[Samba] wbinfo work getent passwd does

Rowland penny rpenny at samba.org
Wed Apr 21 16:51:10 UTC 2021


On 21/04/2021 17:30, basti via samba wrote:
>
>
> On 21.04.21 16:41, Rowland penny via samba wrote:
>> On 21/04/2021 15:30, basti via samba wrote:
>>> dc1:~# ldbsearch -H ldap://$(hostname -s) 
>>> '(&(objectCategory=group)(cn=Domain Users))' -P
>>> # record 1
>>> dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
>>> objectClass: top
>>> objectClass: group
>>> cn: Domain Users
>>> description: All domain users
>>> instanceType: 4
>>> whenCreated: 20200116093420.0Z
>>> whenChanged: 20200116093420.0Z
>>> uSNCreated: 3622
>>> uSNChanged: 3622
>>> name: Domain Users
>>> objectGUID: a37f673e-fe36-4a84-a748-9de66aba51ff
>>> objectSid: S-1-5-21-1732978637-3172972945-805327809-513
>>> sAMAccountName: Domain Users
>>> sAMAccountType: 268435456
>>> groupType: -2147483646
>>> objectCategory: 
>>> CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,
>>> DC=com
>>> isCriticalSystemObject: TRUE
>>> memberOf: CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com
>>> distinguishedName: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
>>
>>
>> I quote what I posted earlier:
>>
>> Also, does Domain Users have a gidNumber attribute containing a number
>> inside the same range.
>>
>> Well, the above proves that you haven't, so that is your problem, you 
>> MUST give Domain Users a gidNumber attribute containing a number 
>> inside the 7000-20000 range you set in your smb.conf
>>
>> Rowland
>>
>>
>>
>
> Problem still exists.


Well, it would, see below:

>
> dc1:~# getent passwd iustest
> samdom\iustest:*:7099:100::/home/samdom/iustest:/bin/false
>
>
> root at dc1:~# ldbsearch -H ldap://$(hostname -s) 
> '(&(objectCategory=group)(cn=Domain Users))' -P
> # record 1
> dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
> cn: Domain Users
> comscription: All domain users
> instanceType: 4
> whenCreated: 20200116093420.0Z
> uSNCreated: 3622
> name: Domain Users
> objectGUID: a37f673e-fe36-4a84-a748-9com66aba51ff
> objectSid: S-1-5-21-1732978637-3172972945-805327809-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,
> DC=com
> isCriticalSystemObject: TRUE
> objectClass: top
> objectClass: posixGroup


You do not need and should not have the posixGroup objectclass

> objectClass: group
> msSFU30NisDomain: samdom
> gidNumber: 30000


No, '30000' is larger than the '20000' you have in your smb.conf, so it 
will be ignored and as it is being ignored, then 'Domain Users' will be 
ignored and if 'Domain Users' is ignored, then EVERY user with a 
uidNumber attribute will be ignored (except on a DC).

Give 'Domain Users' another gidNumber inside '7000-20000' (a group can 
have the same ID number as a user)

Run 'net cache flush' on all Unix machines, then try again.

Rowland


> whenChanged: 20210421162121.0Z
> uSNChanged: 2504485
> distinguishedName: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
>
>
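
The range check described in the reply above, as an added example that is not part of the original post: it parses ldbsearch-style output and reports any uidNumber or gidNumber outside the idmap range. The smb.conf fragment (including the `ad` backend), the sample records and all function names are constructed for illustration; only the 7000-20000 range and the 30000 and 7099 values come from the thread.

```python
import re

# Constructed smb.conf fragment: the thread states only the 7000-20000 range.
SMB_CONF = """\
[global]
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 7000-20000
"""

# Constructed ldbsearch-style output modelled on the thread (note the folded line).
LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,
 DC=com
gidNumber: 30000

# record 2
dn: CN=iustest,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 7099
"""

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pat, conf, re.I | re.M)
    if not m:
        raise ValueError("no idmap range configured for " + domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """Yield {attribute: [values]} per record, unfolding continuation lines."""
    text = re.sub(r"\n ", "", text)  # LDIF folds long values as newline + space
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                rec.setdefault(key, []).append(value)
        if rec:
            yield rec

def out_of_range(ldif, low, high):
    """List (dn, attribute, value) for every uidNumber/gidNumber outside low-high."""
    return [(rec.get("dn", ["?"])[0], attr, int(v))
            for rec in parse_ldif(ldif)
            for attr in ("uidNumber", "gidNumber")
            for v in rec.get(attr, [])
            if not low <= int(v) <= high]
```

Calling `out_of_range(LDIF, *idmap_range(SMB_CONF, "SAMDOM"))` flags only the Domain Users record; the user's uidNumber 7099 is inside the range.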