[Samba] Very strange: Samba is unable to access one of its own files
Rowland Penny
rpenny at samba.org
Fri Nov 15 16:05:48 UTC 2024
On Fri, 15 Nov 2024 10:18:53 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/14/24 11:35, Rowland Penny via samba wrote:
> > ... I suggest you set a gidNumber on Domain Users, just in
> > case you decide to run a Unix domain member in future with the 'ad'
> > idmap backend.
> >
> > This is from one of my DCs with 'template shell = /bin/bash' set:
> >
> > adminuser at tmpdc1:~ $ getent passwd rowland
> > SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
>
> Does this mean that you do not have a GID=100 group in your tmpdc1
> /etc/groups file, thus it can be used as the "Domain Users" GID?
Yes and no ;-)

Samba, on a DC, automatically maps three users/groups to Unix system
users/groups:

Administrator, RID 500 is mapped to '0', aka 'root'
ANONYMOUS, SID S-1-5-7 is mapped to '65534', aka 'guest'
Domain Users, RID 513 is mapped to '100', aka 'users'

I do not use the 'ad' idmap backend on Unix domain members, I use the
'rid' idmap backend, this calculates the Unix IDs from the RID + the
low range set in the smb.conf file, in my case 10000.

So the '100' you see on a DC becomes:

513 + 1000 = 10513

on a Unix domain member:

getent group Domain\ Users
domain users:x:10513

While on a DC, I get this:

getent group Domain\ Users
SAMDOM\domain users:x:100:
>
> Is it correct to use
>
> ldbedit -H /var/lib/samba/private/sam.ldb
> '(sAMAccountName=Domain Users)'
>
> to add the gidNumber?
Yes, another way would be to use samba-tool:

samba-tool group addunixattrs --help

Just run the above command for information on how to use it.
Rowland
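
The 'rid' backend mapping described in the message above, as an added example that is not part of the original post or of Samba's code. It reads the idmap lines from an smb.conf fragment and applies the formula given in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, treating any result outside the configured range as unmapped. The high end of the range, the '*' default domain lines and the domain SID are constructed assumptions; only the low range 10000 and the SAMDOM name come from the thread.

```python
import re

# Constructed smb.conf fragment for a Unix domain member (assumed values
# except the SAMDOM name and the low range of 10000).
SMB_CONF = """\
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed placeholder, not a real domain SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

_IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def rid_ranges(conf_text):
    """Return {domain: (low, high, base_rid)} for domains using the rid backend."""
    opts = {}
    for line in conf_text.splitlines():
        m = _IDMAP.match(line)
        if m:
            opts.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    result = {}
    for domain, o in opts.items():
        if o.get("backend") == "rid" and "range" in o:
            low, high = (int(part) for part in o["range"].split("-"))
            result[domain] = (low, high, int(o.get("base_rid", 0)))
    return result


def sid_to_unix_id(sid, domain_sid, low, high, base_rid=0):
    """Map a domain SID to a Unix ID, or None if it cannot be mapped."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        return None  # SID belongs to another domain (or is a well-known SID)
    unix_id = int(rid) - base_rid + low
    # IDs that fall outside the configured range are left unmapped.
    return unix_id if low <= unix_id <= high else None


def unix_id_to_rid(unix_id, low, high, base_rid=0):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    return unix_id + base_rid - low if low <= unix_id <= high else None
```

Because the mapping is pure arithmetic on the range, every member using the same range produces the same ID for a given RID, while a changed low range shifts every ID and leaves existing file ownership pointing at the old numbers.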