Jeff Sadowski
2016-Apr-26 17:44 UTC
[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)

So many things work better

* I can now sudo without having to newgrp first
* I can now run id and get a list of all groups I am in
* I can now run getent group and get a list of the domain groups

but I now have two unexpected groups

running the following I get

id | sed 's/,/\n/g' | sort > id_without.txt
id $USER | sed 's/,/\n/g' | sort > id_with.txt
diff id_without.txt id_with.txt
12a13,14
> 2000(BUILTIN\administrators)
> 2001(BUILTIN\users)

2000 and 2001?
where did these come from?
my domain groups start at 8000
I have powerbroker which I use on this domain and I can easily check which
groups have ids and 8000 is as low as they go when I sort them.
My domain admin does not have a gid
my domain users does and I see it in both listings

Here is my smb.conf

[global]
security = ads
realm = SUBDOMAIN.DOMAIN.TLD
workgroup = SUBDOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
Jeff Sadowski
2016-Apr-26 17:52 UTC
[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
More interesting on some machines I upgraded to 16.04 the difference isn't
there between the 2 ways of running id but those 2 groups are listed in each.

On Tue, Apr 26, 2016 at 11:44 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)
>
> So many things work better
>
> * I can now sudo without having to newgrp first
> * I can now run id and get a list of all groups I am in
> * I can now run getent group and get a list of the domain groups
>
> but I now have two unexpected groups
>
> running the following I get
>
> id | sed 's/,/\n/g' | sort > id_without.txt
> id $USER | sed 's/,/\n/g' | sort > id_with.txt
> diff id_without.txt id_with.txt
> 12a13,14
> > 2000(BUILTIN\administrators)
> > 2001(BUILTIN\users)
>
> 2000 and 2001?
> where did these come from?
> my domain groups start at 8000
> I have powerbroker which I use on this domain and I can easily check which
> groups have ids and 8000 is as low as they go when I sort them.
> My domain admin does not have a gid
> my domain users does and I see it in both listings
>
> Here is my smb.conf
>
> [global]
> security = ads
> realm = SUBDOMAIN.DOMAIN.TLD
> workgroup = SUBDOMAIN
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes
> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the defaults
> #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
Rowland penny
2016-Apr-26 18:32 UTC
[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
On 26/04/16 18:44, Jeff Sadowski wrote:
> So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)
>
> So many things work better
>
> * I can now sudo without having to newgrp first
> * I can now run id and get a list of all groups I am in
> * I can now run getent group and get a list of the domain groups
>
> but I now have two unexpected groups
>
> running the following I get
>
> id | sed 's/,/\n/g' | sort > id_without.txt
> id $USER | sed 's/,/\n/g' | sort > id_with.txt
> diff id_without.txt id_with.txt
> 12a13,14
>> 2000(BUILTIN\administrators)
>> 2001(BUILTIN\users)
> 2000 and 2001?
> where did these come from?
> my domain groups start at 8000
> I have powerbroker which I use on this domain and I can easily check which
> groups have ids and 8000 is as low as they go when I sort them.
> My domain admin does not have a gid
> my domain users does and I see it in both listings
>
> Here is my smb.conf
>
> [global]
> security = ads
> realm = SUBDOMAIN.DOMAIN.TLD
> workgroup = SUBDOMAIN
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes
> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the defaults
> #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain

Your two new groups (not that they are really new) come from here:

idmap config * : range = 2000-7999

Rowland
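The answer above, as an added example that is not part of the original thread: winbind allocates IDs for SIDs outside any explicitly configured domain (BUILTIN included) from the default `*` idmap range, so matching each gid against the configured ranges shows which backend issued it. The `id` output, user name and the gid for domain users are constructed sample values; only the two BUILTIN entries and the idmap lines come from the thread.

```python
import re

# The idmap lines from the smb.conf posted in this thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 8000-9999999
"""

# Constructed `id` output; uid, user name and gid 8001 are made up for the example.
ID_OUTPUT = (r"uid=8105(jeff) gid=8001(domain users) groups=8001(domain users),"
             r"2000(BUILTIN\administrators),2001(BUILTIN\users)")

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(.+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = value.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[option] = value
    return domains

def classify_groups(id_output, domains):
    """Map each group name to (gid, idmap domain holding that gid, its backend)."""
    result = {}
    groups = id_output.split("groups=", 1)[1]
    for gid, name in re.findall(r"(\d+)\(([^)]*)\)", groups):
        owner = next((d for d, e in domains.items() if "range" in e
                      and e["range"][0] <= int(gid) <= e["range"][1]), None)
        result[name] = (int(gid), owner, domains.get(owner, {}).get("backend"))
    return result

if __name__ == "__main__":
    found = classify_groups(ID_OUTPUT, parse_idmap(SMB_CONF))
    for name, (gid, domain, backend) in found.items():
        print(f"{gid:>8}  {name:<26} idmap domain {domain!r} (backend {backend})")
```

A gid that reports no owning domain falls outside every configured range and did not come from winbind's idmap at all, which is the case worth investigating.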
Jeff Sadowski
2016-Apr-26 19:41 UTC
[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?
I think I know then. Are those groups from a local samba database?
I might have deleted it in the past and when the upgrade took place it may
have replaced it.

On Tue, Apr 26, 2016 at 12:32 PM, Rowland penny <rpenny at samba.org> wrote:
> On 26/04/16 18:44, Jeff Sadowski wrote:
>
>> So happy for BadLock bug it finally pushed Ubuntu to upgrade samba :-)
>>
>> So many things work better
>>
>> * I can now sudo without having to newgrp first
>> * I can now run id and get a list of all groups I am in
>> * I can now run getent group and get a list of the domain groups
>>
>> but I now have two unexpected groups
>>
>> running the following I get
>>
>> id | sed 's/,/\n/g' | sort > id_without.txt
>> id $USER | sed 's/,/\n/g' | sort > id_with.txt
>> diff id_without.txt id_with.txt
>> 12a13,14
>>
>>> 2000(BUILTIN\administrators)
>>> 2001(BUILTIN\users)
>>>
>> 2000 and 2001?
>> where did these come from?
>> my domain groups start at 8000
>> I have powerbroker which I use on this domain and I can easily check which
>> groups have ids and 8000 is as low as they go when I sort them.
>> My domain admin does not have a gid
>> my domain users does and I see it in both listings
>>
>> Here is my smb.conf
>>
>> [global]
>> security = ads
>> realm = SUBDOMAIN.DOMAIN.TLD
>> workgroup = SUBDOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config SUBDOMAIN:backend = ad
>> idmap config SUBDOMAIN:schema_mode = rfc2307
>> idmap config SUBDOMAIN:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the
>> defaults
>> #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>>
>
> Your two new groups (not that are really new) come from here:
>
> idmap config * : range = 2000-7999
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba