[Samba] messed up group ids

Peter Carlson peter at howudodat.com
Mon Oct 17 14:13:19 UTC 2022


OK, I made the recommended changes and ran net cache flush; afterwards 
Domain Users was correct, but Domain Admins was not. Results of the "id" 
command are below.


>>
>> and it can't find all the groups while the rdp server can
>
> No, that is wrong, if you look closely, the rdp server is missing two 
> groups but the fileserver is showing two groups by ID only (not by name)

Yes, I missed the 2 BUILTIN groups; I don't know if that's a problem or 
not. After net cache flush, here are the 2 servers:

--------------------  RDP----------------------
uid=2001110(SDCP\peter)
gid=2000513(SDCP\domain users)
groups=
     2000513(SDCP\domain users),
     2000512(SDCP\domain admins),
     2000572(SDCP\denied rodc password replication group),
     2001110(SDCP\peter),
     2001118(SDCP\linux admins),
     2001136(SDCP\remotedesktop)

------------------- File Server ---------------
uid=2001110(SDCP\peter)
gid=2000513(SDCP\domain users)
groups=
     2000513(SDCP\domain users),
     10000(BUILTIN\administrators),
     10001(BUILTIN\users),
     2000512,
     2000572(SDCP\denied rodc password replication group),
     2001110(SDCP\peter),
     2001118(SDCP\linux admins),
     2001136(SDCP\remotedesktop)

>
> I really do hope '.local' is sanitising, if not, turn off Avahi and 
> Bonjour everywhere.
>
We have no Avahi and no Bonjour. However, the .local was decided by 
someone long before me when the AD was still on Windows and known as a 
PDC. The AD was then migrated to a Synology NAS and .local was kept. 
Now I enter the picture and it was decided to move to a less 
vendor-specific solution. The AD couldn't be migrated from Synology, so it was 
decided to rebuild the domain users/groups/GPOs, but the .local stayed 
(in a vain attempt to not have to re-join all the workstations).
>>
>> ----------------------------------  xRDP ------------------------------------------------------
>> xRDP Server - not a file server, smbd is not running
>
> So no shares, just authentication.
Correct, no shares, just auth. The user shares line got missed in the 
config; I think I just missed the line in amongst the 3000 lines of 
comments. I'm torn on whether it's better to have each line documented 
in the config file, or just have a clean 10 lines of config. That's a 
debate for another day :)
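As an added example (not part of this thread or of Samba), a small Python script that parses `id` output from two hosts and reports gids a host prints by ID only, i.e. groups whose name the host could not resolve, plus groups present on only one host. The sample strings are the two outputs above, joined back onto one line each; the function names are the example's own.

```python
import re

# Constructed samples: the two `id` outputs from the post, each joined onto one line
# as the `id` command prints them.
RDP_ID = ("uid=2001110(SDCP\\peter) gid=2000513(SDCP\\domain users) "
          "groups=2000513(SDCP\\domain users),2000512(SDCP\\domain admins),"
          "2000572(SDCP\\denied rodc password replication group),2001110(SDCP\\peter),"
          "2001118(SDCP\\linux admins),2001136(SDCP\\remotedesktop)")
FILESERVER_ID = ("uid=2001110(SDCP\\peter) gid=2000513(SDCP\\domain users) "
                 "groups=2000513(SDCP\\domain users),10000(BUILTIN\\administrators),"
                 "10001(BUILTIN\\users),2000512,"
                 "2000572(SDCP\\denied rodc password replication group),2001110(SDCP\\peter),"
                 "2001118(SDCP\\linux admins),2001136(SDCP\\remotedesktop)")

# One entry is "<gid>(<name>)" when resolved, or a bare "<gid>" when the host
# could not map the gid back to a name (the "2000512" case on the file server).
ENTRY_RE = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_groups(id_output):
    """Return {gid: name} from the groups= part of `id` output; name is None
    when the host printed the gid without a name (resolution failed)."""
    groups_part = id_output.split("groups=", 1)[1]
    result = {}
    for entry in groups_part.split(","):
        m = ENTRY_RE.fullmatch(entry.strip())
        if m:
            result[int(m.group(1))] = m.group(2)
    return result


def compare_hosts(id_a, id_b):
    """Compare two hosts' group lists for the same user and flag the
    inconsistencies that matter for access control: gids unresolved on either
    side, gids present on only one side, and gids resolving to different names."""
    groups_a, groups_b = parse_groups(id_a), parse_groups(id_b)
    common = set(groups_a) & set(groups_b)
    return {
        "unresolved_a": sorted(g for g, n in groups_a.items() if n is None),
        "unresolved_b": sorted(g for g, n in groups_b.items() if n is None),
        "only_in_a": sorted(set(groups_a) - set(groups_b)),
        "only_in_b": sorted(set(groups_b) - set(groups_a)),
        "name_mismatch": sorted(g for g in common
                                if groups_a[g] and groups_b[g] and groups_a[g] != groups_b[g]),
    }


if __name__ == "__main__":
    for key, value in compare_hosts(RDP_ID, FILESERVER_ID).items():
        print(f"{key}: {value}")
```

An empty `unresolved_*` list on both hosts after `net cache flush` is the state to aim for; a gid that stays unresolved on one host points at that host's idmap configuration rather than at the directory.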