Łukasz Michalski
2019-Jun-05 09:04 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 6/5/19 10:06 AM, Rowland penny via samba wrote:
>>
>> Now I have problems with id mapping configuration:
>>
>> wbinfo -u works.
>> wbinfo -g works.
>> getent group does not list domain users and groups.
>>
>> I logged into PDC and checked gidNumber for "Domain Users":
>>
>> [root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
>> S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)
> Nope, that is the 'SID-RID'
>>
>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
>> 985 (same as 'users' unix gid on host)
> where did the '985' come from ?

I think from there:

[root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
cn: S-1-5-21-4155694911-3186826046-1573605777-513
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985
distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513

[root at site-ad ~]# ldbsearch -H /var/lib/samba/private/sam.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513 |grep gidNumber
(returns nothing)

>>
>> And the same check for "Domain Admins":
>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-512
>> 3000004
> Oh good, 'Domain Admins' doesn't have a gidNumber attribute.
>>
>>
> Absolutely nothing wrong with that smb.conf ;-)
>> Wiki says that an uid and gid Number must be in the EXAMPLE:range, which I set to 10000-999999
>> I checked all groups and besides "Domain Members" all of them have the gidNumber > 3000000
>
> Where did you check ?
>
> In 'idmap.ldb' or 'sam.ldb' ?
>
>
> I more and more think you are looking inside 'idmap.ldb' and mistaking 'xidNumber' attributes for 'uidNumber' & 'gidNumber' attributes.
>

Yes, that is the case.

I added gidNumber: 10000 to sam.ldb and now I see "Domain Users" group on member:

[root at universe ~]# getent group |grep EXAMPLE
EXAMPLE\domain users:x:10000:

Should I leave xidNumber set to 985 in idmap.ldb?
Should I add gidNumber to all groups listed by wbinfo -g?

Many thanks for your help,
Łukasz
Rowland penny
2019-Jun-05 09:26 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>
>>>
>>> [root at site-ad ~]# wbinfo --sid-to-gid
>>> S-1-5-21-4155694911-3186826046-1573605777-513
>>> 985 (same as 'users' unix gid on host)
>> where did the '985' come from ?
>
> I think from there:
>
> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb
> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
> # record 1
> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
> cn: S-1-5-21-4155694911-3186826046-1573605777-513
> objectClass: sidMap
> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
> type: ID_TYPE_GID
> xidNumber: 985
> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513

An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'

Who changed the 'xidNumber' value from a number in the '3000000' range to '985' and why ?

>
> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513 |grep gidNumber
> (returns nothing)

Then it does not have a 'gidNumber' attribute and you will not get any AD users on the Unix domain member.

>
>
> Yes, that is the case.

Well, stop, use 'sam.ldb'

>
>
> I added gidNumber: 10000 to sam.ldb and now I see "Domain Users" group
> on member:
>
> [root at universe ~]# getent group |grep EXAMPLE
> EXAMPLE\domain users:x:10000:

Just need to add 'uidNumber' attributes to your users now.

>
> Should I leave xidNumber set to 985 in idmap.ldb?

You can ignore it, Domain Users will now be using '10000', even on the DC.

>
> Should I add gidNumber to all groups listed by wbinfo -g?

No, just as and when you find one that you need to use on Unix, most are just Windows groups.

Rowland
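A small checker that puts the xidNumber/gidNumber distinction from the reply above into code. It is an added example for this thread, not code from Samba or from either poster; it parses ldbsearch output (constructed samples mirroring the records quoted above) and assumes the member's range is 10000-999999 as stated in the thread.

```python
# Added example, not Samba's own code: decide whether a Unix domain member
# using the idmap_ad backend will see a group via getent group. Only a
# gidNumber in sam.ldb inside the member's configured range counts; an
# xidNumber in idmap.ldb is a DC-local allocation and is ignored.

def parse_ldif(text):
    """Parse ldbsearch output into a list of {attr: [values]} dicts,
    skipping '# record N' / '# returned N records' comment lines."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends a record
            if cur:
                records.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records

def xid_number(idmap_ldif):
    """The xidNumber from an idmap.ldb record, or None. NOT a gidNumber."""
    recs = parse_ldif(idmap_ldif)
    return int(recs[0]["xidNumber"][0]) if recs and "xidNumber" in recs[0] else None

def member_gid(sam_ldif, id_range=(10000, 999999)):
    """Return (gid, status): the gidNumber the member will use, or None with
    'missing-gidNumber' / 'out-of-range' when winbind will not map it."""
    recs = parse_ldif(sam_ldif)
    if not recs or "gidNumber" not in recs[0]:
        return None, "missing-gidNumber"
    gid = int(recs[0]["gidNumber"][0])
    if not id_range[0] <= gid <= id_range[1]:
        return None, "out-of-range"
    return gid, "ok"

# Constructed samples mirroring the thread (range 10000-999999 as configured).
IDMAP_LDB_OUT = """# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985
"""
SAM_LDB_BEFORE = """# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
"""
SAM_LDB_AFTER = SAM_LDB_BEFORE + "gidNumber: 10000\n"
```

Feeding the real `ldbsearch -H /var/lib/samba/private/sam.ldb objectsid=<SID>` output to `member_gid` tells you which of the groups from `wbinfo -g` will actually resolve on the member.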
Łukasz Michalski
2019-Jun-05 09:44 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 6/5/19 11:26 AM, Rowland penny via samba wrote:
> On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>>
>>>>
>>>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
>>>> 985 (same as 'users' unix gid on host)
>>> where did the '985' come from ?
>>
>> I think from there:
>>
>> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
>> # record 1
>> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>> cn: S-1-5-21-4155694911-3186826046-1573605777-513
>> objectClass: sidMap
>> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
>> type: ID_TYPE_GID
>> xidNumber: 985
>> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>
> An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'
>
> Who changed the 'xidNumber' value from a number in the '3000000' range to '985' and why ?
>

Dunno, I just ran:

samba-tool domain provision --use-rfc2307 --interactive

I did not touch ldap databases by hand afterwards.

Regards,
Łukasz