On 6/19/2020 1:55 PM, Rowland penny via samba wrote:
> ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep
> 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1
>
> Add 1 to the output and use that.
>
> Rowland

This is a newly setup DC and member server (both Debian 10.4 w/Samba v4.12.3).

I got:

root@dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1
root@dc01:~#

So, adding 0+1=1 . . . (I know THAT cannot be correct.) ;-)

If this helps any:

root@dc01:~# wbinfo -g
SAMDOM\cert publishers
SAMDOM\ras and ias servers
SAMDOM\allowed rodc password replication group
SAMDOM\denied rodc password replication group
SAMDOM\dnsadmins
SAMDOM\enterprise read-only domain controllers
SAMDOM\domain admins
SAMDOM\domain users
SAMDOM\domain guests
SAMDOM\domain computers
SAMDOM\domain controllers
SAMDOM\schema admins
SAMDOM\enterprise admins
SAMDOM\group policy creator owners
SAMDOM\read-only domain controllers
SAMDOM\dnsupdateproxy

root@dc01:~# wbinfo -n "Domain Users"
S-1-5-21-589789-1426474111-2143966843-513 SID_DOM_GROUP (2)

I have been troubleshooting to confirm a properly setup AD DC and member server.

All previous tests are passing.

Could I have some other issue?

-- 
Bob Wooden

On 19/06/2020 20:09, Robert E. Wooden via samba wrote:
> On 6/19/2020 1:55 PM, Rowland penny via samba wrote:
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep
>> 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1
>>
>> Add 1 to the output and use that.
>>
>> Rowland
>
> This is a newly setup DC and member server (both Debian 10.4 w/Samba
> v4.12.3).
>
> I got:
>
> root@dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(gidNumber=*)' | grep 'gidNumber:' | sed 's/gidNumber: //' | sort |
> tail -n1
> root@dc01:~#
>
> So, adding 0+1=1 . . . (I know THAT cannot be correct.) ;-)
>
> If this helps any:
>
> root@dc01:~# wbinfo -g
> SAMDOM\cert publishers
> SAMDOM\ras and ias servers
> SAMDOM\allowed rodc password replication group
> SAMDOM\denied rodc password replication group
> SAMDOM\dnsadmins
> SAMDOM\enterprise read-only domain controllers
> SAMDOM\domain admins
> SAMDOM\domain users
> SAMDOM\domain guests
> SAMDOM\domain computers
> SAMDOM\domain controllers
> SAMDOM\schema admins
> SAMDOM\enterprise admins
> SAMDOM\group policy creator owners
> SAMDOM\read-only domain controllers
> SAMDOM\dnsupdateproxy
>
> root@dc01:~# wbinfo -n "Domain Users"
> S-1-5-21-589789-1426474111-2143966843-513 SID_DOM_GROUP (2)
>
> I have been troubleshooting to confirm a properly setup AD DC and
> member server.
>
> All previous tests are passing.
>
> Could I have some other issue?
>

Did you miss this:

if Domain Users does not have a gidNumber, you probably do not have any yet, so you can use whatever number you like, but I would recommend using the Number that ADUC started from: '10000'

You will probably not have any uidNumbers yet either, but if you have added any users, 'samba-tool user' has a similar option to the group one. If you haven't added any users, see 'samba-tool user create --help' for more info.

Again, I would start the range from '10000'. A user can have the same uidNumber as a group's gidNumber, they will never be mistaken one for the other.

Rowland

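Added example (not part of the thread): a shell function that takes the ldbsearch output from the pipeline quoted above and prints the next gidNumber to assign. It compares values numerically (a plain sort places 9999 after 100000) and returns 10000, the starting number recommended above, when no gidNumber exists yet; the function names, sample DNs and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. START_GID is the starting number
# recommended in the thread; next_gid and the sample data are constructed.
START_GID=10000

# Read ldbsearch LDIF on stdin and print the next gidNumber to assign.
# On a DC the input would come from:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' gidNumber
next_gid() {
    awk -v start="$START_GID" '
        # Attribute names are case-insensitive; accept only all-digit values.
        tolower($1) == "gidnumber:" && $2 ~ /^[0-9]+$/ {
            if ($2 + 0 > max) max = $2 + 0   # numeric, not lexical, compare
            found = 1
        }
        END {
            if (found) printf "%d\n", max + 1
            else       printf "%d\n", start  # directory has no gidNumber yet
        }'
}

# Constructed sample: three groups that already carry a gidNumber.
sample_with_gids() {
    cat <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10000

# record 2
dn: CN=groupA,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 9999

# record 3
dn: CN=groupB,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 100000
EOF
}

# Constructed sample: a fresh domain, the search matches nothing.
sample_empty() {
    cat <<'EOF'
# returned 0 records
# 0 entries
# 0 referrals
EOF
}

echo "with gidNumbers: $(sample_with_gids | next_gid)"
echo "fresh domain:    $(sample_empty | next_gid)"
```
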
> You will probably not have any uidNumbers yet either, but if you have
> added any users, 'samba-tool user' has a similar option to the group
> one. If you haven't added any users, see 'samba-tool user create
> --help' for more info.
>
> Rowland
>

No, I have not added any groups as yet but, I did add four users via RSAT.

Now:

root@dc01:~# samba-tool group addunixattrs "Domain Users" 10000
Usage: samba-tool group <subcommand>

Group management.

Options:
  -h, --help  show this help message and exit

Available subcommands:
  add            - Creates a new AD group.
  addmembers     - Add members to an AD group.
  delete         - Deletes an AD group.
  list           - List all groups.
  listmembers    - List all members of an AD group.
  move           - Move a group to an organizational unit/container.
  removemembers  - Remove members from an AD group.
  show           - Display a group AD object.

For more help on a specific subcommand, please type: samba-tool group <subcommand> (-h|--help)

root@dc01:~# samba-tool group list
Server Operators
Distributed COM Users
IIS_IUSRS
Group Policy Creator Owners
Domain Computers
Print Operators
Cert Publishers
DnsAdmins
Incoming Forest Trust Builders
Guests
Event Log Readers
Backup Operators
Replicator
Domain Admins
Cryptographic Operators
Windows Authorization Access Group
Terminal Server License Servers
RAS and IAS Servers
Network Configuration Operators
Allowed RODC Password Replication Group
Remote Desktop Users
Denied RODC Password Replication Group
Enterprise Read-only Domain Controllers
Performance Log Users
Read-only Domain Controllers
Enterprise Admins
Users
Account Operators
Performance Monitor Users
Domain Guests
Domain Users
Schema Admins
Pre-Windows 2000 Compatible Access
DnsUpdateProxy
Certificate Service DCOM Access
Domain Controllers
Administrators

I do not see any "addunixattrs" group? Therefore, I do not understand how that string will do anything? (But, I am the novice.)

-- 
Bob Wooden