[Samba] primary group for AD accounts

Rowland Penny rpenny at samba.org
Tue Jun 18 11:38:53 UTC 2024


On Tue, 18 Jun 2024 13:24:00 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> On Tue, 2024-06-18 at 06:24 +0100, Rowland Penny via samba wrote:
> > On Mon, 17 Jun 2024 22:29:26 +0200
> > Pavel Lisý via samba <samba at lists.samba.org> wrote:
> > 
> > > Hello
> > > 
> > > I have a testing environment with 2 DC servers and 2 member servers.
> > > There is one thing which I don't understand.
> > > 
> > > On the DC, the "Domain Users" group shows a different gid:
> > > 
> > > for "samba-tool" the gidNumber is 513 in LDAP,
> > > but "getent group" or "getent passwd" shows 100.
> > > 
> > > $ sudo samba-tool group show 'domain users'
> > > dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > > objectClass: top
> > > objectClass: group
> > > cn: Domain Users
> > > description: All domain users
> > > instanceType: 4
> > > whenCreated: 20240520145130.0Z
> > > uSNCreated: 3885
> > > name: Domain Users
> > > objectGUID: 72200ac6-12aa-4da5-b3bf-3df97371fd36
> > > objectSid: S-1-5-21-716648387-301587334-1432759742-513
> > > sAMAccountName: Domain Users
> > > sAMAccountType: 268435456
> > > groupType: -2147483646
> > > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=office,DC=company,DC=com
> > > isCriticalSystemObject: TRUE
> > > memberOf: CN=Users,CN=Builtin,DC=office,DC=company,DC=com
> > > gidNumber: 513
> > > whenChanged: 20240615165133.0Z
> > > uSNChanged: 4608
> > > distinguishedName: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > > 
> > > 
> > > 
> > > $ getent group | grep -i users
> > > users:x:100:
> > > BUILTIN\users:x:3000009:
> > > BUILTIN\remote desktop users:x:3000023:
> > > BUILTIN\performance monitor users:x:3000026:
> > > BUILTIN\performance log users:x:3000027:
> > > BUILTIN\distributed com users:x:3000030:
> > > OFFICE\domain users:x:100:
> > > OFFICE\protected users:x:3000043:
> > > 
> > > $ getent passwd
> > > OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
> > > OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
> > > OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
> > > OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash
> > > OFFICE\koksy:*:3001:100::/home/OFFICE/koksy:/bin/bash
> > > OFFICE\lupo:*:3002:100::/home/OFFICE/lupo:/bin/bash
> > > 
> > > How could that be possible?
> > > 
> > > Pavel
> > 
> > I am fairly sure what is going on here, but to confirm it, can you
> > please post the output of 'samba-tool testparm' when run on the DCs
> > (both of them) and the output of 'testparm -s' when run on the Unix
> > domain members (if they are both the same, we only need one).
> I'm not able to send it now, as I have the test env on a different
> computer; I will send it later today.
> 
> But to be clear, all listings above are from first DC only
> 
> I don't have problems with the members, as on them I can configure
> winbind and it seems to react correctly to changes.
> 
> Pavel
> 
> 

I need to see the information I asked for; that way I can give a
definitive answer. What I can say is that using the RID for Domain
Users as its gidNumber isn't a good idea.

Rowland
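
A quick consistency check for the situation discussed in this thread, added here as an example and not part of the original posts or of Samba itself: it compares the gidNumber stored in AD with the gid that NSS (winbind) actually hands out, and flags the two things a practitioner would want to know before touching smb.conf. The input is constructed sample data that mirrors the poster's listings (the "Domain Admins" row with gidNumber 10000 is an assumed, consistent mapping added for contrast, not something from the thread); on a real DC you would feed it the output of `samba-tool group show` and `getent group` instead. The RID-AS-GID verdict only reports the pattern Rowland warns about; it does not decide what the correct gidNumber should be.

```shell
#!/bin/sh
# Constructed sample data (not captured from the poster's DC).
# AD side, one group per line, as reported by "samba-tool group show":
#   name|gidNumber|RID      (gidNumber left empty when the attribute is unset)
AD_GROUPS='Domain Users|513|513
Protected Users||525
Domain Admins|10000|512'

# NSS side on the same DC, in "getent group" format (winbind view).
NSS_GROUPS='users:x:100:
OFFICE\domain users:x:100:
OFFICE\protected users:x:3000043:
OFFICE\domain admins:x:10000:'

# Local accounts from /etc/group on the same host.
LOCAL_GROUPS='root:x:0:
users:x:100:'

# Print one report line per AD group:
#   <name> ldap=<gidNumber or -> nss=<gid or -> <verdict[,verdict...]>
# Verdicts:
#   MISMATCH      gidNumber is set in AD but NSS returns a different gid
#   NO-GIDNUMBER  the group has no gidNumber, NSS gid comes from idmap allocation
#   RID-AS-GID    gidNumber equals the group's RID (the pattern warned about above)
#   LOCAL-CLASH   the gid NSS returns is also a local /etc/group gid
check_group_mapping() {
    {
        printf '%s\n' "$AD_GROUPS"    | sed 's/^/AD|/'
        printf '%s\n' "$NSS_GROUPS"   | sed 's/^/NSS|/'
        printf '%s\n' "$LOCAL_GROUPS" | sed 's/^/LOCAL|/'
    } | awk -F'|' '
        $1 == "NSS" {
            # Strip the "WORKGROUP\" prefix winbind adds, key by lower-case name.
            split($2, f, ":"); n = f[1]
            i = index(n, "\\"); if (i) n = substr(n, i + 1)
            nss[tolower(n)] = f[3]; next
        }
        $1 == "LOCAL" { split($2, f, ":"); local[f[3]] = f[1]; next }
        $1 == "AD"    { ad[++na] = $2; gid[$2] = $3; rid[$2] = $4; next }
        END {
            for (k = 1; k <= na; k++) {
                name = ad[k]; key = tolower(name); ldap = gid[name]
                got = (key in nss) ? nss[key] : "-"
                v = "OK"
                if (ldap == "")        v = "NO-GIDNUMBER"
                else if (ldap != got)  v = "MISMATCH"
                if (ldap != "" && ldap == rid[name]) v = v ",RID-AS-GID"
                if (got in local)      v = v ",LOCAL-CLASH(" local[got] ")"
                printf "%s ldap=%s nss=%s %s\n", name, (ldap == "" ? "-" : ldap), got, v
            }
        }'
}

# Return only the verdict column for one AD group name.
verdict_for() {
    check_group_mapping | while IFS= read -r line; do
        case "$line" in
            "$1 ldap="*) printf '%s\n' "${line##* }" ;;
        esac
    done
}

check_group_mapping
```

Run as-is to see the report for the sample; to use it on a real host, replace the three variables with `samba-tool group show` output reduced to name, gidNumber and the last component of objectSid, plus the literal output of `getent group` and `cat /etc/group`. A MISMATCH on the DC together with a clean result on the members is exactly the split the poster describes, and it is the smb.conf idmap settings Rowland asked for that decide which side wins.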
