[Samba] rid backend special group handling

Rowland Penny rpenny at samba.org
Wed Mar 1 16:37:15 UTC 2023



On 01/03/2023 16:26, d tbsky via samba wrote:
> Rowland Penny via samba <samba at lists.samba.org>
>>> What confuses me is the "BUILTIN\users" group. Now with command "id
>>> my-account" I can see my account also belongs to the "BUILTIN\users"
>>> group.
>>> and the group id is "1000032" which is outside my new configuration range.
>>> I didn't see that group under rfc2307 backend before. but I know the
>>> "1000032" id comes from my old config, which has "idmap config *:range
>>> = 1000000-1999999".
>>
>> It was probably coming from the winbind cache and should have been
>> cleared by running 'net cache flush' or by restarting Samba, or at the
>> worst, rebooting.
> 
>      I used tdbdump to scan every tdb file, and found the "1000032" id
> only exists in gencache.tdb.
> "net cache flush" will flush gencache.tdb, but "id my-account"
> will bring back the ghost "1000032" again.

Strange, did you restart samba or reload the config with smbcontrol 
after making the changes to smb.conf ?

> 
>>
>>> After some trying I finally got rid of "1000032" by deleting
>>> "group_mapping.tdb" and let samba recreate it to get the new id under
>>> "5000-9999".
>>
>> I cannot recommend deleting files like that.
> 
>     Yes, I hope not to delete it, but I cannot find other ways to
> rebuild the id map correctly.
> Maybe there is some command to rebuild it?

Not that I haven't mentioned already.

> 
>> NOTE: just as an aside, because you are now using the rid idmap backend,
>> you now have synthetic usergroups, the user 'fred' will have a group
>> called 'fred'.
>> Try it: 'getent group fred'
> 
>     Thanks a lot for the note. Now I notice the behaviour; I didn't know it before.
> 
>> The BUILTIN domain is fairly small and is handled by the default domain
>> '*' and IDs are allocated from the range set in smb.conf. These IDs
>> are not guaranteed to be the same on each Unix domain member, which
>> isn't a problem because they are only used for administrative purposes.
>> The default domain is meant for the BUILTIN domain and anything that
>> isn't in the main 'SAMDOM', which is why everything ends up in the
>> default domain if you really mess up the main domain.
> 
>     So you mean just ignore them, since we don't use them under Linux.
> I am curious what groups are mapped. The group_mapping.tdb only has
> three SIDs: S-1-5-32-{544,545,546}
> 

Well, ignore them as in do not attempt to use them directly from Samba 
yourself, Samba will use them under the hood when required.

Rowland
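The mechanics behind the two kinds of ID in this thread, as an added example that is not part of the original exchange or of Samba's own code: the rid backend computes an ID deterministically as LOW_RANGE_ID + RID (the formula from the idmap_rid man page), whereas BUILTIN SIDs (S-1-5-32-*) fall through to the default '*' domain and are merely allocated from its tdb range, so they differ between members and cannot be predicted from the SID. The smb.conf fragment, the SAMDOM domain SID and the list of IDs to audit are all constructed for the example; the range values mirror the ones mentioned in the thread. `classify_id` is the check a practitioner wants here: an ID that lands in no configured range (such as the poster's 1000032, left over from the old '*' range) is stale and is coming from somewhere other than the current idmap configuration.

```python
import re

# Constructed smb.conf fragment for the example (not the poster's real config).
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-3999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 5000-9999
"""

# Constructed domain SID; a real one is read with 'net getdomainsid' or 'wbinfo -D'.
SAMDOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_SIDS = {SAMDOM_SID: "SAMDOM"}   # SID prefix -> smb.conf idmap domain name
BUILTIN_SID = "S-1-5-32"               # BUILTIN is never a listed domain, so it hits '*'

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()       # '*' stays '*'
        key = m.group("key").lower()
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", m.group("val")))
            entry["range"] = (low, high)
        else:
            entry[key] = m.group("val").lower()
    return cfg


def rid_to_id(cfg, domain, rid):
    """idmap_rid mapping: ID = LOW_RANGE_ID + RID; None if the domain is not
    rid-backed or the result would fall outside the configured range."""
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid":
        return None
    low, high = entry["range"]
    xid = low + rid
    return xid if low <= xid <= high else None


def classify_id(cfg, xid):
    """Name the configured domain whose range contains xid, or None for an ID
    that no current range explains (a stale allocation from an old config)."""
    for dom, entry in cfg.items():
        low, high = entry.get("range", (None, None))
        if low is not None and low <= xid <= high:
            return dom
    return None


def sid_to_expected_id(cfg, sid, domain_sids):
    """Predict how winbind maps a SID under this config:
       ('rid', id)        -> computed by idmap_rid for a listed rid domain
       ('allocated', dom) -> handed out from dom's tdb range (BUILTIN, unknown SIDs)
       ('unmapped', None) -> rid domain, but RID pushes the ID past the range."""
    prefix, _, rid_str = sid.rpartition("-")
    dom = domain_sids.get(prefix, "*")
    entry = cfg.get(dom) or cfg["*"]
    if entry.get("backend") == "rid":
        xid = rid_to_id(cfg, dom, int(rid_str))
        return ("rid", xid) if xid is not None else ("unmapped", None)
    return ("allocated", dom if dom in cfg else "*")


def find_ghost_ids(cfg, ids):
    """IDs seen on the box (e.g. from 'id my-account') that no range explains."""
    return [xid for xid in ids if classify_id(cfg, xid) is None]


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print(cfg)
    print(sid_to_expected_id(cfg, SAMDOM_SID + "-1106", DOMAIN_SIDS))   # ('rid', 6106)
    print(sid_to_expected_id(cfg, BUILTIN_SID + "-545", DOMAIN_SIDS))   # ('allocated', '*')
    # Constructed output of 'id': a SAMDOM group, a BUILTIN group, and the ghost.
    print(find_ghost_ids(cfg, [6106, 3005, 1000032]))                   # [1000032]
```

If `find_ghost_ids` reports something after `net cache flush` and `smbcontrol all reload-config`, the value is not coming from the current idmap ranges at all, which is the situation the poster describes.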


