland
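As an added illustration of the range logic Rowland describes (this is not code from the thread or from Samba): a small Python helper that parses the idmap ranges out of a constructed smb.conf built from the one quoted above and reports which idmap domain owns each ID that `wbinfo -r` printed, so 3001 is shown as coming from the '*' (default tdb) range rather than as an AD GID. The names parse_idmap_ranges, classify_ids and check_ranges_disjoint are hypothetical.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000 - 7999
    idmap config XXX:backend = ad
    idmap config XXX:schema_mode = rfc2307
    idmap config XXX:range = 10000 - 999999
"""

# Constructed sample: the `wbinfo -r some_user` output quoted in the thread.
WBINFO_R = "10513\n10020\n10018\n10517\n10206\n10220\n3001\n"

# Matches `idmap config <DOMAIN> : range = LOW - HIGH`; the domain may be '*'.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf: str) -> dict:
    """Return {domain: (low, high)} for every idmap range in smb.conf."""
    return {m["dom"]: (int(m["lo"]), int(m["hi"])) for m in RANGE_RE.finditer(conf)}


def classify_ids(wbinfo_output: str, ranges: dict) -> dict:
    """Map each ID printed by wbinfo to the idmap domain whose range holds it.
    IDs inside the '*' range were allocated by the default backend (tdb here)
    for Well Known SIDs such as BUILTIN\\Users (S-1-5-32-545) or for SIDs from
    outside the main domain; an ID in no configured range is 'UNMAPPED'."""
    result = {}
    for token in wbinfo_output.split():
        gid = int(token)
        result[gid] = next(
            (dom for dom, (lo, hi) in ranges.items() if lo <= gid <= hi), "UNMAPPED"
        )
    return result


def check_ranges_disjoint(ranges: dict) -> bool:
    """True when no two idmap ranges overlap; overlaps cause wrong ownership."""
    spans = sorted(ranges.values())
    return all(a[1] < b[0] for a, b in zip(spans, spans[1:]))


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for gid, owner in classify_ids(WBINFO_R, ranges).items():
        print(f"{gid:>7}  {owner}")
```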