Jonathan Hunter
2016-Apr-26 21:48 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
I had similar (ish) issues. Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of the above on my DC to resolve this. (Neither of which I /wanted/ to do.. but since switching over and running 'net cache flush' etc., the problem hasn't reoccurred) On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:> Hi, > > using Samba 4.4.2, on the Samba AD server the users have their primary > group at 513 (domain users) but after a non-fixed time they get set to > 100, like: > > > [root at sambaserver:~]# id john > uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) > groups=513(DOMAIN\domain users),1013(DOMAIN\sales) > > <few minutes> > > [root at sambaserver:~]# id john > uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) > groups=513(DOMAIN\domain users),1013(DOMAIN\sales) > > <few minutes> > > [root at sambaserver:~]# id john > uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users) > groups=100(DOMAIN\domain users),1013(DOMAIN\sales) > > then when I "net cache flush" do: they're back at 513... only for a while. > > The Linux workstations always see the users at 513, this only happens on > the Samba server itself. This can happen with intervals of a few > minutes, but I've also seen it being "stable" for a few hours. > > any ideas? > > thanks, > > Gerben > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Gerben Roest
2016-Apr-28 20:20 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
On 26-04-16 23:48, Jonathan Hunter wrote:> I had similar (ish) issues. > > Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of > the above on my DC to resolve this. (Neither of which I /wanted/ to do.. > but since switching over and running 'net cache flush' etc., the problem > hasn't reoccurred)Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to samba4 + AD, and I have found out that using: net ads search "(SAMAccountName=someuser)"|egrep 'name|primaryGroupID|gidNumber for all migrated users their primaryGroupID was set to 513, and their gidNumber was set to 100. Adding a new user using Microsoft's RSAT this new user doesn't have a "gidNumber" setting. I suspect this setting to somehow cause samba to think that "Domain Users" is 100. I have removed via RSAT the settings of gidNumber for all active users, and I hope that will fix it. Gerben> > On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote: > >> Hi, >> >> using Samba 4.4.2, on the Samba AD server the users have their primary >> group at 513 (domain users) but after a non-fixed time they get set to >> 100, like: >> >> >> [root at sambaserver:~]# id john >> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >> >> <few minutes> >> >> [root at sambaserver:~]# id john >> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >> >> <few minutes> >> >> [root at sambaserver:~]# id john >> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users) >> groups=100(DOMAIN\domain users),1013(DOMAIN\sales) >> >> then when I "net cache flush" do: they're back at 513... only for a while. >> >> The Linux workstations always see the users at 513, this only happens on >> the Samba server itself. This can happen with intervals of a few >> minutes, but I've also seen it being "stable" for a few hours. >> >> any ideas? >> >> thanks, >> >> Gerben >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > >-- Grep IT tel: 0252-769005 Egelantier 3 fax: 0252-769006 2211 NN Noordwijkerhout g.roest at grepit.nl The Netherlands www.grepit.nl
Gerben Roest
2016-Apr-28 22:12 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
I did some experimenting on my raspberry pi with samba-4.4.2 as AD
server (fresh install, no upgrade), and adding a new user:
samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash
and then checking it:
root at pi6lan:/etc# wbinfo -i grepit
ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash
root at pi6lan:/etc# id grepit
uid=3000017(ROEST\grepit) gid=100(users)
groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)
my new user's primary group is 100 ! Why?
My smb.conf is really basic:
[global]
netbios name = PI6LAN
realm = ROEST.INTERN
workgroup = ROEST
dns forwarder = 192.168.13.253
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
primaryGroupID: 513
gidNumber: 513
I'm really curious why this new user is set to primary group 100. It
appears not to be caused by samba ad, right?
thanks
Gerben
On 28-04-16 22:20, Gerben Roest wrote:> On 26-04-16 23:48, Jonathan Hunter wrote:
>> I had similar (ish) issues.
>>
>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both
of
>> the above on my DC to resolve this. (Neither of which I /wanted/ to
do..
>> but since switching over and running 'net cache flush' etc.,
the problem
>> hasn't reoccurred)
>
> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to
> samba4 + AD, and I have found out that using:
>
> net ads search "(SAMAccountName=someuser)"|egrep
> 'name|primaryGroupID|gidNumber
>
> for all migrated users their primaryGroupID was set to 513, and their
> gidNumber was set to 100.
>
> Adding a new user using Microsoft's RSAT this new user doesn't have
a
> "gidNumber" setting. I suspect this setting to somehow cause
samba to
> think that "Domain Users" is 100.
>
> I have removed via RSAT the settings of gidNumber for all active users,
> and I hope that will fix it.
>
> Gerben
>
>>
>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl>
wrote:
>>
>>> Hi,
>>>
>>> using Samba 4.4.2, on the Samba AD server the users have their
primary
>>> group at 513 (domain users) but after a non-fixed time they get set
to
>>> 100, like:
>>>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root at sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> then when I "net cache flush" do: they're back at
513... only for a while.
>>>
>>> The Linux workstations always see the users at 513, this only
happens on
>>> the Samba server itself. This can happen with intervals of a few
>>> minutes, but I've also seen it being "stable" for a
few hours.
>>>
>>> any ideas?
>>>
>>> thanks,
>>>
>>> Gerben
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>>
>
>
--
Grep IT tel: 0252-769005
Egelantier 3 fax: 0252-769006
2211 NN Noordwijkerhout g.roest at grepit.nl
The Netherlands www.grepit.nl
Seemingly Similar Threads
- primary group gets set to 100 on Samba AD server after a while
- primary group gets set to 100 on Samba AD server after a while
- primary group gets set to 100 on Samba AD server after a while
- primary group gets set to 100 on Samba AD server after a while [SOLVED]
- Samba 4.4.2 as AD server: clients OK but server fails "wbinfo -K"