[Samba] messed up group ids
Peter Carlson
peter at howudodat.com
Mon Oct 17 14:13:19 UTC 2022
OK, I made the recommended changes and ran net cache flush; afterwards
Domain Users was correct, but Domain Admins was not. Results of the "id"
command are below.
>>
>> and it can't find all the groups while the rdp server can
>
> No, that is wrong, if you look closely, the rdp server is missing two
> groups but the fileserver is showing two groups by ID only (not by name)
Yes, I missed the 2 BUILTIN groups. I don't know if that's a problem or
not; after net cache flush, here are the 2 servers:
-------------------- RDP----------------------
uid=2001110(SDCP\peter)
gid=2000513(SDCP\domain users)
groups=
2000513(SDCP\domain users),
2000512(SDCP\domain admins),
2000572(SDCP\denied rodc password replication group),
2001110(SDCP\peter),
2001118(SDCP\linux admins),
2001136(SDCP\remotedesktop)
------------------- File Server ---------------
uid=2001110(SDCP\peter)
gid=2000513(SDCP\domain users)
groups=
2000513(SDCP\domain users),
10000(BUILTIN\administrators),
10001(BUILTIN\users),
2000512,
2000572(SDCP\denied rodc password replication group),
2001110(SDCP\peter),
2001118(SDCP\linux admins),
2001136(SDCP\remotedesktop)
>
> I really do hope '.local' is sanitising, if not, turn off Avahi and
> Bonjour everywhere.
>
We have no Avahi and no Bonjour. However, the .local was decided by
someone long before me, when the AD was still on Windows and known as a
PDC. The AD was then migrated to a Synology NAS and .local was kept.
Now I enter the picture, and it was decided to move to a less
vendor-specific solution. The AD couldn't be migrated from Synology, so it
was decided to rebuild the domain users/groups/GPOs, but the .local stayed
(in a vain attempt not to have to re-join all the workstations).
>>
>> ---------------------------------- xRDP
>> ------------------------------------------------------
>> xRDP Server - not a file server, smbd is not running
>
> So no shares, just authentication.
Correct, no shares, just auth. The user shares line got missed in the
config; I think I just missed the line amongst the 3000 lines of
comments. I'm torn on whether it's better to have each line documented
in the config file, or just to have a clean 10 lines of config. That's a
debate for another day :)
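As an added example (not from the thread or from Samba), here is a small Python check that parses the two `id` outputs quoted above and reports what a reader has to spot by eye: groups a host lists by number only (the name lookup failed on that host) and groups present on one host but not the other. The sample strings are the thread's own output re-joined onto one line each, the way `id` actually prints it; the host labels a/b are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two `id` outputs pasted in the thread,
# re-joined onto one line each (the mail client wrapped them after every comma).
RDP_ID = (
    r"uid=2001110(SDCP\peter) gid=2000513(SDCP\domain users) "
    r"groups=2000513(SDCP\domain users),2000512(SDCP\domain admins),"
    r"2000572(SDCP\denied rodc password replication group),2001110(SDCP\peter),"
    r"2001118(SDCP\linux admins),2001136(SDCP\remotedesktop)"
)
FILESERVER_ID = (
    r"uid=2001110(SDCP\peter) gid=2000513(SDCP\domain users) "
    r"groups=2000513(SDCP\domain users),10000(BUILTIN\administrators),"
    r"10001(BUILTIN\users),2000512,"
    r"2000572(SDCP\denied rodc password replication group),2001110(SDCP\peter),"
    r"2001118(SDCP\linux admins),2001136(SDCP\remotedesktop)"
)

# One entry of the groups= list: a numeric GID, optionally followed by "(name)".
# Names may contain spaces and backslashes, so anchor on the whole entry.
ENTRY_RE = re.compile(r"^(\d+)(?:\((.*)\))?$")


def parse_groups(id_output: str) -> Dict[int, Optional[str]]:
    """Parse the groups= field of one `id` line into {gid: name}.
    name is None when `id` printed the GID bare, i.e. this host could
    not resolve the GID to a name."""
    m = re.search(r"groups=(.*)$", id_output)
    if m is None:
        raise ValueError("no groups= field in id output")
    groups: Dict[int, Optional[str]] = {}
    for entry in m.group(1).split(","):
        em = ENTRY_RE.match(entry.strip())
        if em is None:
            raise ValueError(f"unparsable group entry: {entry!r}")
        groups[int(em.group(1))] = em.group(2)
    return groups


def unresolved(groups: Dict[int, Optional[str]]) -> List[int]:
    """GIDs the host knows the user belongs to but cannot map to a name."""
    return sorted(gid for gid, name in groups.items() if name is None)


def compare(a: Dict[int, Optional[str]], b: Dict[int, Optional[str]]) -> dict:
    """Diff two hosts' views of the same user: memberships present on only
    one side, GIDs unresolved on either side, and GIDs that both hosts
    resolve but to different names (a sign of inconsistent ID mapping)."""
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "unresolved_a": unresolved(a),
        "unresolved_b": unresolved(b),
        "name_mismatch": sorted(
            gid for gid in set(a) & set(b)
            if a[gid] is not None and b[gid] is not None and a[gid] != b[gid]
        ),
    }


if __name__ == "__main__":
    # host a = the xRDP server, host b = the file server
    report = compare(parse_groups(RDP_ID), parse_groups(FILESERVER_ID))
    for key, gids in report.items():
        print(f"{key}: {gids}")
```

Run against the thread's output, the report shows 2000512 as unresolved on the file server only and the two BUILTIN GIDs (10000, 10001) as present on the file server only. A bare number in `id` output means the membership is still applied numerically, but that host's name service (winbind here) could not map the GID back to a name, which is worth checking before any share or sudo rule that references the group by name is relied upon.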