[Samba] primary group for AD accounts

pavel.lisy at gmail.com
Sat Jun 22 18:12:14 UTC 2024


Hi

I've just recreated whole environment and after DC provision
 group "domain users" has gid 100

getent passwd
OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash

getent group
...
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000001:
BUILTIN\guests:x:3000002:
BUILTIN\account operators:x:3000009:
BUILTIN\server operators:x:3000010:
BUILTIN\print operators:x:3000011:
BUILTIN\backup operators:x:3000012:
BUILTIN\replicator:x:3000013:
BUILTIN\pre-windows 2000 compatible access:x:3000014:
BUILTIN\remote desktop users:x:3000015:
BUILTIN\network configuration operators:x:3000016:
BUILTIN\incoming forest trust builders:x:3000017:
BUILTIN\performance monitor users:x:3000018:
BUILTIN\performance log users:x:3000019:
BUILTIN\windows authorization access group:x:3000020:
BUILTIN\terminal server license servers:x:3000021:
BUILTIN\distributed com users:x:3000022:
BUILTIN\iis_iusrs:x:3000023:
BUILTIN\cryptographic operators:x:3000024:
BUILTIN\event log readers:x:3000025:
BUILTIN\certificate service dcom access:x:3000026:
OFFICE\cert publishers:x:3000027:
OFFICE\ras and ias servers:x:3000028:
OFFICE\allowed rodc password replication group:x:3000029:
OFFICE\denied rodc password replication group:x:3000030:
OFFICE\dnsadmins:x:3000031:
OFFICE\enterprise read-only domain controllers:x:3000032:
OFFICE\domain admins:x:3000033:
OFFICE\domain users:x:100:
OFFICE\domain guests:x:3000004:
OFFICE\domain computers:x:3000034:
OFFICE\domain controllers:x:3000035:
OFFICE\schema admins:x:3000036:
OFFICE\enterprise admins:x:3000037:
OFFICE\group policy creator owners:x:3000038:
OFFICE\read-only domain controllers:x:3000039:
OFFICE\protected users:x:3000040:
OFFICE\dnsupdateproxy:x:3000041:


Can somebody explain to me:
Is this the intended configuration (normal behaviour) or is there something
wrong?

Now I remembered why I've tried to change it to something known to me (gid:
513)

