Christoph Peus
2007-Mar-24 10:14 UTC
[Samba] winbind: BUILTIN\users group gid 1001 conflict
Hi everybody,

I've joined a fileserver running samba 3.0.24 to an AD domain using winbind and noticed that samba maps the "users" group SID (5-1-5-32-545) to gid 1001 automatically. This seems to conflict with one of ~2000 mappings I had to "inject" in winbind's winbindd_idmap.tdb by use of net idmap dump/restore, because the fileserver had millions of files with certain uid/gid ownership from a local passwd/group before I did the "net ads join". The gid 1001 was allocated to the group "nawi" in /etc/group before.

I'm unsure now which problems could be caused by this regarding security.

Is it possible - and useful - to change this mapping to get a "BUILTIN\users" group as expected?

Thanks!

Regards
Christoph

lunkwill / # net groupmap list -v
Administrators
        SID       : S-1-5-32-544
        Unix gid  : 1000
        Unix group: BUILTIN\administrators
        Group type: Local Group
        Comment   :
Users
        SID       : S-1-5-32-545
        Unix gid  : 1001
        Unix group: nawi
        Group type: Local Group
        Comment   :
Sez Christoph Peus:
> Hi everybody,
>
> I've joined a fileserver running samba 3.0.24 to an AD domain using
> winbind and noticed that samba maps the "users" group SID (5-1-5-32-545)
> to gid 1001 automatically. This seems to conflict with one of ~2000
> mappings I had to "inject" in winbind's winbindd_idmap.tdb by use of net
> idmap dump/restore, because the fileserver had millions of files with
> certain uid/gid ownership from a local passwd/group before I did the
> "net ads join". The gid 1001 was allocated to the group "nawi" in
> /etc/group before.
> I'm unsure now which problems could be caused by this regarding security.
> Is it possible - and useful - to change this mapping to get a
> "BUILTIN\users" group as expected?
> Thanks!

Have you checked the "idmap" settings in your smb.conf? In particular, "idmap uid" and "idmap gid" specify the range of uid/gid values used to map to SIDs.
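An added example, not part of the original thread and not Samba's own code: a small audit that cross-checks the GID mappings in an idmap dump against /etc/group and against the "idmap gid" range, which is the kind of overlap discussed above. The "GID <gid> <SID>" dump line format, the range 10000-20000, and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample data (not from the thread). The dump format assumes the
# "GID <gid> <SID>" / "UID <uid> <SID>" lines printed by `net idmap dump`.
SAMPLE_IDMAP_DUMP = """\
USER HWM 10002
GROUP HWM 10003
GID 1000 S-1-5-32-544
GID 1001 S-1-5-32-545
GID 10002 S-1-5-21-1111111111-2222222222-3333333333-513
UID 10001 S-1-5-21-1111111111-2222222222-3333333333-1105
"""
SAMPLE_ETC_GROUP = """\
root:x:0:
nawi:x:1001:alice,bob
staff:x:1002:
"""

def parse_idmap_gids(dump_text):
    """Return {gid: sid} for every GID mapping line in an idmap dump."""
    gids = {}
    for line in dump_text.splitlines():
        m = re.match(r"^GID\s+(\d+)\s+(S-[\d-]+)\s*$", line)
        if m:
            gids[int(m.group(1))] = m.group(2)
    return gids

def parse_etc_group(group_text):
    """Return {gid: name} from /etc/group-style text."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[int(fields[2])] = fields[0]
    return groups

def audit(dump_text, group_text, idmap_gid_range):
    """List (gid, sid, problem) for mappings that collide with a local
    group or fall outside the configured "idmap gid" range."""
    low, high = idmap_gid_range
    local = parse_etc_group(group_text)
    findings = []
    for gid, sid in sorted(parse_idmap_gids(dump_text).items()):
        if gid in local:
            findings.append((gid, sid, "collides with local group " + local[gid]))
        if not low <= gid <= high:
            findings.append((gid, sid, "outside idmap gid range"))
    return findings
```

A collision finding means files owned by that local gid are also reachable by whoever holds the mapped SID, so each one deserves a manual look before the mapping is kept.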