[Samba] winbind gives wrong primary id group
Ivan Novosad
ivan_novosad at ses.sk
Mon Aug 26 12:18:31 UTC 2024
>> Hello,
>>
>> I have a fresh installation of samba 4.17.12+dfsg from apt on Debian 12.
>>
>> I made new domain ADS2
>> (https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller).
>> root at dc-ads2:/etc/samba# samba-tool domain provision --use-rfc2307
>> --realm=ADS2.SES.SK --domain=ads2 --server-role=dc
>> --dns-backend=BIND9_DLZ --adminpass=XXXXXXX
>>
>> In the future, I want to use IDMAP = ad, but for simplicity, I'm
>> currently using tdb.
>>
>> File /etc/samba/smb.conf:
>>
>> [global]
>> netbios name = DC-ADS2
>> realm = ADS2.SES.SK
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = ADS2
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/ads2.ses.sk/scripts
>> read only = No
>>
>>
>> After provisioning, there is only one user - administrator.
>> The command wbinfo displays the following information about the
>> administrator:
>> root at dc-ads2:/tmp# wbinfo -i administrator
>> ADS2\administrator:*:0:100::/home/ADS2/administrator:/bin/bash
>>
>> root at dc-ads2:/tmp# id administrator
>> uid=0(root) gid=100(users)
>> groups=0(root),100(users),3000006(ADS2\schema
>> admins),3000007(ADS2\enterprise admins),3000004(ADS2\domain
>> admins),3000008(ADS2\group policy creator owners),3000005(ADS2\denied
>> rodc password replication
>> group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>>
>>
>> Question 1:
>> Administrator has primaryGroupID = 513 (Domain users). Where, in which
>> file or directive, is the group 'Domain Users' mapped to the Linux
>> group 'Users (100)'?
>>
>>
>> I created a new group called IT4.
>> root at dc-ads2:/tmp# samba-tool group add IT4 --gid-number=2004
>> --nis-domain=ads2 --group-scope=Global --group-type=Security
>> --description=DomainUnixGroup
>> Added group IT4
>>
>> I created a new user called john4.
>> root at dc-ads2:/tmp# samba-tool user create john4 Skuska. --uid=john4
>> --uid-number=3004 --gid-number=2004 --given-name=John4 --surname=Wick
>> --department=IT4 --script-path=IT4.bat
>> User 'john4' added successfully
>>
>> root at dc-ads2:/tmp# wbinfo -i john4
>> ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
>> root at dc-ads2:/tmp# id john4
>> uid=3004(ADS2\john4) gid=100(users)
>> groups=100(users),3000009(BUILTIN\users)
>>
>>
>> I added the user john4 to the group IT4:
>> root at dc-ads2:/tmp# samba-tool group addmembers IT4 john4
>> Added members to group IT4
>>
>> I changed the user's primary group to the previously created group IT4.
>> root at dc-ads2:/tmp# samba-tool user setprimarygroup john4 IT4
>> Changed primary group to 'IT4'
>>
>> The attributes of the user john4 are now:
>> dn: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: John4 Wick
>> sn: Wick
>> givenName: John4
>> instanceType: 4
>> whenCreated: 20240823105419.0Z
>> displayName: John4 Wick
>> uSNCreated: 4180
>> department: IT4
>> name: John4 Wick
>> objectGUID: 55fb6813-1f12-4955-b009-6840ae0f370b
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> scriptPath: IT4.bat
>> objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: john4
>> sAMAccountType: 805306368
>> userPrincipalName: john4 at ads2.ses.sk
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ads2,DC=ses,DC=sk
>> uid: john4
>> uidNumber: 3004
>> gidNumber: 2004
>> pwdLastSet: 133688840595194710
>> userAccountControl: 512
>> memberOf: CN=Domain Users,CN=Users,DC=ads2,DC=ses,DC=sk
>> primaryGroupID: 1110
>> whenChanged: 20240823105847.0Z
>> uSNChanged: 4187
>> distinguishedName: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
>>
>> wbinfo and id now provide the following information:
>> root at dc-ads2:/tmp# wbinfo -i john4
>> ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
>> root at dc-ads2:/tmp# id john4
>> uid=3004(ADS2\john4) gid=100(users)
>> groups=100(users),2004(ADS2\it4),3000009(BUILTIN\users)
>>
>> Question 2:
>> john4 has had its primaryGroupID changed to 1110 (IT4). Why hasn't the
>> primary group changed in the wbinfo output?
>>
>> I logged in to Linux as john4 through another terminal (PuTTY).
>>
>> And now, wbinfo and id start showing different values (the ones I want).
>> root at dc-ads2:/tmp# wbinfo -i john4
>> ADS2\john4:*:3004:2004:John4 Wick:/home/ADS2/john4:/bin/bash
>> root at dc-ads2:/tmp# id john4
>> uid=3004(ADS2\john4) gid=2004(ADS2\it4)
>> groups=2004(ADS2\it4),100(users),3000009(BUILTIN\users)
>>
>> Question 3:
>> Why does the primary group change when I log in interactively? How can
>> I configure Samba/Winbind to provide the correct values without
>> needing to log in?
>>
>>
>> Thanks in advance
>> Ivan Novosad
>
>Before we get carried away here, can I ask a few questions?
>
>Do you have experience of setting up the old classic NT4-style domains (as in PDCs)?
Yes. We use Samba from version 3.0.2.
>Why do you want to change the user's primary group?
Every user has a primary group according to his department (in the case above, the user john4 belongs to department IT4).
On our file servers, we use the primary group to set permissions for certain shares. We also prefer that the primary group is set when a file is created, i.e.
-rw-r--r-- 1 ADS2\john4 ADS2\it4 5 2024-08-26 14:02 aaa.txt
In production, we use samba 4.4.3. There the command wbinfo gives correct information.
root at dc-ads:/usr/local# wbinfo -i jergus_lapin
ADS\jergus_lapin:*:11214:998008:Jergus Lapin:/home/ADS/jergus_lapin:/bin/false
On new DC3 (samba 4.17.12), wbinfo gives this:
root at dc3-ads:/etc/pam.d# wbinfo -i jergus_lapin
ADS\jergus_lapin:*:11214:513::/home/ADS/jergus_lapin:/bin/false
Since I didn't want to test in the production environment, I installed a clean setup with a new domain (ADS2 mentioned in the previous email) and I'm testing it there. I assume that once we resolve it on the clean installation, we'll configure it the same way in the production environment.
>Are you thinking of using the DC as a fileserver? (which isn't recommended).
No.
>
>Rowland
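As an added example (not code from the thread or from Samba itself), a small Python check that takes user and group LDIF like the dump above, derives the primary group's SID from the user's objectSid and primaryGroupID, and compares that group's gidNumber with the user's own gidNumber; the entries are constructed from the thread and IT4's objectSid (RID 1110) is assumed.

```python
# Added example, not code from the Samba thread above: check whether a user's
# RFC2307 gidNumber matches the gidNumber of the group its primaryGroupID
# names. primaryGroupID is only a RID; the group's SID is the domain part of
# the user's objectSid followed by that RID.

def parse_ldif(text):
    """Parse one minimal LDIF entry into {attribute: [values]}."""
    entry, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:           # folded continuation line
            entry[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    return entry

def primary_group_sid(user):
    """Domain SID (user's objectSid minus its trailing RID) + primaryGroupID."""
    domain_sid = user["objectSid"][0].rsplit("-", 1)[0]
    return f"{domain_sid}-{user['primaryGroupID'][0]}"

def check_primary_gid(user, groups):
    """Return (primary group gidNumber, user gidNumber, consistent?).
    No gidNumber on the primary group means there is no Unix gid to map to."""
    group = {g["objectSid"][0]: g for g in groups}.get(primary_group_sid(user))
    user_gid = int(user["gidNumber"][0]) if "gidNumber" in user else None
    if group is None or "gidNumber" not in group:
        return None, user_gid, False
    group_gid = int(group["gidNumber"][0])
    return group_gid, user_gid, group_gid == user_gid

# Constructed sample entries modelled on the thread; IT4's objectSid is
# assumed (its RID 1110 is what john4's primaryGroupID points at).
JOHN4 = parse_ldif("""\
objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
sAMAccountName: john4
uidNumber: 3004
gidNumber: 2004
primaryGroupID: 1110
""")
IT4 = parse_ldif("""\
objectSid: S-1-5-21-3810246146-2675359531-1496275737-1110
sAMAccountName: IT4
gidNumber: 2004
""")
```

Running `check_primary_gid(JOHN4, [IT4])` returns `(2004, 2004, True)`; a user whose primaryGroupID is 513 (Domain Users) with no gidNumber on that group returns `(None, 2004, False)`, which is the situation where winbind has no RFC2307 gid for the primary group.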