On 17/10/2022 04:25, Peter Carlson via samba wrote:
> I have a setup with about a dozen windows machines, and 4 ubuntu servers
> their names are fairly obvious:
>     NC1 is the domain controller, filesvr is a file server joined to the
> domain, xrdp is a rdp server also joined to the domain that mounts the
> file server shares, and middleware is a non joined standalone server at
> the moment.
>
> I seem to have something wrong in my group SIDs:
>
> root at filesvr:/data# ls -l BinaryData/
> drwxr-xr-x  2 SDCP\peter 2000513    4096 Sep 30 15:45 2010
>
> root at filesvr:/data# ls -l Ca****nt-Accounting/
> -rwxrwx---+  1 SDCP\peter SDCP\accounting    105984 May 16 2011
> 05.15.11.xls
>
> On the file server I get errors on login:
> groups: cannot find name for group ID 2000513
> groups: cannot find name for group ID 2000512
They are definitely Domain Users & Domain Admins (RID 513 and 512)
>
> and it can't find all the groups while the rdp server can
No, that is wrong: if you look closely, the rdp server is missing two
groups, but the fileserver is showing two groups by ID only (not by name).
> SDCP\peter at filesvr:~$ id
> uid=2001110(SDCP\peter) gid=2000513
> groups=2000513,10000(BUILTIN\administrators),10001(BUILTIN\users),2000512,2000572(SDCP\denied
> rodc password replication group),2001110(SDCP\peter),2001118(SDCP\linux
> admins),2001136(SDCP\remotedesktop)
>
> SDCP\peter at xrdp:~$ id
> uid=2001110(SDCP\peter) gid=2000513(SDCP\domain users)
> groups=2000513(SDCP\domain users),2000512(SDCP\domain
> admins),2000572(SDCP\denied rodc password replication
> group),2001110(SDCP\peter),2001118(SDCP\linux
> admins),2001136(SDCP\remotedesktop)
>
> ---------------------------------- DC
> ---------------------------------------------------------
> # Global parameters
> [global]
>     netbios name = NC1
>     realm = SA****NT.LOCAL
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SDCP
>     idmap_ldb:use rfc2307 = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/sa****nt.local/scripts
>     read only = No
>
I really do hope '.local' is sanitising, if not, turn off Avahi and
Bonjour everywhere.
>
> ----------------------------------  xRDP
> ------------------------------------------------------
> xRDP Server - not a file server, smbd is not running
So no shares, just authentication.
> [global]
> server role = standalone server
Wrong: this is not a standalone server; I suggest you remove that line.
> template homedir = /home/%U@%D
> template shell = /bin/bash
> usershare allow guests = yes
If this is authentication only, why allow usershares at all?
> kerberos method = secrets and keytab
> realm = SA****NT.LOCAL
> workgroup = SDCP
> security = ads
> idmap config SDCP : range = 2000000-2999999
> idmap config SDCP : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> ------------------------------------ File Server
> ---------------------------------------------
> [global]
> server role = standalone server
Again wrong, see above.
> template homedir = /home/%U@%D
> template shell = /bin/bash
> usershare allow guests = yes
> kerberos method = secrets and keytab
> realm = SA****NT.LOCAL
> workgroup = SDCP
> security = ads
> idmap config SDCP : range = 2000000-2999999
> idmap config SDCP : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> vfs objects = acl_xattr
> map acl inherit = yes
>
> #======================= Share Definitions =======================
> [BinaryData]
>     path = /data/BinaryData
>     comment = Store for DB and Middleware
>     writable = yes
>
> [Ca****nt-Accounting]
>     path = /data/Ca****nt-Accounting
>     comment = Accounting Files
>     writable = yes
>
I can see no reason why two groups cannot be identified, try running
'net cache flush' on the fileserver and see if that helps.
Rowland
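Rowland's identification of 2000513 and 2000512 as RIDs 513 and 512 follows from the arithmetic of the `idmap config SDCP : backend = rid` setting in the posted smb.conf: the rid backend maps a domain SID's RID to a Unix ID as RID plus the low end of the configured range (2000000 here). The script below is an added example, not part of this thread or of Samba itself; it reverses that arithmetic over a constructed copy of the file server's `id` output, lists the groups winbind failed to name, and labels the well-known domain RIDs so the gap is visible at a glance. The range values are taken from the posted configuration; the RID-to-name table covers only the standard well-known domain group RIDs.

```shell
#!/bin/sh
# Added example (not from the thread): decode numeric-only group IDs in
# "id" output back to Windows RIDs for an "idmap config DOM : backend = rid"
# range. With the rid backend, unix_id = RID + IDMAP_LOW, so 2000513 with
# range 2000000-2999999 is RID 513 (Domain Users).

# Low and high end of the domain's idmap range, as in the posted smb.conf.
IDMAP_LOW=2000000
IDMAP_HIGH=2999999

# Constructed copy of the "id" output shown for the file server in the
# thread (shortened; the unresolved entries are kept as posted).
SAMPLE_ID='uid=2001110(SDCP\peter) gid=2000513 groups=2000513,10000(BUILTIN\administrators),10001(BUILTIN\users),2000512,2000572(SDCP\denied rodc password replication group),2001110(SDCP\peter)'

# rid_from_id UNIX_ID: print the RID, or fail if the ID is outside the
# domain range (e.g. a BUILTIN group mapped from the "*" tdb range).
rid_from_id() {
    unix_id="$1"
    if [ "$unix_id" -lt "$IDMAP_LOW" ] || [ "$unix_id" -gt "$IDMAP_HIGH" ]; then
        return 1
    fi
    echo $((unix_id - IDMAP_LOW))
}

# well_known_rid RID: name for the standard well-known domain group RIDs.
well_known_rid() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        515) echo "Domain Computers" ;;
        516) echo "Domain Controllers" ;;
        *)   echo "RID $1" ;;
    esac
}

# unresolved_gids "<id output>": space-separated GIDs that appear in the
# groups= field without a "(name)" after them, i.e. winbind could not
# map them to a name.
unresolved_gids() {
    printf '%s\n' "$1" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | grep -v '(' \
      | tr '\n' ' ' | sed 's/ $//'
}

# report_unresolved "<id output>": one line per unresolved GID with its RID.
report_unresolved() {
    for gid in $(unresolved_gids "$1"); do
        if rid=$(rid_from_id "$gid"); then
            echo "$gid -> RID $rid ($(well_known_rid "$rid"))"
        else
            echo "$gid: outside the SDCP idmap range"
        fi
    done
}

# On a real member server you would run: report_unresolved "$(id)"
report_unresolved "$SAMPLE_ID"
```

Two numeric-only entries are reported, mapping to RIDs 513 and 512. Groups in the 10000-999999 range come from the `*` tdb backend and are correctly reported as outside the domain range rather than decoded; if a domain group shows up by number only, the name lookup (not the ID allocation) is what failed, which is why a cache flush is the first thing to try.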