[Samba] rid backend special group handling

Rowland Penny rpenny at samba.org
Wed Mar 1 16:37:15 UTC 2023

On 01/03/2023 16:26, d tbsky via samba wrote:
> Rowland Penny via samba <samba at lists.samba.org>
>>> What confuses me is the "BUILTIN\users" group. Now with command "id
>>> my-account" I can see my account also belongs to the "BUILTIN\users"
>>> group.
>>> and the group id is "1000032" which is outside my new configuration range.
>>> I didn't see that group under rfc2307 backend before. but I know the
>>> "1000032" id comes from my old config, which has "idmap config *:range
>>> = 1000000-1999999".
>> It was probably coming from the winbind cache and should have been
>> cleared by running 'net cache flush' or by restarting Samba, or at the
>> worst, rebooting.
> I used tdbdump to scan every tdb file, and found the "1000032" id
> only exists in gencache.tdb.
> "net cache flush" will flush the "gencache.tdb", but "id my-account"
> will bring back the ghost "1000032" again.

Strange, did you restart Samba or reload the config with smbcontrol
after making the changes to smb.conf?

>>> After some trying I finally got rid of "1000032" by deleting
>>> "group_mapping.tdb" and let samba recreate it to get the new id under
>>> "5000-9999".
>> I cannot recommend deleting files like that.
> Yes, I hope not to delete it, but I cannot find another way to
> rebuild the id map correctly.
> Maybe there is some command to rebuild it?

Not that I haven't mentioned already.

>> NOTE: just as an aside, because you are now using the rid idmap backend,
>> you now have synthetic usergroups, the user 'fred' will have a group
>> called 'fred'.
>> Try it: 'getent group fred'
> Thanks a lot for the note. Now I notice the behaviour. I didn't know it before.
>> The BUILTIN domain is fairly small and is handled by the default domain
>> '*' and IDs are allocated from the range set in smb.conf. These IDs
>> are not guaranteed to be the same on each Unix domain member, which
>> isn't a problem because they are only used for administrative purposes.
>> The default domain is meant for the BUILTIN domain and anything that
>> isn't in the main 'SAMDOM', which is why everything ends up in the
>> default domain if you really mess up the main domain.
> So you mean just ignore them since we don't use them under Linux.
> I am curious what groups are mapped. The group_mapping.tdb only has
> three SIDs: S-1-5-32-{544,545,546}

Well, ignore them as in do not attempt to use them directly from Samba
yourself; Samba will use them under the hood when required.
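A small pre-flight check for the range question discussed in this thread, as an added example that is not from the thread or from the Samba project: it parses the `idmap config <DOMAIN> : range` lines of an smb.conf into (domain, low, high) triples, reports which idmap domain a given uid/gid falls into, and flags overlapping ranges. The three smb.conf fragments are constructed for illustration; the poster's actual new `*` range is not shown in the thread, so the 5000-9999 value is an assumption taken from the ID range they mention. On a live domain member the authoritative answers come from winbind (for example `wbinfo --gid-to-sid <gid>` and `testparm -s`); this script does not call them so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): parse "idmap config <DOMAIN> : range"
# lines from an smb.conf and classify IDs against them. All three config
# fragments below are constructed for illustration, not anyone's real setup.

# Constructed "old" config: only the default '*' domain, wide tdb range.
OLD_CONF='[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
'

# Constructed "new" config: '*' (BUILTIN etc.) in a small range, SAMDOM on rid.
NEW_CONF='[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 5000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
'

# Deliberately broken constructed config: the '*' and SAMDOM ranges overlap.
BAD_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 5000-20000
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
'

# write_conf "<text>" -> writes the fragment to a temp file and prints its path
write_conf() {
    f=$(mktemp) || return 1
    printf '%s' "$1" > "$f"
    echo "$f"
}

# idmap_ranges FILE -> one "DOMAIN LOW HIGH" line per "idmap config X : range = L-H"
idmap_ranges() {
    awk -F= '
    tolower($1) ~ /^[ \t]*idmap config[ \t]+[^ \t:]+[ \t]*:[ \t]*range[ \t]*$/ {
        dom = $1
        sub(/^[ \t]*idmap config[ \t]+/, "", dom)   # drop the keyword
        sub(/[ \t]*:.*$/, "", dom)                   # keep only the domain name
        rng = $2
        gsub(/[ \t]/, "", rng)                       # e.g. "5000-9999"
        n = split(rng, lh, "-")
        if (n == 2) print dom, lh[1], lh[2]
    }' "$1"
}

# idmap_domain_for_id FILE ID -> prints the domain whose range holds ID, else "unmapped"
idmap_domain_for_id() {
    idmap_ranges "$1" | awk -v id="$2" '
        id + 0 >= $2 + 0 && id + 0 <= $3 + 0 { print $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# idmap_ranges_overlap FILE -> exit 1 (naming the pair) if any two ranges overlap
idmap_ranges_overlap() {
    idmap_ranges "$1" | awk '
        { n++; d[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print d[i] " overlaps " d[j]; bad = 1
                    }
            exit (bad ? 1 : 0)
        }'
}

old=$(write_conf "$OLD_CONF"); new=$(write_conf "$NEW_CONF"); bad=$(write_conf "$BAD_CONF")
echo "1000032 under old config: $(idmap_domain_for_id "$old" 1000032)"   # *
echo "1000032 under new config: $(idmap_domain_for_id "$new" 1000032)"   # unmapped
echo "5032 under new config:    $(idmap_domain_for_id "$new" 5032)"      # *
echo "12000 under new config:   $(idmap_domain_for_id "$new" 12000)"     # SAMDOM
idmap_ranges_overlap "$new" && echo "new config: ranges do not overlap"
idmap_ranges_overlap "$bad" || echo "bad config: overlapping ranges rejected"
rm -f "$old" "$new" "$bad"
```

An ID that survives only in gencache.tdb and no longer falls inside any configured range is what the script reports as `unmapped`, which is the situation a stale cache entry produces after a range change. Samba documents that idmap ranges must not overlap, so the overlap check is worth running on the edited smb.conf before reloading the configuration.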