Jonathan Hunter
2016-Apr-26 21:48 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
I had similar (ish) issues.

Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of the above on my DC to resolve this. (Neither of which I /wanted/ to do.. but since switching over and running 'net cache flush' etc., the problem hasn't reoccurred)

On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:

> Hi,
>
> using Samba 4.4.2, on the Samba AD server the users have their primary
> group at 513 (domain users) but after a non-fixed time they get set to
> 100, like:
>
> [root@sambaserver:~]# id john
> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>
> <few minutes>
>
> [root@sambaserver:~]# id john
> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>
> <few minutes>
>
> [root@sambaserver:~]# id john
> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>
> then when I do "net cache flush" they're back at 513... only for a while.
>
> The Linux workstations always see the users at 513, this only happens on
> the Samba server itself. This can happen with intervals of a few
> minutes, but I've also seen it being "stable" for a few hours.
>
> any ideas?
>
> thanks,
>
> Gerben

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Gerben Roest
2016-Apr-28 20:20 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
On 26-04-16 23:48, Jonathan Hunter wrote:

> I had similar (ish) issues.
>
> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of
> the above on my DC to resolve this. (Neither of which I /wanted/ to do..
> but since switching over and running 'net cache flush' etc., the problem
> hasn't reoccurred)

Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to samba4 + AD, and I have found out that using:

    net ads search "(SAMAccountName=someuser)"|egrep 'name|primaryGroupID|gidNumber'

for all migrated users their primaryGroupID was set to 513, and their gidNumber was set to 100.

Adding a new user using Microsoft's RSAT, this new user doesn't have a "gidNumber" setting. I suspect this setting to somehow cause samba to think that "Domain Users" is 100.

I have removed via RSAT the settings of gidNumber for all active users, and I hope that will fix it.

Gerben

--
Grep IT                      tel: 0252-769005
Egelantier 3                 fax: 0252-769006
2211 NN Noordwijkerhout      g.roest at grepit.nl
The Netherlands              www.grepit.nl
Gerben Roest
2016-Apr-28 22:12 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
I did some experimenting on my raspberry pi with samba-4.4.2 as AD server (fresh install, no upgrade), and adding a new user:

    samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash

and then checking it:

    root@pi6lan:/etc# wbinfo -i grepit
    ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash
    root@pi6lan:/etc# id grepit
    uid=3000017(ROEST\grepit) gid=100(users) groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)

my new user's primary group is 100! Why?

My smb.conf is really basic:

    [global]
    netbios name = PI6LAN
    realm = ROEST.INTERN
    workgroup = ROEST
    dns forwarder = 192.168.13.253
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = yes

    root@pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
    primaryGroupID: 513
    gidNumber: 513

I'm really curious why this new user is set to primary group 100. It appears not to be caused by samba ad, right?

thanks

Gerben

--
Grep IT                      tel: 0252-769005
Egelantier 3                 fax: 0252-769006
2211 NN Noordwijkerhout      g.roest at grepit.nl
The Netherlands              www.grepit.nl
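The per-user attribute check used in the thread, extended to audit many accounts at once; this is an added example, not code from any poster or from the Samba project. The function name `audit_gid`, the expected-gid argument, the record layout (one blank line between entries) and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_gid: read "attr: value" records on stdin (assumed layout: one blank
# line between entries) and compare each account's gidNumber attribute with
# the gid expected for the primary group.
# $1 = expected gid (513 in the thread's setup; an assumption elsewhere).
audit_gid() {
  awk -v want="$1" '
    function emit() {
      if (user == "") return
      if (gid == "")        status = "UNSET"      # no gidNumber attribute
      else if (gid == want) status = "OK"
      else                  status = "MISMATCH"   # e.g. gidNumber 100 vs 513
      printf "%s primaryGroupID=%s gidNumber=%s %s\n",
             user, pgid, (gid == "" ? "-" : gid), status
      user = pgid = gid = ""
    }
    { sub(/\r$/, "") }                  # tolerate CRLF input
    /^[ \t]*$/ { emit(); next }         # blank line ends a record
    {
      i = index($0, ": ")
      if (i == 0) next                  # skip lines that are not attributes
      key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 2)
      if (key == "samaccountname")      user = val
      else if (key == "primarygroupid") pgid = val
      else if (key == "gidnumber")      gid  = val
    }
    END { emit() }
  '
}

# Constructed sample modelled on the three kinds of account in the thread:
# a migrated user, an RSAT-created user, and the samba-tool test user.
sample_records() {
  cat <<'EOF'
sAMAccountName: john
primaryGroupID: 513
gidNumber: 100

sAMAccountName: newuser
primaryGroupID: 513

sAMAccountName: grepit
primaryGroupID: 513
gidNumber: 513
EOF
}

sample_records | audit_gid 513
```

An `OK` here only describes the directory attribute: in the thread, the test account with `gidNumber: 513` still resolved to gid 100, so compare the result with what `id` reports on the server.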