[Samba] primary group for AD accounts

pavel.lisy at gmail.com
Tue Jun 18 11:24:00 UTC 2024


On Tue, 2024-06-18 at 06:24 +0100, Rowland Penny via samba wrote:
> On Mon, 17 Jun 2024 22:29:26 +0200
> Pavel Lisý via samba <samba at lists.samba.org> wrote:
> 
> > Hello
> > 
> > I have a testing environment with 2 DC servers and 2 member servers.
> > There is one thing which I don't understand.
> > 
> > On the DC, the "Domain Users" group shows a different gid
> > 
> > for "samba-tool" there is GID 513 in LDAP
> > but "getent group" or "getent passwd" shows 100
> > 
> > $ sudo samba-tool group show 'domain users'
> > dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > objectClass: top
> > objectClass: group
> > cn: Domain Users
> > description: All domain users
> > instanceType: 4
> > whenCreated: 20240520145130.0Z
> > uSNCreated: 3885
> > name: Domain Users
> > objectGUID: 72200ac6-12aa-4da5-b3bf-3df97371fd36
> > objectSid: S-1-5-21-716648387-301587334-1432759742-513
> > sAMAccountName: Domain Users
> > sAMAccountType: 268435456
> > groupType: -2147483646
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=office,DC=company,DC=com
> > isCriticalSystemObject: TRUE
> > memberOf: CN=Users,CN=Builtin,DC=office,DC=company,DC=com
> > gidNumber: 513
> > whenChanged: 20240615165133.0Z
> > uSNChanged: 4608
> > distinguishedName: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > 
> > 
> > 
> > $ getent group | grep -i users
> > users:x:100:
> > BUILTIN\users:x:3000009:
> > BUILTIN\remote desktop users:x:3000023:
> > BUILTIN\performance monitor users:x:3000026:
> > BUILTIN\performance log users:x:3000027:
> > BUILTIN\distributed com users:x:3000030:
> > OFFICE\domain users:x:100:
> > OFFICE\protected users:x:3000043:
> > 
> > $ getent group
> > OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
> > OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
> > OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
> > OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash
> > OFFICE\koksy:*:3001:100::/home/OFFICE/koksy:/bin/bash
> > OFFICE\lupo:*:3002:100::/home/OFFICE/lupo:/bin/bash
> > 
> > How could this be possible?
> > 
> > Pavel
> 
> I am fairly sure what is going on here, but to confirm it, can you
> please post the output of 'samba-tool testparm' when run on the DCs
> (both of them) and the output of 'testparm -s' when run on the Unix
> domain members (if they are both the same, we only need one).
I'm not able to send it now as I have the test env on a different computer;
I will send it later today.

But to be clear, all listings above are from the first DC only.

I don't have problems with members, as on them I can configure winbind
and it seems to react correctly to changes.

Pavel
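An added consistency check (my own example, not code from the thread or from Samba): it parses the two listings from the first DC and reports whether the gidNumber stored in AD matches the gid NSS returns for the same group. The sample text is constructed from the values shown above; the workgroup name "OFFICE" is taken from the listing.

```python
"""Compare the AD gidNumber of a group with the gid that NSS (winbind) reports.
The sample inputs below are constructed from the listings in the thread."""

# Constructed: trimmed 'samba-tool group show' output (LDIF-style "key: value" lines)
SAMBA_TOOL_OUTPUT = """dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
objectSid: S-1-5-21-716648387-301587334-1432759742-513
sAMAccountName: Domain Users
gidNumber: 513
"""

# Constructed: trimmed 'getent group' output from the same host
GETENT_GROUP_OUTPUT = """users:x:100:
BUILTIN\\users:x:3000009:
OFFICE\\domain users:x:100:
OFFICE\\protected users:x:3000043:
"""

def parse_samba_tool(text):
    """Return {attribute: value} from samba-tool's LDIF-style output.
    LDIF wraps long values onto continuation lines that start with a space; join them."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ": " in line:
            key, _, value = line.partition(": ")
            attrs[key], last = value, key
    return attrs

def parse_getent_group(text):
    """Return {group name (lower-cased): gid} from 'getent group' lines (name:x:gid:members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[fields[0].lower()] = int(fields[2])
    return groups

def check_group_gid(samba_tool_text, getent_text, workgroup):
    """Return (ad_gid, nss_gid, consistent) for the group in the samba-tool output.
    ad_gid is None when AD holds no gidNumber; nss_gid is None when NSS does not know the group."""
    attrs = parse_samba_tool(samba_tool_text)
    name = attrs["sAMAccountName"].lower()
    ad_gid = int(attrs["gidNumber"]) if "gidNumber" in attrs else None
    nss_gid = parse_getent_group(getent_text).get(f"{workgroup.lower()}\\{name}")
    return ad_gid, nss_gid, ad_gid is not None and ad_gid == nss_gid

if __name__ == "__main__":
    ad_gid, nss_gid, ok = check_group_gid(SAMBA_TOOL_OUTPUT, GETENT_GROUP_OUTPUT, "OFFICE")
    print(f"AD gidNumber={ad_gid} NSS gid={nss_gid} consistent={ok}")
```

Run the same check on every DC and member with the real command output substituted; a mismatch between hosts means files created on one server can end up owned by a different group on another.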