On 6/19/2020 10:00 AM, Rowland penny via samba wrote:
>
> The easiest way is to upgrade to 4.12.x and then use '_*samba-tool
> group addunixattrs*_', otherwise you could use ldbedit or create an
> ldif and use ldbmodify or ldapmodify. Another option would be to use
> something like LAM.
>
> Rowland

Sorry, but, there is what you told me to do in your first email reply.

AND it does not matter to me, who did what.

I have already _deleted the "unixattrs" group that had been created_.

Now, on to this.

When I do this:

root@dc01:~# samba-tool group list
Server Operators
Distributed COM Users
IIS_IUSRS
Group Policy Creator Owners
Domain Computers
Print Operators
Cert Publishers
DnsAdmins
Incoming Forest Trust Builders
Guests
Event Log Readers
Backup Operators
Replicator
Domain Admins
Cryptographic Operators
Windows Authorization Access Group
Terminal Server License Servers
RAS and IAS Servers
Network Configuration Operators
Allowed RODC Password Replication Group
Remote Desktop Users
Denied RODC Password Replication Group
Enterprise Read-only Domain Controllers
Performance Log Users
Read-only Domain Controllers
Enterprise Admins
Users
Account Operators
Performance Monitor Users
Domain Guests
Domain Users
Schema Admins
Pre-Windows 2000 Compatible Access
DnsUpdateProxy
Certificate Service DCOM Access
Domain Controllers
Administrators

I do not see a group "addunixattrs"?

If I run your suggestion "/samba-tool group addunixattrs <groupname> <next_available_gidNumber>/" how do I determine the "<next_available_gidNumber>" or is that "next number" found by your command suggestion?

Clearly, the "groupname" is 'Domain Users'.

Finding the "next gidNumber" becomes the next question?

Bob Wooden

On 19/06/2020 19:31, Robert E. Wooden via samba wrote:
> On 6/19/2020 10:00 AM, Rowland penny via samba wrote:
>>
>> The easiest way is to upgrade to 4.12.x and then use '_*samba-tool
>> group addunixattrs*_', otherwise you could use ldbedit or create an
>> ldif and use ldbmodify or ldapmodify. Another option would be to use
>> something like LAM.
>>
>> Rowland
>
> Sorry, but, there is what you told me to do in your first email reply.
>
> AND it does not matter to me, who did what.
>
> I have already _deleted the "unixattrs" group that had been created_.
>
> Now, on to this.
>
> When I do this:
>
> root@dc01:~# samba-tool group list
> Server Operators
> Distributed COM Users
> IIS_IUSRS
> Group Policy Creator Owners
> Domain Computers
> Print Operators
> Cert Publishers
> DnsAdmins
> Incoming Forest Trust Builders
> Guests
> Event Log Readers
> Backup Operators
> Replicator
> Domain Admins
> Cryptographic Operators
> Windows Authorization Access Group
> Terminal Server License Servers
> RAS and IAS Servers
> Network Configuration Operators
> Allowed RODC Password Replication Group
> Remote Desktop Users
> Denied RODC Password Replication Group
> Enterprise Read-only Domain Controllers
> Performance Log Users
> Read-only Domain Controllers
> Enterprise Admins
> Users
> Account Operators
> Performance Monitor Users
> Domain Guests
> Domain Users
> Schema Admins
> Pre-Windows 2000 Compatible Access
> DnsUpdateProxy
> Certificate Service DCOM Access
> Domain Controllers
> Administrators
>
> I do not see a group "addunixattrs"?
>
> If I run your suggestion "/samba-tool group addunixattrs <groupname>
> <next_available_gidNumber>/" how do I determine the
> "<next_available_gidNumber>" or is that "next number" found by your
> command suggestion?
>
> Clearly, the "groupname" is 'Domain Users'.
>
> Finding the "next gidNumber" becomes the next question?
>
> Bob Wooden
>

All of this would have been a lot easier if I could have added the code to obtain the next available u/gidNumber ;-)

Oh well, it isn't there, so you have to add it manually, you need to find the next available gidNumber and use that, if Domain Users does not have a gidNumber, you probably do not have any yet, so you can use whatever number you like, but I would recommend using the Number that ADUC started from: '10000'

If you do have any gidNumbers in AD, you can find the highest with this search:

ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1

Add 1 to the output and use that.

Rowland

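The lookup described in the message above, as an added example that is not part of the original post or of Samba's own tooling: it takes ldbsearch LDIF output, compares the gidNumber values numerically, and falls back to 10000 when no entry has a gidNumber. The names `next_gid`, `sample_ldif` and `DEFAULT_START` are hypothetical, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: next free gidNumber from ldbsearch LDIF output.

# Start value when AD has no gidNumber at all (10000, as recommended above).
DEFAULT_START=10000

# next_gid (hypothetical helper): reads LDIF on stdin, prints highest
# gidNumber + 1, or DEFAULT_START when no entry carries the attribute.
next_gid() {
    awk -v start="$DEFAULT_START" '
        tolower($1) == "gidnumber:" {
            v = $2
            sub(/\r$/, "", v)              # tolerate CRLF line endings
            if (v ~ /^[0-9]+$/) {          # ignore anything non-numeric
                found = 1
                if (v + 0 > max) max = v + 0   # numeric, not text, comparison
            }
        }
        END { print (found ? max + 1 : start) }
    '
}

# Constructed sample in the shape ldbsearch prints (not from a real domain).
# A text sort of these values would put 9999 last; the real maximum is 10010.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10002

# record 2
dn: CN=legacy,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 9999

# record 3
dn: CN=staff,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10010

# returned 3 records
EOF
}

sample_ldif | next_gid        # some gidNumbers present
printf '' | next_gid          # none present: falls back to DEFAULT_START

# On a DC, feed it the live search instead:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' gidNumber | next_gid
```
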
On 6/19/2020 1:55 PM, Rowland penny via samba wrote:
> ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep
> 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1
>
> Add 1 to the output and use that.
>
> Rowland

This is a newly setup DC and member server (both Debian 10.4 w/Samba v4.12.3).

I got:

root@dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1
root@dc01:~#

So, adding 0+1=1 . . . (I know THAT cannot be correct.) ;-)

If this helps any:

root@dc01:~# wbinfo -g
SAMDOM\cert publishers
SAMDOM\ras and ias servers
SAMDOM\allowed rodc password replication group
SAMDOM\denied rodc password replication group
SAMDOM\dnsadmins
SAMDOM\enterprise read-only domain controllers
SAMDOM\domain admins
SAMDOM\domain users
SAMDOM\domain guests
SAMDOM\domain computers
SAMDOM\domain controllers
SAMDOM\schema admins
SAMDOM\enterprise admins
SAMDOM\group policy creator owners
SAMDOM\read-only domain controllers
SAMDOM\dnsupdateproxy
root@dc01:~# wbinfo -n "Domain Users"
S-1-5-21-589789-1426474111-2143966843-513 SID_DOM_GROUP (2)

I have been troubleshooting to confirm a properly setup AD DC and member server. All previous tests are passing.

Could I have some other issue?

--
Bob Wooden