[Samba] Group mappings on a domain member

Robert Marcano robert at marcanoonline.com
Thu Feb 24 13:57:04 UTC 2022 

On 2/23/22 4:14 PM, Rowland Penny via samba wrote:
> On Wed, 2022-02-23 at 15:21 -0400, Robert Marcano via samba wrote:
>> Greetings.
>>
>> On a Samba based AD domain member, what is the relationship between:
>>
>>     # net groupmap list
>>     Guests (S-1-5-32-546) -> 100004
>>     Administrators (S-1-5-32-544) -> 100003
>>     Users (S-1-5-32-545) -> 100001
> 
> I would be more worried that you are getting numbers back instead of
> names:
> 
> rowland at devstation:~$ sudo net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> Users (S-1-5-32-545) -> BUILTIN\users
> 
>>
>> and
>>
>>     # wbinfo --sid-to-gid=S-1-5-11
>>     100002
> 
> I do not get anything back:
> 
> rowland at devstation:~$ sudo wbinfo --sid-to-gid=S-1-5-11
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-11 to gid

This server has a few share with ACL for S-1-5-11 (Authenticated users) 
so maybe Samba is forced to create a id mapping because of that.

> 
>>
>> The first one doesn't show any reference to the wbinfo mapping of
>> S-1-5-11 (Authenticated Users), Should I be worried of this? why two
>> different databases for group mappings, group_mapping.tdb and
>> winbindd_idmap.tdb?
>>
>> Note: the id mapping configurations is:
>>
>>     idmap config MYDOMAIN : range = 278000000-278999999
>>     idmap config MYDOMAIN : backend = rid
>>     idmap config * : range = 100000-200000
>>     idmap config * : backend = tdb
> 
> There is probably a valid reason why you use those ranges, but why ?

Compatibility with workstations using SSSD for domain authentication. 
This is the domain algorithmic generated range by SSSD, the joined 
server running Samba exclusively is just using the same range.
> 
> I wouldn't worry about any of this, unless you are having problems you
> haven't mentioned.

No problems here, only wondering how those two mapping databases 
interact. do winbind search first for group mapings, or not use at all. 
should I use `wbinfo --set-gid-mapping=GID,SID` instead, for mapping 
these internal SIDs like S-1-5-11

> 
> Rowland
> 
> 
>

More information about the samba mailing list