[Samba] winbind gives wrong primary id group
Ivan Novosad
ivan_novosad at ses.sk
Fri Aug 23 11:58:35 UTC 2024
Hello,
I have a fresh installation of samba 4.17.12+dfsg from apt on Debian 12.
I made new domain ADS2 (https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller).
root@dc-ads2:/etc/samba# samba-tool domain provision --use-rfc2307 --realm=ADS2.SES.SK --domain=ads2 --server-role=dc --dns-backend=BIND9_DLZ --adminpass=XXXXXXX
In the future, I want to use IDMAP = ad, but for simplicity, I'm currently using tdb.
File /etc/samba/smb.conf:
[global]
        netbios name = DC-ADS2
        realm = ADS2.SES.SK
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ADS2
        idmap_ldb:use rfc2307 = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[netlogon]
        path = /var/lib/samba/sysvol/ads2.ses.sk/scripts
        read only = No
After provisioning, there is only one user - administrator.
The command wbinfo displays the following information about the administrator:
root@dc-ads2:/tmp# wbinfo -i administrator
ADS2\administrator:*:0:100::/home/ADS2/administrator:/bin/bash
root@dc-ads2:/tmp# id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000006(ADS2\schema admins),3000007(ADS2\enterprise admins),3000004(ADS2\domain admins),3000008(ADS2\group policy creator owners),3000005(ADS2\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
Question 1:
Administrator has primaryGroupID = 513 (Domain users). Where, in which file or directive, is the group 'Domain Users' mapped to the Linux group 'Users (100)'?
I created a new group called IT4.
root@dc-ads2:/tmp# samba-tool group add IT4 --gid-number=2004 --nis-domain=ads2 --group-scope=Global --group-type=Security --description=DomainUnixGroup
Added group IT4
I created a new user called john4.
root@dc-ads2:/tmp# samba-tool user create john4 Skuska. --uid=john4 --uid-number=3004 --gid-number=2004 --given-name=John4 --surname=Wick --department=IT4 --script-path=IT4.bat
User 'john4' added successfully
root@dc-ads2:/tmp# wbinfo -i john4
ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
root@dc-ads2:/tmp# id john4
uid=3004(ADS2\john4) gid=100(users) groups=100(users),3000009(BUILTIN\users)
I added the user john4 to the group IT4:
root@dc-ads2:/tmp# samba-tool group addmembers IT4 john4
Added members to group IT4
I changed the user's primary group to the previously created group IT4.
root@dc-ads2:/tmp# samba-tool user setprimarygroup john4 IT4
Changed primary group to 'IT4'
The attributes of the user john4 are now:
dn: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John4 Wick
sn: Wick
givenName: John4
instanceType: 4
whenCreated: 20240823105419.0Z
displayName: John4 Wick
uSNCreated: 4180
department: IT4
name: John4 Wick
objectGUID: 55fb6813-1f12-4955-b009-6840ae0f370b
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: IT4.bat
objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: john4
sAMAccountType: 805306368
userPrincipalName: john4@ads2.ses.sk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ads2,DC=ses,DC=sk
uid: john4
uidNumber: 3004
gidNumber: 2004
pwdLastSet: 133688840595194710
userAccountControl: 512
memberOf: CN=Domain Users,CN=Users,DC=ads2,DC=ses,DC=sk
primaryGroupID: 1110
whenChanged: 20240823105847.0Z
uSNChanged: 4187
distinguishedName: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
wbinfo and id now provide the following information:
root@dc-ads2:/tmp# wbinfo -i john4
ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
root@dc-ads2:/tmp# id john4
uid=3004(ADS2\john4) gid=100(users) groups=100(users),2004(ADS2\it4),3000009(BUILTIN\users)
Question 2:
john4 has had its primaryGroupID changed to 1110 (IT4). Why hasn't the primary group changed in the wbinfo output?
I logged in to Linux as john4 through another terminal (PuTTY).
And now, wbinfo and id start showing different values (the ones I want).
root@dc-ads2:/tmp# wbinfo -i john4
ADS2\john4:*:3004:2004:John4 Wick:/home/ADS2/john4:/bin/bash
root@dc-ads2:/tmp# id john4
uid=3004(ADS2\john4) gid=2004(ADS2\it4) groups=2004(ADS2\it4),100(users),3000009(BUILTIN\users)
Question 3:
Why does the primary group change when I log in interactively? How can I configure Samba/Winbind to provide the correct values without needing to log in?
Thanks in advance
Ivan Novosad
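As an added illustration (not part of Ivan's post or of Samba), a small Python check that parses the LDAP attributes and the `wbinfo -i` output quoted above, derives the SID of the primary group from objectSid plus primaryGroupID, and flags when the gid winbind reports differs from the rfc2307 gidNumber stored in AD. The sample strings are copied from the post; the function names are my own.

```python
# Constructed from the attribute dump and wbinfo output quoted in the post.
LDIF = """\
objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
uidNumber: 3004
gidNumber: 2004
primaryGroupID: 1110
sAMAccountName: john4
"""
# wbinfo -i john4 before and after the interactive login described in the post
WBINFO_BEFORE = "ADS2\\john4:*:3004:100::/home/ADS2/john4:/bin/bash"
WBINFO_AFTER = "ADS2\\john4:*:3004:2004:John4 Wick:/home/ADS2/john4:/bin/bash"


def parse_ldif(text):
    """Return a dict of single-valued attributes from a flat LDIF record."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def primary_group_sid(attrs):
    """primaryGroupID is only a RID: the group SID is the user's domain SID
    (objectSid with its own RID removed) followed by that RID."""
    domain_sid = attrs["objectSid"].rsplit("-", 1)[0]
    return f"{domain_sid}-{attrs['primaryGroupID']}"


def parse_wbinfo_passwd(line):
    """Split a `wbinfo -i` passwd-style line into its seven fields."""
    name, _pw, uid, gid, gecos, home, shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def check_primary_gid(attrs, wbinfo_line):
    """Compare the gid winbind reports with the gidNumber stored in AD.
    A mismatch means the NSS view and the directory disagree on the
    user's primary group, which is exactly the symptom in the post."""
    expected = int(attrs["gidNumber"])
    reported = parse_wbinfo_passwd(wbinfo_line)["gid"]
    return {"expected_gid": expected, "reported_gid": reported,
            "consistent": expected == reported}


if __name__ == "__main__":
    attrs = parse_ldif(LDIF)
    print("primary group SID:", primary_group_sid(attrs))
    print("before login:", check_primary_gid(attrs, WBINFO_BEFORE))
    print("after login: ", check_primary_gid(attrs, WBINFO_AFTER))
```

Running the same comparison against live `wbinfo -i` and `ldbsearch` output on a DC gives a quick way to spot users whose cached primary gid has drifted from the directory.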