[Samba] primary group for AD accounts

pavel.lisy at gmail.com pavel.lisy at gmail.com
Tue Jun 18 13:25:03 UTC 2024


On Tue, 2024-06-18 at 12:38 +0100, Rowland Penny via samba wrote:
> On Tue, 18 Jun 2024 13:24:00 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
> 
> > On Tue, 2024-06-18 at 06:24 +0100, Rowland Penny via samba wrote:
> > > On Mon, 17 Jun 2024 22:29:26 +0200
> > > Pavel Lisý via samba <samba at lists.samba.org> wrote:
> > > 
> > > > Hello
> > > > 
> > > > I have testing environment with 2 DC servers and 2 member
> > > > servers.
> > > > There is one thing which I don't understand.
> > > > 
> > > > On DC "Domain Users" group shows different gid
> > > > 
> > > > for "samba-tool" there is GID 513 in LDAP
> > > > but "getent group" or "getent passwd" shows 100
> > > > 
> > > > $ sudo samba-tool group show 'domain users'
> > > > dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > > > objectClass: top
> > > > objectClass: group
> > > > cn: Domain Users
> > > > description: All domain users
> > > > instanceType: 4
> > > > whenCreated: 20240520145130.0Z
> > > > uSNCreated: 3885
> > > > name: Domain Users
> > > > objectGUID: 72200ac6-12aa-4da5-b3bf-3df97371fd36
> > > > objectSid: S-1-5-21-716648387-301587334-1432759742-513
> > > > sAMAccountName: Domain Users
> > > > sAMAccountType: 268435456
> > > > groupType: -2147483646
> > > > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=office,DC=company,DC=com
> > > > isCriticalSystemObject: TRUE
> > > > memberOf: CN=Users,CN=Builtin,DC=office,DC=company,DC=com
> > > > gidNumber: 513
> > > > whenChanged: 20240615165133.0Z
> > > > uSNChanged: 4608
> > > > distinguishedName: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > > > 
> > > > 
> > > > 
> > > > $ getent group | grep -i users
> > > > users:x:100:
> > > > BUILTIN\users:x:3000009:
> > > > BUILTIN\remote desktop users:x:3000023:
> > > > BUILTIN\performance monitor users:x:3000026:
> > > > BUILTIN\performance log users:x:3000027:
> > > > BUILTIN\distributed com users:x:3000030:
> > > > OFFICE\domain users:x:100:
> > > > OFFICE\protected users:x:3000043:
> > > > 
> > > > $ getent group
> > > > OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
> > > > OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
> > > > OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
> > > > OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash
> > > > OFFICE\koksy:*:3001:100::/home/OFFICE/koksy:/bin/bash
> > > > OFFICE\lupo:*:3002:100::/home/OFFICE/lupo:/bin/bash
> > > > 
> > > > How it could be possible?
> > > > 
> > > > Pavel
> > > 
> > > I am fairly sure what is going on here, but to confirm it, can you
> > > please post the output of 'samba-tool testparm' when run on the DCs
> > > (both of them) and the output of 'testparm -s' when run on the Unix
> > > domain members (if they are both the same, we only need one).
> > I'm not able to send it now as I have the test env on a different
> > computer; I will send it later today.
> > 
> > But to be clear, all listings above are from the first DC only.
> > 
> > I don't have problems with members, as on them I can configure winbind
> > and it seems to react correctly to changes.
> > 
> > Pavel
> > 
> > 
> 
> I need to see the information I asked for, that way I can give a
> definitive answer, but what I can say is that using the RID for Domain
> Users as its gidNumber isn't a good idea.
> 
> Rowland

on DC - dc31:
-------------
$ sudo samba-tool testparm

INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
	bind interfaces only = Yes
	dns forwarder = 127.0.0.53
	interfaces = lo enp1s0
	netbios name = DC31
	realm = OFFICE.COMPANY.COM
	server role = active directory domain controller
	template homedir = /home/%D/%U
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	workgroup = OFFICE
	idmap_ldb:use rfc2307 = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/office.company.com/scripts
	read only = No

[homes]
	comment = Home Directories
	inherit acls = Yes
	read only = No
	valid users = %S %D%w%S


on DC - dc31:
-------------
$ sudo testparm -s

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
	bind interfaces only = Yes
	dns forwarder = 127.0.0.53
	interfaces = lo enp1s0
	passdb backend = samba_dsdb
	realm = OFFICE.COMPANY.COM
	server role = active directory domain controller
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	workgroup = OFFICE
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	idmap_ldb:use rfc2307 = yes
	idmap config * : backend = tdb
	map archive = No
	vfs objects = dfs_samba4 acl_xattr


[sysvol]
	path = /var/lib/samba/sysvol
	read only = No


[netlogon]
	path = /var/lib/samba/sysvol/office.company.com/scripts
	read only = No


[homes]
	comment = Home Directories
	inherit acls = Yes
	read only = No
	valid users = %S %D%w%S


on member - smbubu48:
---------------------
$ sudo samba-tool testparm

INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
	log level = 0
	netbios name = SMBUBU48
	realm = OFFICE.COMPANY.COM
	security = DOMAIN
	server role = member server
	template homedir = /home/%D/%U
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind rpc only = Yes
	winbind use default domain = Yes
	workgroup = OFFICE
	idmap config office : unix_primary_group = yes
	idmap config office : unix_nss_info = yes
	idmap config office : range = 1000-9999
	idmap config office : schema_mode = rfc2307
	idmap config office : backend = ad
	idmap config * : range = 10000-19999
	idmap config * : backend = tdb
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr

[homes]
	comment = Home Directories
	inherit acls = Yes
	read only = No
	valid users = %S %D%w%S


on member - smbubu48:
---------------------
$ sudo testparm -s

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	kdc enable fast = No
	realm = OFFICE.COMPANY.COM
	security = DOMAIN
	server role = member server
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind rpc only = Yes
	winbind use default domain = Yes
	workgroup = OFFICE
	idmap config office : unix_primary_group = yes
	idmap config office : unix_nss_info = yes
	idmap config office : range = 1000-9999
	idmap config office : schema_mode = rfc2307
	idmap config office : backend = ad
	idmap config * : range = 10000-19999
	idmap config * : backend = tdb
	map acl inherit = Yes
	vfs objects = acl_xattr


[homes]
	comment = Home Directories
	inherit acls = Yes
	read only = No
	valid users = %S %D%w%S


that's all

Pavel
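Rowland's point about using the RID as the gidNumber, together with the member's `idmap config office : range = 1000-9999`, can be turned into a quick sanity check. This is an added example, not code from the thread or from Samba; the smb.conf and LDIF snippets are constructed from the values posted above, and it assumes idmap_ad's documented behaviour of ignoring uidNumber/gidNumber values that fall outside the configured range.

```python
"""Added example: check an AD group's gidNumber against a member's idmap range."""
import re

# Constructed from the member smbubu48's testparm output posted in the thread
SMB_CONF = """[global]
\tidmap config office : range = 1000-9999
\tidmap config office : backend = ad
\tidmap config * : range = 10000-19999
\tidmap config * : backend = tdb
"""

# Constructed from the 'samba-tool group show' output posted in the thread
LDIF = """dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
objectSid: S-1-5-21-716648387-301587334-1432759742-513
sAMAccountName: Domain Users
gidNumber: 513
"""

def idmap_ranges(conf):
    """Map each 'idmap config DOM : range = low-high' line to (low, high), keyed by DOM."""
    pat = r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, conf)}

def ldif_attr(ldif, name):
    """Return the value of the first 'name: value' line in an LDIF record, or None."""
    m = re.search(r"^%s:\s*(.+)$" % re.escape(name), ldif, re.M)
    return m.group(1).strip() if m else None

def check_group(ldif, conf, domain):
    """Return a list of findings for the group record against the domain's idmap range."""
    findings = []
    gid = ldif_attr(ldif, "gidNumber")
    sid = ldif_attr(ldif, "objectSid")
    if gid is None:
        return ["no gidNumber: a member using backend=ad cannot map this group"]
    gid = int(gid)
    low, high = idmap_ranges(conf)[domain.lower()]
    if not low <= gid <= high:  # assumption: idmap_ad ignores IDs outside its range
        findings.append(f"gidNumber {gid} is outside idmap range {low}-{high}; "
                        "idmap_ad ignores IDs outside its range")
    if sid and gid == int(sid.rsplit("-", 1)[1]):
        findings.append(f"gidNumber {gid} is the group's RID; choose a value in "
                        f"{low}-{high} instead")
    return findings

if __name__ == "__main__":
    for f in check_group(LDIF, SMB_CONF, "office"):
        print("WARNING:", f)
```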
