On 2017-09-26 at 16:16, Rowland Penny via samba wrote:
> Very simple Stefan, there is a bug and a simple workaround, never (not
> ever) run 'wbinfo -G 100' on a DC if you have given Domain Users a
> gidNumber ;-)

hit the same issue with a domain group today (DC and DM w/ samba-4.6.8)

Solution: net cache flush, recreate the group via samba-tool, and --gid-number

before that the group had a gid of 3000013 and wasn't shown on the DM, even when the idmap range there was up to 9999999.

Your reported bug still sits there unnoticed, right?

Stefan

On Mon, 9 Oct 2017 20:12:27 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 2017-09-26 at 16:16, Rowland Penny via samba wrote:
>
> > Very simple Stefan, there is a bug and a simple workaround, never
> > (not ever) run 'wbinfo -G 100' on a DC if you have given Domain
> > Users a gidNumber ;-)
>
> hit the same issue with a domain group today (DC and DM w/
> samba-4.6.8)
>
> Solution:
>
> net cache flush, recreate the group via samba-tool, and --gid-number
>
> before that the group had a gid of 3000013 and wasn't shown on the
> DM, even when the idmap range there was up to 9999999.

Unless you have done something strange like giving a group the gidNumber '3000013', this is an xidNumber and isn't used anywhere except on a DC. It is also probably one of the Well Known SIDs, so you shouldn't remove and recreate one of these. Which leads us to the obvious question, what was the group name?

> Your reported bug still sits there unnoticed, right?

Not unnoticed, just not yet resolved ;-)

Rowland

On 2017-10-09 at 20:29, Rowland Penny wrote:
> Unless you have done something strange like giving a group the
> gidNumber '3000013', this is an xidNumber and isn't used anywhere
> except on a DC. It is also probably one of the Well Known SIDs, so
> you shouldn't remove and recreate one of these. Which leads us to
> the obvious question, what was the group name ?

Actually, it's still there on the DC:

    # wbinfo --group-info="domain admins"
    ARBEITSGRUPPE\domain admins:x:3000013:

    # net cache flush

    # wbinfo --group-info="domain admins"
    ARBEITSGRUPPE\domain admins:x:10512:

The new and needed group for the particular ACL:

    # wbinfo --group-info="gfass"
    ARBEITSGRUPPE\gfass:x:10580:

I chose 10850 just to make sure I am away from other IDs.
Is there a simple way to read the (highest) used group-id?

btw: ACLs work now for the specific folders/ groups, that is not the problem.

>> Your reported bug still sits there unnoticed, right?
>
> Not unnoticed, just not yet resolved ;-)

Ah, I see ;-) good.
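
Added example, not part of the thread: a shell sketch that reads group lines in the `name:x:gid:` form shown in the wbinfo output above, reports the highest gid inside a chosen range, and lists groups whose id looks like a DC-local xidNumber. The function names, the 10000-2999999 range, the 3000000 threshold and the "example group" entry are assumptions; the sample lines are constructed from values quoted in the thread.

```sh
#!/bin/sh
# Constructed sample input in the "name:x:gid:members" form that
# 'wbinfo --group-info' prints. "example group" is a made-up name.
sample_groups() {
    cat <<'EOF'
ARBEITSGRUPPE\domain admins:x:10512:
ARBEITSGRUPPE\gfass:x:10580:
ARBEITSGRUPPE\example group:x:3000013:
EOF
}

# highest_gid LOW HIGH
# Reads group lines on stdin and prints "<gid> <name>" for the highest
# gid within [LOW, HIGH]. Prints nothing when no group is in range.
highest_gid() {
    awk -F: -v lo="$1" -v hi="$2" '
        $3 ~ /^[0-9]+$/ && $3+0 >= lo && $3+0 <= hi && $3+0 > max {
            max = $3 + 0; name = $1
        }
        END { if (max) printf "%d %s\n", max, name }
    '
}

# xid_range_groups THRESHOLD
# Prints every group line whose id is at or above THRESHOLD, i.e. ids
# that were probably allocated locally on the DC (like 3000013 in the
# thread) rather than set as a gidNumber.
xid_range_groups() {
    awk -F: -v t="$1" '$3 ~ /^[0-9]+$/ && $3+0 >= t'
}

# Demonstration on the constructed sample (range bounds are assumed).
sample_groups | highest_gid 10000 2999999
sample_groups | xid_range_groups 3000000
```

Both functions only read stdin, so collected `wbinfo --group-info` output can be piped in instead of `sample_groups`.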