thr3ads.net - samba - [Samba] Winbind Map [Mar 2022]

If this information is useful, please help other people find it:
Share via:

Anderson Sampaio Mello

2022-Mar-16 02:21 UTC

[Samba] Winbind Map

Hi Rowland.
Thanks for the answer

The command I type is wbinfo --group-info name-group, example:
wbinfo --group-info administrators
Output:
DOMAIN\administrators:x:3000024

But when I inform the BUILTIN before, the mapping appears, for example:
wbinfo --group-info BUILTIN\\administrators
Output:
BUILTIN\administrators:x:3000000

The server has samba version 4.15.4 installed in the ADDC server role.

Em ter., 15 de mar. de 2022 ?s 17:47, Rowland Penny via samba <
samba at lists.samba.org> escreveu:
> On Wed, 2022-03-09 at 02:59 -0300, Anderson Sampaio Mello via samba
> wrote:
> > Hello samba team.
> >
> > Excuse my ignorance, why does winbind map the builtins groups to the
> > domain
> > in the output of the wbinfo command on the AD DC samba server?
> >
> > example: administrators maps to domain\administrators, Print
> > Operators
> > winbind with wbinfo shows as domain\print operators
>
> Somehow I missed this, but what wbinfo command are you running ?
> If I run 'wbinfo -g' on a DC, I do not get the BUILTIN groups.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Rowland Penny

2022-Mar-16 07:57 UTC

head link

[Samba] Winbind Map

On Tue, 2022-03-15 at 23:21 -0300, Anderson Sampaio Mello via samba
wrote:> Hi Rowland.
> Thanks for the answer
> 
> The command I type is wbinfo --group-info name-group, example:
> wbinfo --group-info administrators
> Output:
> DOMAIN\administrators:x:3000024
> 
> But when I inform the BUILTIN before, the mapping appears, for
> example:
> wbinfo --group-info BUILTIN\\administrators
> Output:
> BUILTIN\administrators:x:3000000
I think you may have found a bug, I have never given this much thought
before, everything has just worked. But after I ran your command and
got the same results that you did, I had a look in idmap.ldb and found
this:

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

Which I expected, but I also found this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-544
cn: S-1-5-21-1768301897-3342589593-1064908849-544
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-544
type: ID_TYPE_BOTH
xidNumber: 3000227
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-544

So, it looks like, on a Samba DC, a RID (544) has two Unix IDs and as
far as I am aware, RIDs are unique, so the Unix IDs should also be
unique.

Rowland

samba - Mar 2022 - Winbind Map

[Samba] Winbind Map

[Samba] Winbind Map