[Samba] Reported group membership is different between domain member and Samba ADC
Rowland Penny
rpenny at samba.org
Sat Feb 15 14:55:35 UTC 2025
On Sat, 15 Feb 2025 08:37:38 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 2/14/25 15:01, Rowland Penny via samba wrote:
> > On Fri, 14 Feb 2025 12:14:18 -0500
> > "John R. Graham via samba" <samba at lists.samba.org> wrote:
> >> On 2/14/25 11:22, Rowland Penny via samba wrote:
> >> So, for an undiagnosed reason, the effective domain membership does
> >> not include "domain admins" either.
> >>
> >> - John
> > OK, I will diagnose it ;-)
> >
> > open a terminal on the DC, enter 'man smb.conf', press enter and
> > then go to 'winbind expand groups', read that, it will explain why
> > you are not getting any group members.
> >
> > Rowland
>
> Ah. Thank you! On my domain controller "getent" now behaves as you
> predicted:
>
> dc1 ~ # getent group 'SAMDOM\domain admins'
> SAMDOM\domain admins:x:3000000:SAMDOM\administrator,SAMDOM\jgraham
> dc1 ~ # getent group SAMDOM\\wheel
> SAMDOM\wheel:x:11120:SAMDOM\jgraham
>
> and "su -" now works but "sudo su -" is still broken on my domain
> controller; both work on my domain members. Interestingly, "id" still
> doesn't report correct group membership on the DC but does on domain
> members. I'll look into what's different at the API level and report
> back.
>
> - John
First, why do you need to use 'su'? I never do, I just use 'sudo
<command>'.
There are differences between DCs and Unix domain members. DCs use
idmap.ldb and Unix domain members use 'idmap_***', where the '***' can
be any of the idmap backends, but usually ad, rid or autorid.
On a DC, if you have 'idmap_ldb:use rfc2307 = yes' in the smb.conf,
then running 'id' or 'getent' will return any uidNumber or gidNumber
attributes in AD; otherwise the xidNumber attributes allocated in
idmap.ldb (numbers in the '3000000' range) are returned. There are
three exceptions: the Administrator and guest users, which get the UIDs
'0' & '65534' (which are 'root' & 'nobody'), and the Domain Users group,
which gets GID '100' ('users').
On a Unix domain member, what gets returned depends on the idmap
backend used. If you use the 'ad' backend, you will get the values you
set in the uidNumber & gidNumber attributes in AD. If the 'rid' or
'autorid' backends are used, the IDs are calculated from the RID.
There is one 'gotcha' if using the 'ad' backend: never give 'Domain
Admins' a gidNumber attribute, it turns it into a Unix group. Now you
may think that is strange, but a Windows group can do something that a
Unix group cannot: it can own files & folders, and Domain Admins must
own things in sysvol; turning the Windows group 'Domain Admins' into
the Unix group 'Domain Admins' stops that.
You do not need to use the same backend on all domain members, Samba
maps Windows SIDs to local Unix IDs.
I hope that helps.
Rowland
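A small model of the two mapping paths Rowland describes, added here as an example; it is not part of the thread and not Samba's own code. The smb.conf fragments, the SAMDOM domain SID and the RIDs 1105/1106 are constructed; 500, 501, 513 and 512 are the real well-known RIDs of Administrator, Guest, Domain Users and Domain Admins. The rid arithmetic follows the idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID) with the default base rid of 0, and the DC's xidNumber allocation in idmap.ldb is reduced to a counter starting at 3000000.

```python
"""Model of the two ID-mapping paths in the thread: DC (idmap.ldb) versus
Unix domain member (idmap_ad / idmap_rid). Constructed illustration, not
Samba code. smb.conf fragments, the domain SID and RIDs 1105/1106 are made
up; 500/501/513/512 are the real well-known RIDs."""
import re

DC_FIXED_IDS = {500: 0, 501: 65534, 513: 100}  # Administrator, Guest, Domain Users
DOMAIN_ADMINS_RID = 512
XID_START = 3000000                             # first xidNumber idmap.ldb allocates
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

DC_SMB_CONF = """
[global]
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    winbind expand groups = 1
"""
RID_MEMBER_SMB_CONF = """
[global]
    security = ADS
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""
AD_MEMBER_SMB_CONF = RID_MEMBER_SMB_CONF.replace("backend = rid", "backend = ad")


def parse_global(text):
    """[global] options as a dict; keys lowercased with whitespace collapsed."""
    opts, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            opts[re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return opts


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


class DomainController:
    """DC path: fixed IDs for the well-known objects, then the rfc2307
    attribute if enabled and present, else an xidNumber from idmap.ldb."""

    def __init__(self, conf):
        self.use_rfc2307 = conf.get("idmap_ldb:use rfc2307", "no").lower() == "yes"
        self.expand_groups = int(conf.get("winbind expand groups", "0"))
        self.xids, self.next_xid = {}, XID_START  # stand-in for idmap.ldb

    def unix_id(self, sid, rfc2307_value=None):
        rid = rid_of(sid)
        if rid in DC_FIXED_IDS:
            return DC_FIXED_IDS[rid]
        if self.use_rfc2307 and rfc2307_value is not None:
            return rfc2307_value
        if sid not in self.xids:                  # allocate once and remember it
            self.xids[sid], self.next_xid = self.next_xid, self.next_xid + 1
        return self.xids[sid]

    def lists_group_members(self):
        """'winbind expand groups' defaults to 0: getent then shows no members."""
        return self.expand_groups >= 1


class Member:
    """Unix domain member path for one domain's 'idmap config' block."""

    def __init__(self, conf, domain):
        key = f"idmap config {domain.lower()} : "
        self.backend = conf.get(key + "backend", "tdb").lower()
        low, high = conf.get(key + "range", "0-0").split("-")
        self.low, self.high = int(low), int(high)

    def unix_id(self, sid, rfc2307_value=None):
        if self.backend == "ad":
            return rfc2307_value                  # None: winbind cannot map the object
        if self.backend == "rid":
            unix_id = self.low + rid_of(sid)      # idmap_rid: RID - BASE_RID(0) + LOW_RANGE_ID
            return unix_id if self.low <= unix_id <= self.high else None
        raise NotImplementedError(f"backend {self.backend!r} not modelled")

    def domain_admins_gotcha(self, gid_number):
        """True when 'Domain Admins' carries a gidNumber under the 'ad' backend:
        it then becomes a plain Unix group and can no longer own sysvol."""
        return self.backend == "ad" and gid_number is not None


if __name__ == "__main__":
    dc = DomainController(parse_global(DC_SMB_CONF))
    rid_member = Member(parse_global(RID_MEMBER_SMB_CONF), "SAMDOM")
    for name, rid, attr in [("administrator", 500, None), ("domain admins", 512, None),
                            ("domain users", 513, None), ("wheel", 1105, 11120)]:
        sid = f"{DOMAIN_SID}-{rid}"
        print(f"{name:15} DC={dc.unix_id(sid, attr):<8} rid member={rid_member.unix_id(sid)}")
```

Running it prints the DC and rid-member IDs side by side for the same SIDs, which is the mismatch John saw between 'id' on the DC and on a member. On a live system the equivalent check is 'wbinfo -S <sid>' and 'id <user>' on each box.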