[Samba] Sysvol permission issue - how to repair permanently?

Rowland penny rpenny at samba.org
Mon Apr 5 12:12:26 UTC 2021

On 05/04/2021 12:55, Stefan Bellon via samba wrote:
> On Sun, 04 Apr, Stefan Bellon via samba wrote:
>> Then I'll try it tomorrow or the day after. Thanks a lot so far!
> Ok, sadly, removing "idmap_ldb:use rfc2307 = yes" did not help.
> I dug a bit deeper ... let's try whether I understood the problem right:
> root at dc1:~# ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=100)'
> # record 1
> dn: CN=S-1-5-21-37643267-2172530850-1818422998-513
> cn: S-1-5-21-37643267-2172530850-1818422998-513
> objectClass: sidMap
> objectSid: S-1-5-21-37643267-2172530850-1818422998-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-37643267-2172530850-1818422998-513

That is correct.

> root at dc1:~# wbinfo --sid-to-name=S-1-5-21-37643267-2172530850-1818422998-513
> DS\Domain Users 2

Again that is correct.

> root at dc1:~# grep :100: /etc/group
> users:x:100:

Again that is correct.

> root at dc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=developers)' cn gidNumber
> # record 1
> dn: CN=developers,CN=Users,DC=xxx
> cn: developers
> gidNumber: 100

And that is one of your problems, you have two groups in AD that map to 
the Unix ID '100'.

> So, SID S-1-5-21-37643267-2172530850-1818422998-513 is "Domain Users"
> and has the xidNumber 100 attribute attached (via idmap.ldb).
> On the other hand, AD group "developers" also maps to gidNumber 100
> (via sam.ldb).
> And this is the conflict here?

Oh yes, that is a conflict if there ever was one.

> If that is a correct understanding ... wouldn't one of the following
> two ways help to remove the conflict?
> 1) I could remove the attribute gidNumber from our AD group "developers"
> (via sam.ldb). The individual users would still have the gidNumber
> attribute set to 100 and nslcd would assign those users gid 100 and
> group "users" on the Linux side while in AD the group "developers"
> would not be connected to GID 100 any more?

You would also have to run 'net cache flush', but that would get 
everything back to where it should be; anything belonging to 
'developers' would probably belong to 'users' after the change.

> 2) Or, a second way to break the conflict: Change (via idmap.ldb) the
> xidNumber of "Domain Users" from 100 to something like 3000100?

That would fix it on the AD side, but developers would be mapped to the 
Unix group 'users'. I would prefer option 1.
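The conflict Stefan traced by hand above can be checked for mechanically. The POSIX shell script below is an added example, not part of the thread and not Samba's own tooling: it parses the LDIF that ldbsearch prints from idmap.ldb and sam.ldb, reports every Unix GID that is claimed by both databases, and emits the LDIF that ldbmodify needs for either of the two fixes discussed in the reply. The sample dumps embedded in the script are constructed for the example (the Domain Users SID is the one from the thread; the DC=example,DC=com DNs, the extra records and the group names other than "developers" are made up), and the function names and file names are assumptions of the example, not anything Samba ships.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: find Unix GIDs claimed both
# by idmap.ldb (xidNumber on a sidMap record) and by sam.ldb (gidNumber on an
# AD group), and emit the LDIF for the two fixes discussed in the reply.
set -eu

# ldif_gids ATTR FILE: print "number<TAB>dn" for every record in an ldbsearch
# LDIF dump that carries ATTR. For idmap.ldb records only ID_TYPE_GID and
# ID_TYPE_BOTH entries occupy the Unix group id space; sam.ldb group records
# have no "type" attribute and are always kept.
ldif_gids() {
  awk -v attr="$1" '
    function emit() {
      if (dn != "" && val != "" &&
          (type == "" || type == "ID_TYPE_GID" || type == "ID_TYPE_BOTH"))
        print val "\t" dn
      dn = ""; val = ""; type = ""
    }
    BEGIN         { want = attr ":"; dn = ""; val = ""; type = "" }
    /^dn: /       { emit(); dn = substr($0, 5); next }
    $1 == want    { val = $2; next }
    $1 == "type:" { type = $2; next }
    END           { emit() }
  ' "$2"
}

# find_gid_collisions IDMAP_LDIF SAM_LDIF: print "gid<TAB>idmap dn<TAB>group dn"
# for every gid that appears in both dumps (nothing printed means no conflict).
find_gid_collisions() {
  work=$(mktemp -d)
  ldif_gids xidNumber "$1" > "$work/idmap.tsv"
  ldif_gids gidNumber "$2" > "$work/sam.tsv"
  awk -F '\t' '
    NR == FNR       { groupdn[$1] = $2; next }
    ($1 in groupdn) { print $1 "\t" $2 "\t" groupdn[$1] }
  ' "$work/sam.tsv" "$work/idmap.tsv"
  rm -rf "$work"
}

# Option 1 from the reply: delete gidNumber from the AD group (sam.ldb).
# Apply with: ldbmodify -H /var/lib/samba/private/sam.ldb < fix1.ldif
# and then run 'net cache flush'.
drop_gidnumber_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: gidNumber\n' "$1"
}

# Option 2 from the reply: move the idmap.ldb record to a free xidNumber.
# idmap.ldb is local to each DC (it is not replicated), so this must be
# applied on every DC: ldbmodify -H /var/lib/samba/private/idmap.ldb < fix2.ldif
move_xid_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' "$1" "$2"
}

# --- constructed sample dumps (SID -513 is the one from the thread; the DNs,
# the extra records and the example.com domain are made up for this example)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
IDMAP_SAMPLE="$SAMPLE_DIR/idmap.ldif"
SAM_SAMPLE="$SAMPLE_DIR/sam.ldif"
cat > "$IDMAP_SAMPLE" <<'EOF'
# record 1
dn: CN=S-1-5-21-37643267-2172530850-1818422998-513
objectClass: sidMap
type: ID_TYPE_GID
xidNumber: 100

# record 2
dn: CN=S-1-5-21-37643267-2172530850-1818422998-512
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 3 (a user mapping: a group with gidNumber 3000001 would NOT collide)
dn: CN=S-1-5-21-37643267-2172530850-1818422998-1104
type: ID_TYPE_UID
xidNumber: 3000001
EOF
cat > "$SAM_SAMPLE" <<'EOF'
dn: CN=developers,CN=Users,DC=example,DC=com
gidNumber: 100

dn: CN=webadmins,CN=Users,DC=example,DC=com
gidNumber: 3000001

dn: CN=ops,CN=Users,DC=example,DC=com
gidNumber: 10001
EOF

echo "GIDs claimed by both idmap.ldb and sam.ldb (gid, idmap dn, group dn):"
find_gid_collisions "$IDMAP_SAMPLE" "$SAM_SAMPLE"
echo
echo "LDIF for option 1 (feed to ldbmodify against sam.ldb):"
drop_gidnumber_ldif 'CN=developers,CN=Users,DC=example,DC=com'
```

On a real DC the two dumps come from `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' type xidNumber` and `ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=group)(gidNumber=*))' gidNumber`; the collision list for the thread's domain is then the single line for GID 100. Whichever fix is applied, finish with the `net cache flush` Rowland mentions, and remember that option 2 touches a per-DC database while option 1 touches replicated AD data.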

