[Samba] primary group for AD accounts

Rowland Penny rpenny at samba.org
Sat Jun 22 18:26:06 UTC 2024


On Sat, 22 Jun 2024 20:12:14 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> Hi
> 
> I've just recreated the whole environment and after DC provision
> the group "domain users" has gid 100
> 
> getent passwd
> OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
> OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
> OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
> OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash
> 
> getent group
> ...
> BUILTIN\administrators:x:3000000:
> BUILTIN\users:x:3000001:
> BUILTIN\guests:x:3000002:
> BUILTIN\account operators:x:3000009:
> BUILTIN\server operators:x:3000010:
> BUILTIN\print operators:x:3000011:
> BUILTIN\backup operators:x:3000012:
> BUILTIN\replicator:x:3000013:
> BUILTIN\pre-windows 2000 compatible access:x:3000014:
> BUILTIN\remote desktop users:x:3000015:
> BUILTIN\network configuration operators:x:3000016:
> BUILTIN\incoming forest trust builders:x:3000017:
> BUILTIN\performance monitor users:x:3000018:
> BUILTIN\performance log users:x:3000019:
> BUILTIN\windows authorization access group:x:3000020:
> BUILTIN\terminal server license servers:x:3000021:
> BUILTIN\distributed com users:x:3000022:
> BUILTIN\iis_iusrs:x:3000023:
> BUILTIN\cryptographic operators:x:3000024:
> BUILTIN\event log readers:x:3000025:
> BUILTIN\certificate service dcom access:x:3000026:
> OFFICE\cert publishers:x:3000027:
> OFFICE\ras and ias servers:x:3000028:
> OFFICE\allowed rodc password replication group:x:3000029:
> OFFICE\denied rodc password replication group:x:3000030:
> OFFICE\dnsadmins:x:3000031:
> OFFICE\enterprise read-only domain controllers:x:3000032:
> OFFICE\domain admins:x:3000033:
> OFFICE\domain users:x:100:
> OFFICE\domain guests:x:3000004:
> OFFICE\domain computers:x:3000034:
> OFFICE\domain controllers:x:3000035:
> OFFICE\schema admins:x:3000036:
> OFFICE\enterprise admins:x:3000037:
> OFFICE\group policy creator owners:x:3000038:
> OFFICE\read-only domain controllers:x:3000039:
> OFFICE\protected users:x:3000040:
> OFFICE\dnsupdateproxy:x:3000041:
> 
> 
> Can somebody explain to me:
> Is this intended configuration (normal behaviour) 

Yes, but only on a Samba AD DC.

> or is there
> something wrong?

No, but again, only on a DC.

This is from idmap.ldb on one of my DCs:

dn: CN=S-1-5-21-627072207-2265849604-124128874-513
cn: S-1-5-21-627072207-2265849604-124128874-513
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513

> 
> Now I remembered why I've tried to change it to something known to me
> (gid: 513)

Why such a low number (which is actually the RID)?

Rowland
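
The lookup discussed above, as an added example that is not part of the original message or of Samba's own code: it resolves each account's primary GID from `getent passwd` to the SID recorded in an idmap.ldb dump, showing that gid 100 is the xidNumber mapped to the SID whose RID is 513. The function names are hypothetical, and it assumes the sidMap records were dumped as LDIF (for example with ldbsearch) in the form quoted in the thread.

```python
# Sample inputs copied from the records quoted in this thread (trimmed).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-627072207-2265849604-124128874-513
cn: S-1-5-21-627072207-2265849604-124128874-513
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-513
"""

GETENT_PASSWD = """\
OFFICE\\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
OFFICE\\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
OFFICE\\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
"""

def parse_sidmap(ldif):
    """Return {(type, xid): sid} for every sidMap record in an LDIF dump."""
    mapping = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1)
                     for line in record.splitlines() if ": " in line)
        if attrs.get("objectClass") == "sidMap":
            key = (attrs["type"], int(attrs["xidNumber"]))
            mapping[key] = attrs["objectSid"]
    return mapping

def primary_group_sids(passwd, sidmap):
    """Map each account to the SID behind its primary GID (None if unmapped)."""
    result = {}
    for line in passwd.strip().splitlines():
        name, _pw, _uid, gid = line.split(":")[:4]
        gid = int(gid)
        # A GID can be stored as a group-only or a combined user/group mapping.
        result[name] = (sidmap.get(("ID_TYPE_GID", gid))
                        or sidmap.get(("ID_TYPE_BOTH", gid)))
    return result

def rid(sid):
    """The RID is the last sub-authority of a SID, not the Unix ID."""
    return int(sid.rsplit("-", 1)[1])

if __name__ == "__main__":
    sidmap = parse_sidmap(IDMAP_LDIF)
    for account, sid in primary_group_sids(GETENT_PASSWD, sidmap).items():
        print(account, "->", sid, "(RID %d)" % rid(sid) if sid else "")
```

Accounts whose primary GID has no record in the supplied dump (here `OFFICE\guest`, gid 3000012) come back as `None`, because only the one sidMap record from the thread is included.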


