Gerben Roest
2016-Apr-28 22:12 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
I did some experimenting on my raspberry pi with samba-4.4.2 as AD server (fresh install, no upgrade), and adding a new user: samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash and then checking it: root at pi6lan:/etc# wbinfo -i grepit ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash root at pi6lan:/etc# id grepit uid=3000017(ROEST\grepit) gid=100(users) groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users) my new user's primary group is 100 ! Why? My smb.conf is really basic: [global] netbios name = PI6LAN realm = ROEST.INTERN workgroup = ROEST dns forwarder = 192.168.13.253 server role = active directory domain controller idmap_ldb:use rfc2307 = yes template shell = /bin/bash template homedir = /home/%U winbind use default domain = yes root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513 primaryGroupID: 513 gidNumber: 513 I'm really curious why this new user is set to primary group 100. It appears not to be caused by samba ad, right? thanks Gerben On 28-04-16 22:20, Gerben Roest wrote:> On 26-04-16 23:48, Jonathan Hunter wrote: >> I had similar (ish) issues. >> >> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of >> the above on my DC to resolve this. (Neither of which I /wanted/ to do.. >> but since switching over and running 'net cache flush' etc., the problem >> hasn't reoccurred) > > Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to > samba4 + AD, and I have found out that using: > > net ads search "(SAMAccountName=someuser)"|egrep > 'name|primaryGroupID|gidNumber > > for all migrated users their primaryGroupID was set to 513, and their > gidNumber was set to 100. > > Adding a new user using Microsoft's RSAT this new user doesn't have a > "gidNumber" setting. I suspect this setting to somehow cause samba to > think that "Domain Users" is 100. > > I have removed via RSAT the settings of gidNumber for all active users, > and I hope that will fix it. > > Gerben > >> >> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote: >> >>> Hi, >>> >>> using Samba 4.4.2, on the Samba AD server the users have their primary >>> group at 513 (domain users) but after a non-fixed time they get set to >>> 100, like: >>> >>> >>> [root at sambaserver:~]# id john >>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >>> >>> <few minutes> >>> >>> [root at sambaserver:~]# id john >>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >>> >>> <few minutes> >>> >>> [root at sambaserver:~]# id john >>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users) >>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales) >>> >>> then when I "net cache flush" do: they're back at 513... only for a while. >>> >>> The Linux workstations always see the users at 513, this only happens on >>> the Samba server itself. This can happen with intervals of a few >>> minutes, but I've also seen it being "stable" for a few hours. >>> >>> any ideas? >>> >>> thanks, >>> >>> Gerben >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >> >> >> > >-- Grep IT tel: 0252-769005 Egelantier 3 fax: 0252-769006 2211 NN Noordwijkerhout g.roest at grepit.nl The Netherlands www.grepit.nl
Rowland penny
2016-Apr-29 06:45 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
On 28/04/16 23:12, Gerben Roest wrote:> I did some experimenting on my raspberry pi with samba-4.4.2 as AD > server (fresh install, no upgrade), and adding a new user: > > samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash > > and then checking it: > > root at pi6lan:/etc# wbinfo -i grepit > ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash > > root at pi6lan:/etc# id grepit > uid=3000017(ROEST\grepit) gid=100(users) > groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users) > > my new user's primary group is 100 ! Why? > > My smb.conf is really basic: > > [global] > netbios name = PI6LAN > realm = ROEST.INTERN > workgroup = ROEST > dns forwarder = 192.168.13.253 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > template shell = /bin/bash > template homedir = /home/%U > winbind use default domain = yes > > root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513 > primaryGroupID: 513 > gidNumber: 513 > > I'm really curious why this new user is set to primary group 100. It > appears not to be caused by samba ad, right? > > thanks > > Gerben > > > On 28-04-16 22:20, Gerben Roest wrote: >> On 26-04-16 23:48, Jonathan Hunter wrote: >>> I had similar (ish) issues. >>> >>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of >>> the above on my DC to resolve this. (Neither of which I /wanted/ to do.. >>> but since switching over and running 'net cache flush' etc., the problem >>> hasn't reoccurred) >> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to >> samba4 + AD, and I have found out that using: >> >> net ads search "(SAMAccountName=someuser)"|egrep >> 'name|primaryGroupID|gidNumber >> >> for all migrated users their primaryGroupID was set to 513, and their >> gidNumber was set to 100. >> >> Adding a new user using Microsoft's RSAT this new user doesn't have a >> "gidNumber" setting. I suspect this setting to somehow cause samba to >> think that "Domain Users" is 100. >> >> I have removed via RSAT the settings of gidNumber for all active users, >> and I hope that will fix it. >> >> Gerben >> >>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote: >>> >>>> Hi, >>>> >>>> using Samba 4.4.2, on the Samba AD server the users have their primary >>>> group at 513 (domain users) but after a non-fixed time they get set to >>>> 100, like: >>>> >>>> >>>> [root at sambaserver:~]# id john >>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >>>> >>>> <few minutes> >>>> >>>> [root at sambaserver:~]# id john >>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >>>> >>>> <few minutes> >>>> >>>> [root