Rowland penny
2020-Dec-13 10:01 UTC
[Samba] Domain admins group missing from domain member
On 13/12/2020 02:09, Carlos Jesus via samba wrote:
> Hi all,
> I'm having a strange issue with one of my samba domains that I hope you can
> help with.
> Simply put, getent group|grep "domain admins" returns (as expected) domain
> admins:x:3000061: on both my DCs, but comes out empty on both Linux domain
> members.

Not sure why that worked; it shouldn't, because you don't have 'winbind enum groups = yes' in your DC's smb.conf.

Also, you are using the 'ad' backend on the Unix domain member, and '3000061' isn't a gidNumber, it is an xidNumber and only used on DCs.

This actually is a good thing, because if you do give Domain Admins a gidNumber, it just becomes a group and cannot own files and folders in sysvol.

Rowland
Sorry, my bad. Those lines are in fact in smb.conf of both DCs and DMs. I removed them after test #3 to see if winbind was properly detecting things and forgot to add them back.

So, with those lines back in (and after a smbcontrol all reload-config), on a DM I get:

getent group|grep "domain users" gives domain users:x:10001: as expected
getent group|grep "domain admins" comes out blank

On a DC:

getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:

As for the gidNumber vs xidNumber, there are multiple discussions on the mailing list about this and even the wiki advises against it (https://wiki.samba.org/index.php/Sysvolreset for example), so I didn't use the gidNumber for Domain Admins. Could this be the reason?

Best regards,
Carlos

Rowland penny via samba <samba at lists.samba.org> wrote on Sunday, 13/12/2020 at 10:02:
> On 13/12/2020 02:09, Carlos Jesus via samba wrote:
> > Hi all,
> > I'm having a strange issue with one of my samba domains that I hope you can
> > help with.
> > Simply put, getent group|grep "domain admins" returns (as expected) domain
> > admins:x:3000061: on both my DCs, but comes out empty on both Linux domain
> > members.
>
> Not sure why that worked; it shouldn't, because you don't have 'winbind enum groups = yes' in your DC's smb.conf.
>
> Also, you are using the 'ad' backend on the Unix domain member, and '3000061' isn't a gidNumber, it is an xidNumber and only used on DCs.
>
> This actually is a good thing, because if you do give Domain Admins a gidNumber, it just becomes a group and cannot own files and folders in sysvol.
>
> Rowland
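The distinction the thread turns on (a DC-local xidNumber from idmap.ldb versus an rfc2307 gidNumber stored in AD, which is what an 'ad' idmap backend on a domain member resolves) can be checked from `getent group` output. The script below is an added example, not code from the thread or from the Samba project. It assumes the DC's idmap.ldb default xidNumber allocation range of 3000000-3999999, uses the two group lines Carlos reported on his DC as constructed sample input, and treats any ID outside that range as a gidNumber, as 'domain users' (10001) is in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify entries from `getent group`
# on a Samba AD DC and predict which ones a Unix domain member using the
# 'ad' idmap backend can resolve.
#
# Assumptions (not stated on the page):
#  - The DC allocates xidNumbers from its local idmap.ldb, by default in the
#    range 3000000-3999999. Such IDs exist only on that DC; they are not
#    gidNumbers and are never read from AD by a domain member.
#  - A member with 'idmap config SAMDOM : backend = ad' resolves only groups
#    that carry a gidNumber attribute in AD ('domain users' -> 10001 here).

XID_LOW=3000000
XID_HIGH=3999999

# classify_gid GID -> prints "gidNumber", "xidNumber" or "unknown"
classify_gid() {
    gid=$1
    case "$gid" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$gid" -ge "$XID_LOW" ] && [ "$gid" -le "$XID_HIGH" ]; then
        echo xidNumber
    else
        echo gidNumber
    fi
}

# Constructed sample output, mirroring what the thread reports on a DC.
SAMPLE_DC='SAMDOM\domain users:x:10001:
SAMDOM\domain admins:x:3000061:'

# report_groups GETENT_OUTPUT -> one tab-separated line per group:
# name, id, classification, and the expected result on an 'ad'-backend member.
report_groups() {
    printf '%s\n' "$1" | while IFS=: read -r name _ gid _; do
        kind=$(classify_gid "$gid")
        if [ "$kind" = xidNumber ]; then
            visible="not resolvable on 'ad' backend members (no gidNumber in AD)"
        else
            visible="resolvable on 'ad' backend members"
        fi
        printf '%s\t%s\t%s\t%s\n' "$name" "$gid" "$kind" "$visible"
    done
}

# count_xid GETENT_OUTPUT -> number of entries whose id is a DC-local xidNumber
count_xid() {
    printf '%s\n' "$1" |
        awk -F: -v lo="$XID_LOW" -v hi="$XID_HIGH" \
            '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }'
}

report_groups "$SAMPLE_DC"
```

Run it against real output with `report_groups "$(getent group)"` on a DC; an entry classified as xidNumber is exactly the case Rowland describes: the DC can show it, but an 'ad'-backend member will not, and for Domain Admins that is the intended state so the group can still own files in sysvol.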