[Samba] rid backend special group handling

Rowland Penny rpenny at samba.org
Wed Mar 1 15:35:05 UTC 2023



On 01/03/2023 14:59, d tbsky via samba wrote:
> Hi:
>      I want to convert our samba file server from rfc2307 to rid backend.
> the configuration looks like:
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 5000-9999
>     idmap config SAMDOM:backend = rid
>     idmap config SAMDOM:range = 10000-999999
>     idmap config SAMDOM:unix_primary_group = yes
> 
> Most things work fine. Normal user-id and group-id changed, so we
> changed owners and ACLs to the correct new id, then the file server works
> as usual.
> 
> But now there are new Windows users/groups for which we didn't set rfc2307
> attributes before they came to our file server. "domain users" is fine.
> In Windows we can also see accounts belonging to "domain users", and
> "domain users" also gets a new gid correctly under Linux.

I am willing to bet that Domain users now has the GID 10513

> 
> What confuses me is the "BUILTIN\users" group. Now with the command "id
> my-account" I can see my account also belongs to the "BUILTIN\users"
> group,
> and the group id is "1000032", which is outside my new configuration range.
> I didn't see that group under rfc2307 backend before. but I know the
> "1000032" id comes from my old config, which has "idmap config *:range
> = 1000000-1999999".

It was probably coming from the winbind cache and should have been 
cleared by running 'net cache flush' or by restarting Samba, or at the 
worst, rebooting.

> After some trying I finally got rid of "1000032" by deleting
> "group_mapping.tdb" and let samba recreate it to get the new id under
> "5000-9999".

I cannot recommend deleting files like that.

> 
> I want to know more about how samba deals with these special groups.
> There is little information at wiki. After searching the email list, I
> found some discussion that only "Administrators","Guests","Users"
> Builtin groups are mapped under samba.
> Is there more information about how samba handles these special groups?
> 

If you run 'wbinfo --all-domains' you should get something like this

BUILTIN
THE_COMPUTERS_HOSTNAME
SAMDOM

Samba, when running as a Unix domain member, seems to ignore the middle one.

The 'SAMDOM' domain IDs are set via the 'idmap config SAMDOM' lines in 
smb.conf and, as you are now using the rid idmap backend, they are 
calculated like this:

ID = RID + low range number

So in your case:

ID = RID + 10000

So coming back to Domain Users (which has the RID 513):

10513 = 513 + 10000

This means that anything in AD that is a member of the 'SAMDOM' domain 
will get an ID.

NOTE: just as an aside, because you are now using the rid idmap backend, 
you now have synthetic usergroups, the user 'fred' will have a group 
called 'fred'.
Try it: 'getent group fred'

The BUILTIN domain is fairly small and is handled by the default domain 
'*', and IDs are allocated from the range set in smb.conf. These IDs 
are not guaranteed to be the same on each Unix domain member, which 
isn't a problem because they are only used for administrative purposes.
The default domain is meant for the BUILTIN domain and anything that 
isn't in the main 'SAMDOM', which is why everything ends up in the 
default domain if you really mess up the main domain.

Rowland
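The following is an added example, not part of the thread and not Samba's own code. It reproduces the idmap_rid arithmetic Rowland describes (ID = RID + low end of the domain's range) from the poster's smb.conf lines, and then audits the output of `id` against the configured ranges so that a leftover such as GID 1000032 (which falls in the old `*` range 1000000-1999999, not in any current range) is flagged for cache flushing and ownership checks. The smb.conf fragments, the `id` output line, the domain SID `S-1-5-21-1-2-3` and the user `fred` with RID 1105 are all constructed for the example; the regexes and function names are this example's own.

```python
import re

# Constructed smb.conf fragments taken from the thread: the poster's new rid
# configuration and the old default-domain range that produced GID 1000032.
NEW_SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 5000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-999999
    idmap config SAMDOM:unix_primary_group = yes
"""

OLD_SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 1000000-1999999
"""

# Matches "idmap config DOMAIN:key = value" (this example's own parser, not Samba's).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf):
    """Collect idmap config lines into {DOMAIN: {key: value}}; '*' is the default domain."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(spec):
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def rid_to_id(cfg, domain, rid):
    """idmap_rid arithmetic: Unix ID = RID + low end of the domain's range."""
    dom = cfg[domain.upper()]
    if dom.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend; IDs are allocated, not computed")
    lo, hi = parse_range(dom["range"])
    unix_id = lo + rid
    if unix_id > hi:
        raise ValueError(f"RID {rid} maps to {unix_id}, above the range top {hi}")
    return unix_id


def sid_to_id(cfg, domain_sids, sid):
    """Map a full SID to a Unix ID via a {domain SID: idmap domain name} table
    (the table would come from 'wbinfo --domain-info' or similar; constructed here)."""
    dom_sid, rid = sid.rsplit("-", 1)
    return rid_to_id(cfg, domain_sids[dom_sid], int(rid))


def classify_id(cfg, unix_id):
    """Return the idmap domain whose range contains unix_id, or None if no range does."""
    for dom, d in cfg.items():
        if "range" in d:
            lo, hi = parse_range(d["range"])
            if lo <= unix_id <= hi:
                return dom
    return None


# Matches each "1234(name)" token in the output of `id`.
ID_ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def audit_id_output(cfg, id_output):
    """Parse `id user` output into [(unix_id, name, idmap domain or None)]."""
    return [(int(n), name, classify_id(cfg, int(n)))
            for n, name in ID_ENTRY_RE.findall(id_output)]


def stale_ids(cfg, id_output):
    """IDs outside every configured range: leftovers from an old mapping that
    point at a stale winbind cache, an old tdb, or files still owned by old IDs."""
    return [(n, name) for n, name, dom in audit_id_output(cfg, id_output) if dom is None]


# Constructed `id` output resembling what the poster saw right after the switch.
SAMPLE_ID_OUTPUT = (
    "uid=11105(SAMDOM\\fred) gid=10513(SAMDOM\\domain users) "
    "groups=10513(SAMDOM\\domain users),11105(SAMDOM\\fred),1000032(BUILTIN\\users)"
)

if __name__ == "__main__":
    new_cfg = parse_idmap(NEW_SMB_CONF)
    print("Domain Users (RID 513) ->", rid_to_id(new_cfg, "SAMDOM", 513))
    for n, name, dom in audit_id_output(new_cfg, SAMPLE_ID_OUTPUT):
        print(f"{n:>8} {name:<24} {dom or 'OUTSIDE ALL RANGES'}")
    old_cfg = parse_idmap(OLD_SMB_CONF)
    for n, name in stale_ids(new_cfg, SAMPLE_ID_OUTPUT):
        print(f"{n} ({name}) lies in old domain {classify_id(old_cfg, n)!r}: run 'net cache flush'")
```

Only the rid-backed domain is computable this way; anything the `*` default domain hands out (BUILTIN, or a domain whose config is broken) is allocated from the tdb and can differ between members, so the authoritative check on a live member remains `wbinfo --sid-to-uid` / `wbinfo --sid-to-gid` after `net cache flush`. An ID that the audit reports as outside every range is worth chasing down before the old mapping disappears from `ls -ln` output as a bare number nobody can resolve.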