at sambaserver:~]# id john >>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users) >>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales) >>>> >>>> then when I "net cache flush" do: they're back at 513... only for a while. >>>> >>>> The Linux workstations always see the users at 513, this only happens on >>>> the Samba server itself. This can happen with intervals of a few >>>> minutes, but I've also seen it being "stable" for a few hours. >>>> >>>> any ideas? >>>> >>>> thanks, >>>> >>>> Gerben >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >>> >> >Because you think that by giving a user a gidNumber, this will be used for the users primary group :-) Winbindd will use the users primaryGroupID attribute, this normally contains '513', it will check if this group (normally Domain Users) contains a gidNumber and use this if it does. If no gidNumber is found, it will then use the mapping in idmap.ldb and this is set to '100' Rowland
Gerben Roest
2016-Apr-29 15:40 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while [SOLVED]
On 29-04-16 08:45, Rowland penny wrote:> On 28/04/16 23:12, Gerben Roest wrote: >> I did some experimenting on my raspberry pi with samba-4.4.2 as AD >> server (fresh install, no upgrade), and adding a new user: >> >> samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash >> >> and then checking it: >> >> root at pi6lan:/etc# wbinfo -i grepit >> ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash >> >> root at pi6lan:/etc# id grepit >> uid=3000017(ROEST\grepit) gid=100(users) >> groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users) >> >> my new user's primary group is 100 ! Why? >> >> My smb.conf is really basic: >> >> [global] >> netbios name = PI6LAN >> realm = ROEST.INTERN >> workgroup = ROEST >> dns forwarder = 192.168.13.253 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> template shell = /bin/bash >> template homedir = /home/%U >> winbind use default domain = yes >> >> root at pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513 >> primaryGroupID: 513 >> gidNumber: 513 >> >> I'm really curious why this new user is set to primary group 100. It >> appears not to be caused by samba ad, right? >> >> thanks >> >> Gerben >> >> >> On 28-04-16 22:20, Gerben Roest wrote: >>> On 26-04-16 23:48, Jonathan Hunter wrote: >>>> I had similar (ish) issues. >>>> >>>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement >>>> both of >>>> the above on my DC to resolve this. (Neither of which I /wanted/ to >>>> do.. >>>> but since switching over and running 'net cache flush' etc., the >>>> problem >>>> hasn't reoccurred) >>> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to >>> samba4 + AD, and I have found out that using: >>> >>> net ads search "(SAMAccountName=someuser)"|egrep >>> 'name|primaryGroupID|gidNumber >>> >>> for all migrated users their primaryGroupID was set to 513, and their >>> gidNumber was set to 100. >>> >>> Adding a new user using Microsoft's RSAT this new user doesn't have a >>> "gidNumber" setting. I suspect this setting to somehow cause samba to >>> think that "Domain Users" is 100. >>> >>> I have removed via RSAT the settings of gidNumber for all active users, >>> and I hope that will fix it. >>> >>> Gerben >>> >>>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote: >>>> >>>>> Hi, >>>>> >>>>> using Samba 4.4.2, on the Samba AD server the users have their primary >>>>> group at 513 (domain users) but after a non-fixed time they get set to >>>>> 100, like: >>>>> >>>>> >>>>> [root at sambaserver:~]# id john >>>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >>>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >>>>> >>>>> <few minutes> >>>>> >>>>> [root at sambaserver:~]# id john >>>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users) >>>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales) >>>>> >>>>> <few minutes> >>>>> >>>>> [root at sambaserver:~]# id john >>>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users) >>>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales) >>>>> >>>>> then when I "net cache flush" do: they're back at 513... only for a >>>>> while. >>>>> >>>>> The Linux workstations always see the users at 513, this only >>>>> happens on >>>>> the Samba server itself. This can happen with intervals of a few >>>>> minutes, but I've also seen it being "stable" for a few hours. >>>>> >>>>> any ideas? >>>>> >>>>> thanks, >>>>> >>>>> Gerben >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>> >>>> >>> >> > > Because you think that by giving a user a gidNumber, this will be used > for the users primary group :-) > > Winbindd will use the users primaryGroupID attribute, this normally > contains '513', it will check if this group (normally Domain Users) > contains a gidNumber and use this if it does. If no gidNumber is found, > it will then use the mapping in idmap.ldb and this is set to '100'Indeed! I have used RSAT to edit the group "Domain Users", tab "UNIX Attributes", set the NIS Domain, and edit GID to read 513. It turns out that "net cache flush" and "smbcontrol all reload-config" is not enough for this change, it worked only after killing samba, net cache flush and starting samba again. I also can confirm that if you don't edit "Domain Users" in RSAT, editing idmap.ldb with (use your own path and sid) ldbedit -e vim -H /usr/local/samba-4.4/private/idmap.ldb objectsid=<sid of domain users> and changing the xidNumber: 100 to 513, and doing smbcontrol all reload-config and net cache flush also works. Thanks Rowland!
Seemingly Similar Threads
- primary group gets set to 100 on Samba AD server after a while
- primary group gets set to 100 on Samba AD server after a while
- primary group gets set to 100 on Samba AD server after a while
- primary group gets set to 100 on Samba AD server after a while
- Samba 3, Windows 7 and printer drivers