On Thu, 22 Feb 2018 17:17:54 +0100
Bastian Machek <bm at machek.systems> wrote:
> Am 2018-02-21 18:09, schrieb Rowland Penny via samba:
> > On Wed, 21 Feb 2018 17:16:30 +0100
> > Bastian Machek via samba <samba at lists.samba.org> wrote:
> >
> >> Hi *,
> >>
> >> I'm running a Samba 4 AD DC at home, which works pretty well,
> >> except one of my users has "dead" group entries, which cannot be
> >> mapped to a group name anymore. This is only for one user. As I'm
> >> having problems with idmap of that user, I assume the cause is
> >> these groups.
> >
> > What exactly do you mean by 'which cannot be mapped to a group
> > name' ?
> >
> >>
> >> Is there any way I can get rid of those?
> >>
> >
> > Not sure, don't know which groups you are referring to ;-)
> >
> > Can you post your smb.conf and give us a bit more info.
>
> This is what "id" of the user on the domain controller looks like:
> uid=3000042(xxx) gid=100(users) groups=100(users),3116(xxx\power user),3115(xxx\ws_admin),3000050,3000051
>
> I want to get rid of 3000050,3000051
>
> This is my smb.conf on the DC:
>
> [global]
> workgroup = XXX
> realm = xxx
> server role = active directory domain controller
> allow dns updates = nonsecure
> idmap_ldb:use rfc2307 = yes
> winbind nss info = rfc2307
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind refresh tickets = yes
> template shell = /bin/false
> ldap server require strong auth = no
> server services = +dns
>
Sorry, but you cannot set up smb.conf on a DC in the same way you set
up a Unix domain member. You might as well remove most of the lines
after 'idmap_ldb:use rfc2307 = yes'.
In order:
winbind nss info = rfc2307 : It doesn't work
winbind use default domain = Yes : It doesn't work
winbind enum users = Yes : It slows things down
winbind enum groups = Yes : It slows things down
winbind nested groups = Yes : It doesn't work
winbind refresh tickets = yes : not needed
template shell = /bin/false : It is a default setting
server services = +dns : Interesting one this, if it was '-dns' instead,
it would mean you are using Bind9 instead of the internal dns server.
If you aren't using Bind9, you should definitely remove this line.
I take it you have created a couple of groups (poweruser & ws_admin)
and given them a gidNumber attribute. Normally users & groups are
mapped to xidNumbers in idmap.ldb and this is where your 'dead' groups
are coming from; they are not 'dead', they are probably 'Well Known
SIDs'. You can find out who they are by searching in idmap.ldb with
ldbsearch or pdbedit.
Rowland
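As an added illustration of the lookup Rowland describes (not part of the thread), the script below pulls the unnamed group ids out of the `id` line and resolves one of them against an idmap.ldb record. The LDIF text is a constructed sample of what `ldbsearch` prints; the idmap.ldb path is the usual Samba location and is an assumption here.

```shell
# Constructed sample: the 'id' output quoted in the thread.
ID_LINE='uid=3000042(xxx) gid=100(users) groups=100(users),3116(xxx\power user),3115(xxx\ws_admin),3000050,3000051'

# Constructed sample of one idmap.ldb record as ldbsearch prints it.
# On a real DC the same text comes from (assumed default path):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=3000050)' objectSid type
SAMPLE_LDIF='# record 1
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000050
distinguishedName: CN=S-1-5-11

# returned 1 records
# 1 entries
# 0 referrals'

# Print the group ids from an 'id' line that carry no name in
# parentheses, i.e. xids winbind could not map to a group name.
unnamed_gids() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | grep -v '(' | tr '\n' ' ' | sed 's/ $//'
}

# Extract the objectSid from an ldbsearch LDIF dump of idmap.ldb.
sid_of() {
    printf '%s\n' "$1" | awk '$1 == "objectSid:" { print $2; exit }'
}

# Rough classification: domain SIDs live under S-1-5-21-<domain>;
# the other S-1-5-*, S-1-1-*, S-1-2-*, S-1-3-* values are well-known
# or BUILTIN SIDs that have no domain group to map back to.
sid_kind() {
    case "$1" in
        S-1-5-21-*) echo domain ;;
        S-1-1-*|S-1-2-*|S-1-3-*|S-1-5-*) echo well-known ;;
        *) echo unknown ;;
    esac
}

# Live lookup for one xid on a real DC (assumed idmap.ldb path).
resolve_xid() {
    ldbsearch -H /var/lib/samba/private/idmap.ldb "(xidNumber=$1)" objectSid type
}

for gid in $(unnamed_gids "$ID_LINE"); do
    echo "unmapped gid $gid (sample record resolves to $(sid_of "$SAMPLE_LDIF"), $(sid_kind "$(sid_of "$SAMPLE_LDIF")"))"
done
```

Replace `SAMPLE_LDIF` with the output of `resolve_xid <gid>` on the DC to see which SID each unmapped xid really belongs to.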