[Samba] Very strange: Samba is unable to access one of its own files

Rowland Penny rpenny at samba.org
Fri Nov 15 16:05:48 UTC 2024


On Fri, 15 Nov 2024 10:18:53 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/14/24 11:35, Rowland Penny via samba wrote:
> > ... I suggest you set a gidNumber on Domain Users, just in
> > case you decide to run a Unix domain member in future with the 'ad'
> > idmap backend.
> >
> > This is from one of my DCs with 'template shell = /bin/bash' set:
> >
> > adminuser at tmpdc1:~ $ getent passwd rowland
> > SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
> 
> Does this mean that you do not have a GID=100 group in your tmpdc1 
> /etc/groups file, thus it can be used as the "Domain Users" GID?

Yes and no ;-)

Samba, on a DC, automatically maps three users/groups to Unix system
users/groups:

Administrator, RID 500 is mapped to '0', aka 'root'
ANONYMOUS, SID S-1-5-7 is mapped to '65534', aka 'guest'
Domain Users, RID 513 is mapped to '100', aka 'users'

I do not use the 'ad' idmap backend on Unix domain members, I use the
'rid' idmap backend. This calculates the Unix IDs from the RID + the
low range set in the smb.conf file, in my case 10000.

So the '100' you see on a DC becomes:

513 + 10000 = 10513

on a Unix domain member:
getent group Domain\ Users
domain users:x:10513

While on a DC, I get this:

getent group Domain\ Users
SAMDOM\domain users:x:100:

> 
> Is it correct to use
> 
>       ldbedit -H /var/lib/samba/private/sam.ldb
> '(sAMAccountName=Domain Users)'
> 
> to add the gidNumber?

Yes, another way would be to use samba-tool:

samba-tool group addunixattrs --help

Just run the above command for information how to use it.

Rowland
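The calculation Rowland describes (the 'rid' backend deriving a Unix ID from the RID plus the low end of the configured range, versus the DC's fixed mappings for Administrator, ANONYMOUS and Domain Users), worked through as an added example. This is not code from the Samba project or from the list post: the smb.conf fragment, the domain SID and the RID 1105 used below are constructed, the domain name SAMDOM and the 10000 low range are taken from the thread, and the formula ID = RID - BASE_RID + LOW_RANGE_ID is the one documented for idmap_rid.

```python
"""Added example: how a 'rid' idmap domain member and a Samba DC each turn a
SID into a Unix ID, and why 'Domain Users' is 100 on the DC but 10513 on the
member.  Not Samba code; smb.conf text and SIDs below are constructed."""
import re

# Constructed smb.conf fragment for a Unix domain member (assumed domain
# name SAMDOM; the 10000 low range is the value quoted in the thread).
MEMBER_SMB_CONF = """\
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
"""

# Constructed domain SID (not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Fixed mappings a Samba DC applies, as described in the post.
DC_FIXED_BY_RID = {500: 0, 513: 100}        # Administrator -> root, Domain Users -> users
DC_FIXED_BY_SID = {"S-1-5-7": 65534}        # ANONYMOUS -> guest/nobody

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.MULTILINE)


def parse_idmap_config(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for m in _IDMAP_RE.finditer(conf):
        entry = cfg.setdefault(m["dom"], {})
        if m["key"] == "range":
            low, high = (int(x) for x in m["val"].split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = m["val"]
    return cfg


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range,
    which is when winbind refuses to map the SID at all."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_on_member(sid, conf=MEMBER_SMB_CONF, domain="SAMDOM",
                      domain_sid=DOMAIN_SID):
    """Unix ID a 'rid'-backend domain member hands out for a SID of its own domain."""
    if not sid.startswith(domain_sid + "-"):
        return None  # well-known or foreign SID: not handled by this domain's backend
    entry = parse_idmap_config(conf).get(domain)
    if not entry or entry.get("backend") != "rid":
        raise ValueError(f"no 'rid' idmap config for {domain}")
    low, high = entry["range"]
    return rid_to_unix_id(rid_of(sid), low, high)


def unix_id_on_dc(sid, domain_sid=DOMAIN_SID, gid_number=None):
    """Unix ID on a DC: the fixed mapping for the three well-known accounts,
    otherwise the gidNumber/uidNumber stored in AD (if any).  None means the
    DC would allocate an xidNumber from idmap.ldb (like the 3000020 uid in
    the thread), which cannot be predicted from the SID alone."""
    if sid in DC_FIXED_BY_SID:
        return DC_FIXED_BY_SID[sid]
    if sid.startswith(domain_sid + "-") and rid_of(sid) in DC_FIXED_BY_RID:
        return DC_FIXED_BY_RID[rid_of(sid)]
    return gid_number


if __name__ == "__main__":
    dom_users = f"{DOMAIN_SID}-513"
    print("Domain Users on DC:    ", unix_id_on_dc(dom_users))      # 100
    print("Domain Users on member:", unix_id_on_member(dom_users))  # 10513
```

The out-of-range branch is the one to keep in mind when sizing `idmap config ... : range`: a RID larger than (high - low) produces no mapping at all rather than a wrong one, so a tight range silently breaks access for newer accounts.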
