Gerben Roest
2016-Apr-28 22:12 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
I did some experimenting on my raspberry pi with samba-4.4.2 as AD
server (fresh install, no upgrade), and adding a new user:

samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash

and then checking it:

root@pi6lan:/etc# wbinfo -i grepit
ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash

root@pi6lan:/etc# id grepit
uid=3000017(ROEST\grepit) gid=100(users)
groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)

my new user's primary group is 100! Why?

My smb.conf is really basic:

[global]
netbios name = PI6LAN
realm = ROEST.INTERN
workgroup = ROEST
dns forwarder = 192.168.13.253
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes

root@pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
primaryGroupID: 513
gidNumber: 513

I'm really curious why this new user is set to primary group 100. It
appears not to be caused by samba ad, right?

thanks

Gerben

On 28-04-16 22:20, Gerben Roest wrote:
> On 26-04-16 23:48, Jonathan Hunter wrote:
>> I had similar (ish) issues.
>>
>> Are you using winbindd and rfc2307 UIDs/GIDs? I had to implement both of
>> the above on my DC to resolve this. (Neither of which I /wanted/ to do..
>> but since switching over and running 'net cache flush' etc., the problem
>> hasn't reoccurred)
>
> Yes, we use winbindd and rfc2307. I have upgraded from samba3 + ldap to
> samba4 + AD, and I have found out that using:
>
> net ads search "(SAMAccountName=someuser)"|egrep 'name|primaryGroupID|gidNumber'
>
> for all migrated users their primaryGroupID was set to 513, and their
> gidNumber was set to 100.
>
> Adding a new user using Microsoft's RSAT this new user doesn't have a
> "gidNumber" setting. I suspect this setting to somehow cause samba to
> think that "Domain Users" is 100.
>
> I have removed via RSAT the settings of gidNumber for all active users,
> and I hope that will fix it.
>
> Gerben
>
>> On 26 April 2016 at 09:14, Gerben Roest <g.roest at grepit.nl> wrote:
>>
>>> Hi,
>>>
>>> using Samba 4.4.2, on the Samba AD server the users have their primary
>>> group at 513 (domain users) but after a non-fixed time they get set to
>>> 100, like:
>>>
>>> [root@sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root@sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=513(DOMAIN\domain users)
>>> groups=513(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> <few minutes>
>>>
>>> [root@sambaserver:~]# id john
>>> uid=6032(DOMAIN\john) gid=100(DOMAIN\domain users)
>>> groups=100(DOMAIN\domain users),1013(DOMAIN\sales)
>>>
>>> then when I "net cache flush" do: they're back at 513... only for a while.
>>>
>>> The Linux workstations always see the users at 513, this only happens on
>>> the Samba server itself. This can happen with intervals of a few
>>> minutes, but I've also seen it being "stable" for a few hours.
>>>
>>> any ideas?
>>>
>>> thanks,
>>>
>>> Gerben

-- 
Grep IT                      tel: 0252-769005
Egelantier 3                 fax: 0252-769006
2211 NN Noordwijkerhout      g.roest at grepit.nl
The Netherlands              www.grepit.nl
Rowland penny
2016-Apr-29 06:45 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while
On 28/04/16 23:12, Gerben Roest wrote:
> I did some experimenting on my raspberry pi with samba-4.4.2 as AD
> server (fresh install, no upgrade), and adding a new user:
>
> samba-tool user add grepit --gid-number=513 --login-shell=/bin/bash
>
> and then checking it:
>
> root@pi6lan:/etc# wbinfo -i grepit
> ROEST\grepit:*:3000017:100::/home/grepit:/bin/bash
>
> root@pi6lan:/etc# id grepit
> uid=3000017(ROEST\grepit) gid=100(users)
> groups=100(users),3000017(ROEST\grepit),3000009(BUILTIN\users)
>
> my new user's primary group is 100! Why?
>
> My smb.conf is really basic:
>
> [global]
> netbios name = PI6LAN
> realm = ROEST.INTERN
> workgroup = ROEST
> dns forwarder = 192.168.13.253
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = yes
>
> root@pi6lan:/etc# net ads search "(SAMAccountName=grepit)"|grep 513
> primaryGroupID: 513
> gidNumber: 513
>
> I'm really curious why this new user is set to primary group 100. It
> appears not to be caused by samba ad, right?
>
> thanks
>
> Gerben

Because you think that by giving a user a gidNumber, this will be used
for the user's primary group :-)

Winbindd will use the user's primaryGroupID attribute, this normally
contains '513', it will check if this group (normally Domain Users)
contains a gidNumber and use this if it does. If no gidNumber is found,
it will then use the mapping in idmap.ldb and this is set to '100'

Rowland
Gerben Roest
2016-Apr-29 15:40 UTC
[Samba] primary group gets set to 100 on Samba AD server after a while [SOLVED]
On 29-04-16 08:45, Rowland penny wrote:
> Because you think that by giving a user a gidNumber, this will be used
> for the user's primary group :-)
>
> Winbindd will use the user's primaryGroupID attribute, this normally
> contains '513', it will check if this group (normally Domain Users)
> contains a gidNumber and use this if it does. If no gidNumber is found,
> it will then use the mapping in idmap.ldb and this is set to '100'

Indeed! I have used RSAT to edit the group "Domain Users", tab "UNIX
Attributes", set the NIS Domain, and edit GID to read 513.

It turns out that "net cache flush" and "smbcontrol all reload-config"
is not enough for this change, it worked only after killing samba, net
cache flush and starting samba again.

I also can confirm that if you don't edit "Domain Users" in RSAT,
editing idmap.ldb with (use your own path and sid)

ldbedit -e vim -H /usr/local/samba-4.4/private/idmap.ldb objectsid=<sid of domain users>

and changing the xidNumber: 100 to 513, and doing

smbcontrol all reload-config

and

net cache flush

also works.

Thanks Rowland!
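
Added example, not part of the thread and not Samba code: a Python model of the lookup order Rowland describes (the user's primaryGroupID, then that group's gidNumber, then the idmap.ldb mapping), used to flag accounts whose own gidNumber is not the primary GID the DC will report. The record layout, the placeholder SIDs and the function names are assumptions made for illustration.

```python
# Model of the primary-GID lookup order described in this thread (not Samba code).
# Constructed sample data in "attr: value" form; the SIDs are placeholders.
DIRECTORY = """\
sAMAccountName: grepit
objectSid: S-1-5-21-1111-2222-3333-1105
primaryGroupID: 513
gidNumber: 513

sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
"""
IDMAP = """\
objectSid: S-1-5-21-1111-2222-3333-513
xidNumber: 100
"""

def parse_records(text):
    """Split blank-line separated 'attr: value' blocks into dicts (lowercased keys)."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip().lower(): v.strip() for k, sep, v in pairs if sep})
    return records

def effective_primary_gid(user, directory, idmap):
    """Return (gid, source) using the order given in the thread."""
    # The primary group's SID is the user's domain SID plus the primaryGroupID RID.
    group_sid = user["objectsid"].rsplit("-", 1)[0] + "-" + user["primarygroupid"]
    group = next((r for r in directory if r.get("objectsid") == group_sid), {})
    if "gidnumber" in group:            # 1. gidNumber set on the primary group
        return int(group["gidnumber"]), "group gidNumber"
    for entry in idmap:                 # 2. fallback: mapping stored in idmap.ldb
        if entry.get("objectsid") == group_sid:
            return int(entry["xidnumber"]), "idmap.ldb xidNumber"
    return None, "unmapped"

def audit(directory_text, idmap_text):
    """Users whose own gidNumber differs from the primary GID that would be reported."""
    directory, idmap = parse_records(directory_text), parse_records(idmap_text)
    findings = []
    for rec in directory:
        if "primarygroupid" in rec and "gidnumber" in rec:
            gid, source = effective_primary_gid(rec, directory, idmap)
            if int(rec["gidnumber"]) != gid:
                findings.append((rec["samaccountname"], int(rec["gidnumber"]), gid, source))
    return findings

if __name__ == "__main__":
    print(audit(DIRECTORY, IDMAP))
```

With the sample data the account is flagged because its primary GID resolves to 100 from the idmap.ldb entry; once "Domain Users" carries gidNumber 513, the audit returns no findings.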