[Samba] primary group for AD accounts

Rowland Penny rpenny at samba.org
Tue Jun 18 05:24:41 UTC 2024


On Mon, 17 Jun 2024 22:29:26 +0200
Pavel Lisý via samba <samba at lists.samba.org> wrote:

> Hello
> 
> I have a testing environment with 2 DC servers and 2 member servers.
> There is one thing which I don't understand.
> 
> On the DC, the "Domain Users" group shows a different GID
> 
> for "samba-tool" there is GID 513 in LDAP
> but "getent group" or "getent passwd" shows 100
> 
> $ sudo samba-tool group show 'domain users'
> dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> objectClass: top
> objectClass: group
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20240520145130.0Z
> uSNCreated: 3885
> name: Domain Users
> objectGUID: 72200ac6-12aa-4da5-b3bf-3df97371fd36
> objectSid: S-1-5-21-716648387-301587334-1432759742-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=office,DC=company,DC=com
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=office,DC=company,DC=com
> gidNumber: 513
> whenChanged: 20240615165133.0Z
> uSNChanged: 4608
> distinguishedName: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> 
> 
> 
> $ getent group | grep -i users
> users:x:100:
> BUILTIN\users:x:3000009:
> BUILTIN\remote desktop users:x:3000023:
> BUILTIN\performance monitor users:x:3000026:
> BUILTIN\performance log users:x:3000027:
> BUILTIN\distributed com users:x:3000030:
> OFFICE\domain users:x:100:
> OFFICE\protected users:x:3000043:
> 
> $ getent group
> OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
> OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
> OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
> OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash
> OFFICE\koksy:*:3001:100::/home/OFFICE/koksy:/bin/bash
> OFFICE\lupo:*:3002:100::/home/OFFICE/lupo:/bin/bash
> 
> How could it be possible?
> 
> Pavel

I am fairly sure what is going on here, but to confirm it, can you
please post the output of 'samba-tool testparm' when run on the DCs
(both of them) and the output of 'testparm -s' when run on the Unix
domain members (if they are both the same, we only need one).

Rowland