Pavel

On Tue, 2024-06-18 at 15:36 +0100, Rowland Penny via samba wrote:
> On Tue, 18 Jun 2024 15:25:03 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
> 
> > 
> > on DC - dc31:
> > -------------
> > $ sudo samba-tool testparm
> > 
> > INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #96: Loaded smb config files from
> > /etc/samba/smb.conf
> > INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Press enter to see a dump of your service definitions
> > 
> > # Global parameters
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 127.0.0.53
> 
> What is '127.0.0.53' ?
> I would expect an external (external to office.company.com) dns
> server,
> such as googles 8.8.8.8
> 
> > interfaces = lo enp1s0
> > netbios name = DC31
> > realm = OFFICE.COMPANY.COM
> > server role = active directory domain controller
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
> 
> You should only have the 'winbind enum' lines for testing purposes,
> they can slow things down in production.
> 
> > workgroup = OFFICE
> > idmap_ldb:use rfc2307 = yes
> > 
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> > 
> > [netlogon]
> > path = /var/lib/samba/sysvol/office.company.com/scripts
> > read only = No
> > 
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
> 
> This is a DC, you must set the permissions from Windows, therefore the
> 'inherit acls' and 'valid users' lines shouldn't be used.
> 
> > 
> > 
> > on DC - dc31:
> > -------------
> > $ sudo testparm -s
> 
> No, you should have used 'samba-tool testparm', I know it is a bit
> confusing, but it is 'samba-tool testparm' on Samba AD DCs and
> 'testparm -s' on everything else.
> 
> > 
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> > fallback)
> > 
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> > 
> > # Global parameters
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 127.0.0.53
> > interfaces = lo enp1s0
> > passdb backend = samba_dsdb
> > realm = OFFICE.COMPANY.COM
> > server role = active directory domain controller
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > workgroup = OFFICE
> > rpc_server:tcpip = no
> > rpc_daemon:spoolssd = embedded
> > rpc_server:spoolss = embedded
> > rpc_server:winreg = embedded
> > rpc_server:ntsvcs = embedded
> > rpc_server:eventlog = embedded
> > rpc_server:srvsvc = embedded
> > rpc_server:svcctl = embedded
> > rpc_server:default = external
> > winbindd:use external pipes = true
> > idmap_ldb:use rfc2307 = yes
> > idmap config * : backend = tdb
> > map archive = No
> > vfs objects = dfs_samba4 acl_xattr
> > 
> > 
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> > 
> > 
> > [netlogon]
> > path = /var/lib/samba/sysvol/office.company.com/scripts
> > read only = No
> > 
> > 
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
> 
> Same comments as the other DC.
> 
> > 
> > 
> > on member - smbubu48:
> > 
> > ---------------------
> > $ sudo samba-tool testparm
> > 
> > INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #96: Loaded smb config files from
> > /etc/samba/smb.conf
> > INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Press enter to see a dump of your service definitions
> > 
> > # Global parameters
> > [global]
> > log level = 0
> > netbios name = SMBUBU48
> > realm = OFFICE.COMPANY.COM
> > security = DOMAIN
> 
> Sorry but that is wrong, it should be 'security = ADS'
> 
> > server role = member server
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
> 
> Same comment as the DCs
> 
> > winbind rpc only = Yes
> 
> I would remove the line above.
> 
> > winbind use default domain = Yes
> > workgroup = OFFICE
> > idmap config office : unix_primary_group = yes
> > idmap config office : unix_nss_info = yes
> > idmap config office : range = 1000-9999
> 
> The gidNumber you gave Domain Users (513) is outside the OFFICE range,
> so all your users will probably be getting IDs in the 10000-19999 range.
> 
> > idmap config office : schema_mode = rfc2307
> > idmap config office : backend = ad
> > idmap config * : range = 10000-19999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> > 
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
> > 
> > 
> > on member - smbubu48:
> > ---------------------
> > sudo testparm -s
> > 
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> > fallback)
> > 
> > Server role: ROLE_DOMAIN_MEMBER
> > 
> > # Global parameters
> > [global]
> > kdc enable fast = No
> > realm = OFFICE.COMPANY.COM
> > security = DOMAIN
> > server role = member server
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind rpc only = Yes
> > winbind use default domain = Yes
> > workgroup = OFFICE
> > idmap config office : unix_primary_group = yes
> > idmap config office : unix_nss_info = yes
> > idmap config office : range = 1000-9999
> > idmap config office : schema_mode = rfc2307
> > idmap config office : backend = ad
> > idmap config * : range = 10000-19999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> > 
> > 
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
> > 
> 
> same comments as the other Unix domain member.
> 
> If you use the 'ad' idmap backend, then the uidNumber & gidNumber
> attributes you add to AD will be used instead of the IDs allocated
> (on a first come basis) in idmap.ldb. However, they may not be used
> straight after you add them until you run 'net cache flush'.
> 
> Whatever Unix IDs you add to AD, the 'OFFICE' range in the Unix domain
> members must reflect this, so as you appear to have given Domain Users
> the gidNumber '513', the range line in your Unix domain members should
> look something like this:
> 
> idmap config office : range = 500-9999
> 
> Which will mean that you cannot have any local Unix users except for
> root, so what happens if something goes wrong with AD and you need to
> login as a local Unix user ?
> 
> I think you need to read this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> Also as you do not seem to be using Unix home directories etc from AD,
> you might want to consider using the 'rid' idmap backend, that way you
> do not need to add anything extra to AD.
> 
> Rowland
> 
