[Samba] rid backend special group handling

d tbsky tbskyd at gmail.com
Wed Mar 1 16:26:28 UTC 2023


Rowland Penny via samba <samba at lists.samba.org>
> > What confuses me is the "BUILTIN\users" group. Now with command "id
> > my-account" I can see my account also belongs to the "BUILTIN\users"
> > group,
> > and the group id is "1000032", which is outside my new configuration range.
> > I didn't see that group under rfc2307 backend before, but I know the
> > "1000032" id comes from my old config, which has "idmap config *:range
> > = 1000000-1999999".
>
> It was probably coming from the winbind cache and should have been
> cleared by running 'net cache flush' or by restarting Samba, or at the
> worst, rebooting.

    I used tdbdump to scan every tdb file, and found the "1000032" id
only exists in gencache.tdb.
"net cache flush" will flush the "gencache.tdb", but "id my-account"
will bring back the ghost "1000032" again.

>
> > After some trying I finally got rid of "1000032" by deleting
> > "group_mapping.tdb" and let samba recreate it to get the new id under
> > "5000-9999".
>
> I cannot recommend deleting files like that.

   Yes, I hope not to delete it, but I cannot find other ways to
rebuild the id map correctly.
Maybe there is some command to rebuild it?

> NOTE: just as an aside, because you are now using the rid idmap backend,
> you now have synthetic usergroups, the user 'fred' will have a group
> called 'fred'.
> Try it: 'getent group fred'

   Thanks a lot for the note. Now I notice the behavior. I didn't know it before.

> The BUILTIN domain is fairly small and is handled by the default domain
> '*' and ID's are allocated from the range set in smb.conf. These ID's
> are not guaranteed to be the same on each Unix domain member, which
> isn't a problem because they are only used for administrative purposes.
> The default domain is meant for the BUILTIN domain and anything that
> isn't in the main 'SAMDOM', which is why everything ends up in the
> default domain if you really mess up the main domain.

   So you mean just ignore them, since we don't use them under Linux.
I am curious what groups are mapped. The group_mapping.tdb only has
three SIDs: S-1-5-32-{544,545,546}
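
Added example, not part of the original message or of Samba itself: a small Python check that reads the "idmap config ... : range" lines from smb.conf text and reports any group in `id` output whose gid lies in no configured range, which is how a leftover mapping such as 1000032 shows up. The SAMDOM range, the account's other ids and the sample `id` output are constructed assumptions; only the 5000-9999 range, the old 1000000-1999999 range and the 1000032 gid come from the thread.

```python
import re

# Constructed smb.conf fragment. The '*' range 5000-9999 is the new range named
# in the thread; the SAMDOM rid range is an assumption made for this example.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 5000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed `id my-account` output; only the BUILTIN\\users gid is from the thread.
ID_OUTPUT = ("uid=11104(SAMDOM\\my-account) gid=10513(SAMDOM\\domain users) "
             "groups=10513(SAMDOM\\domain users),1000032(BUILTIN\\users)")

# Matches both "idmap config * : range = a-b" and the compact "idmap config *:range = a-b".
RANGE_RE = re.compile(
    r"^[ \t]*idmap[ \t]+config[ \t]+([^\s:]+)[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)",
    re.IGNORECASE | re.MULTILINE)
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOMAIN : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}


def out_of_range_groups(conf_text, id_output):
    """List (gid, name) pairs from `id` output that fall in no configured range."""
    ranges = parse_idmap_ranges(conf_text).values()
    groups = id_output.split("groups=", 1)[1] if "groups=" in id_output else ""
    return [(int(gid), name) for gid, name in ENTRY_RE.findall(groups)
            if not any(lo <= int(gid) <= hi for lo, hi in ranges)]


if __name__ == "__main__":
    for gid, name in out_of_range_groups(SMB_CONF, ID_OUTPUT):
        print(f"gid {gid} ({name}) is outside every configured idmap range")
```

Groups that come from local files such as /etc/group are also reported, since they are not allocated by winbind; filter those out before treating a hit as a stale mapping.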


