On 01/03/2023 14:59, d tbsky via samba wrote:
> Hi:
> I want to convert our samba file server from rfc2307 to rid backend.
> the configuration looks like:
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config SAMDOM:backend = rid
> idmap config SAMDOM:range = 10000-999999
> idmap config SAMDOM:unix_primary_group = yes
>
> Most things work fine. Normal user-ids and group-ids changed, so we
> changed owners and ACLs to the correct new ids, and then the file server works
> as usual.
>
> But now there are new Windows users/groups for which we didn't set rfc2307
> attributes before they came to our file server. "domain users" is fine;
> in Windows we can also see accounts belonging to "domain users", and
> "domain users" also gets a new gid correctly under Linux.
I am willing to bet that Domain users now has the GID 10513
>
> What confuses me is the "BUILTIN\users" group. Now with the command
> "id my-account" I can see my account also belongs to the "BUILTIN\users"
> group, and the group id is "1000032", which is outside my new
> configuration range.
> I didn't see that group under the rfc2307 backend before, but I know the
> "1000032" id comes from my old config, which has "idmap config *:range
> = 1000000-1999999".
It was probably coming from the winbind cache and should have been
cleared by running 'net cache flush' or by restarting Samba, or at the
worst, rebooting.
> After some trying I finally got rid of "1000032" by deleting
> "group_mapping.tdb" and letting samba recreate it to get the new id under
> "5000-9999".
I cannot recommend deleting files like that.
>
> I want to know more about how samba deals with these special groups.
> There is little information on the wiki. After searching the email list, I
> found some discussion that only the "Administrators", "Guests" and "Users"
> Builtin groups are mapped under samba.
> Is there more information about how samba handles these special groups?
>
If you run 'wbinfo --all-domains' you should get something like this
BUILTIN
THE_COMPUTERS_HOSTNAME
SAMDOM
Samba, when running as a Unix domain member, seems to ignore the middle one.
The 'SAMDOM' domain IDs are set via the 'idmap config SAMDOM' lines in
smb.conf and, as you are now using the rid idmap backend, they are
calculated like this:
ID = RID + low range number
So in your case:
ID = RID + 10000
So coming back to Domain Users (which has the RID 513):
10513 = 513 + 10000
This means that anything in AD that is a member of the 'SAMDOM' domain
will get an ID.
NOTE: just as an aside, because you are now using the rid idmap backend,
you now have synthetic usergroups, the user 'fred' will have a group
called 'fred'.
Try it: 'getent group fred'
The BUILTIN domain is fairly small and is handled by the default domain
'*', and IDs are allocated from the range set in smb.conf. These IDs
are not guaranteed to be the same on each Unix domain member, which
isn't a problem because they are only used for administrative purposes.
The default domain is meant for the BUILTIN domain and anything that
isn't in the main 'SAMDOM', which is why everything ends up in the
default domain if you really mess up the main domain.
Rowland
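The rid formula and range rules Rowland describes above, as an added example (not code from the thread or from Samba): it parses the quoted idmap config, applies ID = RID + low range, and reports which configured range an observed ID falls in, so a stale ID such as 1000032 stands out. The SAMDOM domain SID is an assumed placeholder.

```python
import re

# Constructed smb.conf fragment, copied from the configuration quoted in the thread.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_primary_group = yes
"""

# Assumed (made-up) domain SID for SAMDOM; take the real one from 'wbinfo --domain-info SAMDOM'.
SAMDOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high), ...}} from idmap config lines."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            entry = cfg.setdefault(dom, {})
            entry[key] = tuple(int(x) for x in val.split("-")) if key == "range" else val
    return cfg


def rid_to_unix_id(cfg, domain, domain_sid, sid):
    """rid backend rule from the thread: ID = RID + low end of the domain's range.
    Returns None when the SID is not from this domain or the result leaves the
    configured range, in which case winbind will not map it."""
    entry = cfg[domain]
    if entry.get("backend") != "rid" or not sid.startswith(domain_sid + "-"):
        return None
    low, high = entry["range"]
    unix_id = int(sid.rsplit("-", 1)[1]) + low
    return unix_id if low <= unix_id <= high else None


def range_owner(cfg, unix_id):
    """Name the idmap domain whose range contains unix_id, or None if no range does.
    An ID like the 1000032 in the thread, left over from an old range, comes back
    as None: it points at a stale winbind cache, not at the current config."""
    for dom, entry in cfg.items():
        low, high = entry.get("range", (1, 0))
        if low <= unix_id <= high:
            return dom
    return None
```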