[Samba] messed up group ids

Rowland Penny rpenny at samba.org
Mon Oct 17 07:50:11 UTC 2022



On 17/10/2022 04:25, Peter Carlson via samba wrote:
> I have a setup with about a dozen windows machines, and 4 ubuntu servers 
> their names are fairly obvious:
>      NC1 is the domain controller, filesvr is a file server joined to the 
> domain, xrdp is an rdp server also joined to the domain that mounts the 
> file server shares, and middleware is a non joined standalone server at 
> the moment.
> 
> I seem to have something wrong in my group SIDs:
> 
> root at filesvr:/data# ls -l BinaryData/
> drwxr-xr-x  2 SDCP\peter 2000513    4096 Sep 30 15:45 2010
> 
> root at filesvr:/data# ls -l Ca****nt-Accounting/
> -rwxrwx---+  1 SDCP\peter SDCP\accounting    105984 May 16 2011 05.15.11.xls
> 
> On the file server I get errors on login:
> groups: cannot find name for group ID 2000513
> groups: cannot find name for group ID 2000512

They are definitely Domain Users & Domain Admins (RID 513 and 512)

> 
> and it can't find all the groups while the rdp server can

No, that is wrong. If you look closely, the rdp server is missing two 
groups, but the fileserver is showing two groups by ID only (not by name).

> SDCP\peter at filesvr:~$ id
> uid=2001110(SDCP\peter) gid=2000513 
> groups=2000513,10000(BUILTIN\administrators),10001(BUILTIN\users),2000512,2000572(SDCP\denied rodc password replication group),2001110(SDCP\peter),2001118(SDCP\linux admins),2001136(SDCP\remotedesktop)
> 
> SDCP\peter at xrdp:~$ id
> uid=2001110(SDCP\peter) gid=2000513(SDCP\domain users) 
> groups=2000513(SDCP\domain users),2000512(SDCP\domain admins),2000572(SDCP\denied rodc password replication group),2001110(SDCP\peter),2001118(SDCP\linux admins),2001136(SDCP\remotedesktop)
> 
> ---------------------------------- DC 
> ---------------------------------------------------------
> # Global parameters
> [global]
>      netbios name = NC1
>      realm = SA****NT.LOCAL
>      server role = active directory domain controller
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>      workgroup = SDCP
>      idmap_ldb:use rfc2307 = yes
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/sa****nt.local/scripts
>      read only = No
> 

I really do hope '.local' is sanitising; if not, turn off Avahi and 
Bonjour everywhere.

> 
> ----------------------------------  xRDP 
> ------------------------------------------------------
> xRDP Server - not a file server, smbd is not running

So no shares, just authentication.

> [global]
> server role = standalone server

Wrong: this is not a standalone server; I suggest you remove that line.

> template homedir = /home/%U@%D
> template shell = /bin/bash
> usershare allow guests = yes

If this is authentication only, why allow usershares at all?

> kerberos method = secrets and keytab
> realm = SA****NT.LOCAL
> workgroup = SDCP
> security = ads
> idmap config SDCP : range = 2000000-2999999
> idmap config SDCP : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> 
> ------------------------------------ File Server 
> ---------------------------------------------
> [global]
> server role = standalone server

Again wrong, see above.

> template homedir = /home/%U@%D
> template shell = /bin/bash
> usershare allow guests = yes
> kerberos method = secrets and keytab
> realm = SA****NT.LOCAL
> workgroup = SDCP
> security = ads
> idmap config SDCP : range = 2000000-2999999
> idmap config SDCP : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> vfs objects = acl_xattr
> map acl inherit = yes
> 
> #======================= Share Definitions =======================
> [BinaryData]
>      path = /data/BinaryData
>      comment = Store for DB and Middleware
>      writable = yes
> 
> [Ca****nt-Accounting]
>      path = /data/Ca****nt-Accounting
>      comment = Accounting Files
>      writable = yes
> 

I can see no reason why two groups cannot be identified; try running 
'net cache flush' on the fileserver and see if that helps.

Rowland
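As an added example (not from this thread or from Samba itself): decoding the numeric-only group IDs the way Rowland does above, by inverting the rid backend's arithmetic (ID = LOW_RANGE_ID + RID) against the idmap ranges in the posted smb.conf. The config and `id` lines are constructed copies of the ones in the thread; the function names are assumptions of mine.

```python
import re
WELL_KNOWN_RIDS = {  # fixed RIDs every AD domain has; Windows defines the names
    512: "Domain Admins",
    513: "Domain Users",
    572: "Denied RODC Password Replication Group",
}

# Constructed sample: the idmap lines from the file server's smb.conf in the thread.
SMB_CONF = """idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
"""

# Constructed sample: the file server's `id` output from the thread, unwrapped and shortened.
ID_OUTPUT = (r"uid=2001110(SDCP\peter) gid=2000513 groups=2000513,10000(BUILTIN\administrators),"
             r"2000512,2000572(SDCP\denied rodc password replication group),2001110(SDCP\peter)")

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(range|backend)\s*=\s*(\S+)", re.M)

def parse_idmap(conf):
    """Collect each domain's idmap backend and numeric range from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key == "range":
            entry["range"] = tuple(int(x) for x in val.split("-"))
        else:
            entry["backend"] = val
    return cfg

def parse_groups(id_output):
    """Return [(gid, name or None)] from the groups= field of `id` output."""
    groups = re.search(r"groups=(.*)", id_output).group(1)
    return [(int(g), n or None) for g, n in re.findall(r"(\d+)(?:\(([^)]*)\))?", groups)]

def explain(gid, idmap):
    """Invert the rid backend arithmetic (ID = LOW_RANGE_ID + RID) for one numeric id."""
    for dom, entry in idmap.items():
        lo, hi = entry.get("range", (0, -1))  # empty range when none is configured
        if dom != "*" and entry.get("backend") == "rid" and lo <= gid <= hi:
            rid = gid - lo
            return dom, rid, WELL_KNOWN_RIDS.get(rid)
    return None  # not in any rid-mapped range: tdb allocation or an unmapped id

def unresolved(id_output, conf):
    """Groups that `id` printed by number only, each decoded to (gid, domain, RID, name)."""
    idmap = parse_idmap(conf)
    return [(gid,) + (explain(gid, idmap) or (None, None, None))
            for gid, name in parse_groups(id_output) if name is None]
```

Running `unresolved(ID_OUTPUT, SMB_CONF)` decodes 2000513 and 2000512 to RID 513 (Domain Users) and RID 512 (Domain Admins) in the SDCP range, confirming the ids are mapped correctly and that only the name lookup is failing.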
