On 15/03/2021 17:32, Oleg Blyahher via samba wrote:
> No, it currently has the gidNumber 544 (checked by running samba-tool
> group edit Administrators).
>
> What gid should it have otherwise? Something in the 5000-6000 range?

Perhaps I should have said "does the 'Administrators' group have a
gidNumber".

So, in the Administrators object in AD there is this line:

gidNumber: 544

If so, edit the group again and remove that line, 'Administrators'
should not have a gidNumber, it just turns 'Administrators' into a
group. You are probably now thinking 'What'? Administrators is a
group, well yes, but it is a Windows group and Windows groups can 'own'
things like a user, something that doesn't happen on Unix. To allow this
on a Samba DC (Administrators has to own things in Sysvol), groups are
mapped to 'ID_TYPE_BOTH' in idmap.ldb, giving a group a gidNumber breaks
this.

This applies to all the groups in the 'Well Known SIDs' (basically the
groups created by a provision), apart from Domain Users.

Rowland
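
The check described in the reply above, as an added example that is not part of the original message or of Samba's own code: it scans an LDIF export of group objects and lists provision-created groups that carry a gidNumber. Assumptions: the function names are hypothetical, the sample LDIF is constructed, objectSid appears in string form, and "created by a provision" is approximated as BUILTIN SIDs (S-1-5-32-*) plus domain RIDs below 1000.

```python
DOMAIN_USERS_RID = 513  # the one exception named in the reply
# Constructed sample export (not taken from a real domain).
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectClass: group
objectSid: S-1-5-32-544
gidNumber: 544

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 10001
"""

def parse_ldif(text):
    """Yield one dict of attribute -> list of values per LDIF entry."""
    # Unfold continuation lines (leading space), then split on blank lines.
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr, []).append(value)
        if entry:
            yield entry

def is_provisioned_sid(sid):
    """Assumption: BUILTIN SID, or a domain RID below 1000 other than 513."""
    rid = int(sid.rsplit("-", 1)[-1])
    return sid.startswith("S-1-5-32-") or (
        sid.startswith("S-1-5-21-") and rid < 1000 and rid != DOMAIN_USERS_RID)

def groups_with_unwanted_gid(text):
    """Return (dn, gidNumber) for provisioned groups that have a gidNumber."""
    hits = []
    for e in parse_ldif(text):
        if "group" not in e.get("objectClass", []) or "gidNumber" not in e:
            continue
        # Entries without a string-form objectSid fall back to a dummy SID.
        if is_provisioned_sid(e.get("objectSid", ["S-0-0"])[0]):
            hits.append((e["dn"][0], e["gidNumber"][0]))
    return hits
```

On the constructed sample only the Administrators entry is reported; Domain Users is exempt and the locally created group with RID 1105 is outside the provisioned range.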