Sorry, my bad.
Those lines are in fact in smb.conf of both DC's and DM's. I removed them after test #3 to see if winbind was properly detecting things and forgot to add them back.

So, with those lines back in (and after a smbcontrol all reload-config), on a DM I get:
getent group|grep "domain users" gives domain users:x:10001: as expected
getent group|grep "domain admins" comes out blank
On a DC
getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:

As for the gidNumber vs xidNumber, there are multiple discussions on the mailing list about this and even the wiki advises against it (https://wiki.samba.org/index.php/Sysvolreset for example), so I didn't use the gidNumber for Domain Admins.
Could this be the reason?

Best regards,
Carlos

Rowland penny via samba <samba at lists.samba.org> wrote on Sunday, 13/12/2020 at 10:02:
> On 13/12/2020 02:09, Carlos Jesus via samba wrote:
> > Hi all,
> > I'm having a strange issue with one of my samba domains that I hope you can help with.
> > Simply put, getent group|grep "domain admins" returns (as expected) domain admins:x:3000061: on both my DC's, but comes out empty on both linux domain members.
>
> Not sure why that worked, it shouldn't because you don't have 'winbind enum groups = yes' in your DC's smb.conf
>
> Also you are using the 'ad' backend on the Unix domain member and '3000061' isn't a gidNumber, it is an xidNumber and only used on DC's. This actually is a good thing, because if you do give Domain Admins a gidNumber, it just becomes a group and cannot own files and folders in sysvol.
>
> Rowland
Rowland penny
2020-Dec-13 12:54 UTC
[Samba] Domain admins group missing from domain member
On 13/12/2020 12:28, Carlos Jesus wrote:
> Sorry, my bad.
> Those lines are in fact in smb.conf of both DC's and DM's. I removed them after test #3 to see if winbind was properly detecting things and forgot to add them back.
>
> So, with those lines back in (and after a smbcontrol all reload-config), on a DM I get:
> getent group|grep "domain users" gives domain users:x:10001: as expected
> getent group|grep "domain admins" comes out blank
> On a DC
> getent group|grep "domain users" gives SAMDOM\domain users:x:10001:
> getent group|grep "domain admins" gives SAMDOM\domain admins:x:3000061:

All that the 'winbind enum' lines do is allow 'getent' to print all users & groups. This isn't really a problem in a small domain, but in a large domain it can grind everything to a crawl. However, you don't need the lines because, without them, 'getent group groupname' will produce the same output as 'getent group | grep groupname'.

> As for the gidNumber vs xidNumber, there are multiple discussions on the mailing list about this and even the wiki advises against it (https://wiki.samba.org/index.php/Sysvolreset for example)

I know, I am usually the one advising about it and who do you think added the info to the wiki?

> so I didn't use the gidNumber for Domain Admins.

Good

> Could this be the reason?

Yes, unless a Windows user has a uidNumber, or a Windows group has a gidNumber, they are unknown to Unix. I suggest you read this for more information about why giving Domain Admins a gidNumber is a bad idea:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

Rowland
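A small diagnostic added here (not part of the thread and not Samba's own tooling) that encodes the point Rowland makes: a group whose numeric id on a DC comes from the DC-local xidNumber allocation has no gidNumber in AD, so the 'ad' idmap backend on a domain member cannot map it. It assumes the DC allocates xidNumbers from 3000000 upward (the idmap.ldb default; adjust XID_MIN otherwise) and feeds in constructed 'getent group' lines modelled on the DC output quoted above.

```shell
#!/bin/sh
# Added example: classify 'getent group' lines taken on a DC by whether the
# id is an AD gidNumber (resolvable on an 'ad'-backend member) or a DC-local
# xidNumber (not resolvable there). Assumption: xidNumbers start at 3000000.
XID_MIN=3000000

# classify_group "name:x:gid:members" -> prints "gidNumber" or "xidNumber"
classify_group() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ "$gid" -ge "$XID_MIN" ]; then
        echo "xidNumber"
    else
        echo "gidNumber"
    fi
}

# report_groups: reads getent output on stdin, prints one verdict per group
report_groups() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=$(printf '%s\n' "$line" | cut -d: -f1)
        kind=$(classify_group "$line") || continue
        if [ "$kind" = "xidNumber" ]; then
            printf '%s: DC-local %s, no gidNumber -> will not resolve on an ad-backend member\n' "$name" "$kind"
        else
            printf '%s: %s -> resolvable on a domain member\n' "$name" "$kind"
        fi
    done
}

# Constructed sample mirroring the DC output quoted in the thread
SAMPLE='SAMDOM\domain users:x:10001:
SAMDOM\domain admins:x:3000061:'

printf '%s\n' "$SAMPLE" | report_groups
```

On a real DC, replace the sample with `getent group | report_groups`; any group flagged as xidNumber is one you would expect to be missing from `getent group` on an 'ad'-backend member.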