Łukasz Michalski
2019-Jun-05 09:44 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 6/5/19 11:26 AM, Rowland penny via samba wrote:
> On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>>
>>>>
>>>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
>>>> 985 (same as 'users' unix gid on host)
>>> where did the '985' come from ?
>>
>> I think from there:
>>
>> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
>> # record 1
>> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>> cn: S-1-5-21-4155694911-3186826046-1573605777-513
>> objectClass: sidMap
>> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
>> type: ID_TYPE_GID
>> xidNumber: 985
>> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>
> An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'
>
> Who changed the 'xidNumber' value from a number in the '3000000' range to '985' and why ?
>

Dunno, I just run:

samba-tool domain provision --use-rfc2307 --interactive

I did not touch ldap databases by hand afterwards.

Regards,
Łukasz

Rowland penny
2019-Jun-05 09:55 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 05/06/2019 10:44, Łukasz Michalski via samba wrote:
> On 6/5/19 11:26 AM, Rowland penny via samba wrote:
>> On 05/06/2019 10:04, Łukasz Michalski via samba wrote:
>>>
>>>>>
>>>>> [root at site-ad ~]# wbinfo --sid-to-gid
>>>>> S-1-5-21-4155694911-3186826046-1573605777-513
>>>>> 985 (same as 'users' unix gid on host)
>>>> where did the '985' come from ?
>>>
>>> I think from there:
>>>
>>> [root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb
>>> objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
>>> # record 1
>>> dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>>> cn: S-1-5-21-4155694911-3186826046-1573605777-513
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
>>> type: ID_TYPE_GID
>>> xidNumber: 985
>>> distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513
>>
>> An 'xidNumber' is NOT a 'uidNumber' or 'gidNumber'
>>
>> Who changed the 'xidNumber' value from a number in the '3000000'
>> range to '985' and why ?
>>
>
> Dunno, I just run:
>
> samba-tool domain provision --use-rfc2307 --interactive
>
> I did not touch ldap databases by hand afterwards.
>
> Regards,
> Łukasz
>
>
>

Someone did, because the xidNumber for Domain Users is set to '100' by default.

If you didn't change it, then change the root and Administrator passwords now, someone has access.

Rowland

Łukasz Michalski
2019-Jun-05 10:16 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
>>
>> Dunno, I just run:
>>
>> samba-tool domain provision --use-rfc2307 --interactive
>>
>> I did not touch ldap databases by hand afterwards.
>>
>> Regards,
>> Łukasz
>>
>>
>>
> Someone did, because the xidNumber for Domain Users is set to '100' by default.
>
> If you didn't change it, then change the root and Administrator passwords now, someone has access.
>

I am sure that nobody did this - this is brand new setup, no one has access to it yet besides me.

985 is 'users' gid on samba AD host:

[root at site-ad ~]# cat /etc/group |grep users
users:x:985:

Regards,
Łukasz

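An added example, not part of any message in the thread: a small Python check that compares the xidNumber values in ldbsearch output from idmap.ldb against local /etc/group gids, the coincidence pointed out in the last message. The sample data is constructed from the output quoted above (the second record is invented for contrast), the function names are hypothetical, and LDIF line folding is assumed not to occur.

```python
# Constructed sample data, modelled on the ldbsearch record and /etc/group line in the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985

# record 2 (constructed for contrast)
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-512
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-512
type: ID_TYPE_BOTH
xidNumber: 3000004
"""
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:\nusers:x:985:\n"


def parse_idmap(ldif):
    """Return (sid, type, xid) for each sidMap record in ldbsearch output."""
    records = []
    for block in ldif.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and anything that is not 'attr: value'
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            records.append((attrs["objectSid"], attrs.get("type", ""), int(attrs["xidNumber"])))
    return records


def parse_group(text):
    """Map gid -> group name from /etc/group style lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[int(fields[2])] = fields[0]
    return groups


def find_gid_collisions(ldif, group_text):
    """sidMap entries usable as a gid whose xidNumber matches a local group."""
    local = parse_group(group_text)
    return [(sid, xid, local[xid]) for sid, kind, xid in parse_idmap(ldif)
            if kind in ("ID_TYPE_GID", "ID_TYPE_BOTH") and xid in local]
```

On a real host, the two inputs would be the text of an unfiltered `ldbsearch -H /var/lib/samba/private/idmap.ldb` run and the contents of `/etc/group`.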