ok I made the recommended changes and ran net cache flush, afterwards
Domain Users was correct, but Domain Admins not. results of "id" command
are below
>>
>> and it can't find all the groups while the rdp server can
>
> No, that is wrong, if you look closely, the rdp server is missing two
> groups but the fileserver is showing two groups by ID only (not by name)
Yes I missed the 2 BUILTIN groups, I don't know if that's a problem or
not, after net cache flush, here are the 2 servers
-------------------- RDP ----------------------
uid=2001110(SDCP\peter)
gid=2000513(SDCP\domain users)
groups     2000513(SDCP\domain users),
    2000512(SDCP\domain admins),
    2000572(SDCP\denied rodc password replication group),
    2001110(SDCP\peter),
    2001118(SDCP\linux admins),
    2001136(SDCP\remotedesktop)
------------------- File Server ---------------
uid=2001110(SDCP\peter)
gid=2000513(SDCP\domain users)
groups     2000513(SDCP\domain users),
    10000(BUILTIN\administrators),
    10001(BUILTIN\users),
    2000512,
    2000572(SDCP\denied rodc password replication group),
    2001110(SDCP\peter),
    2001118(SDCP\linux admins),
    2001136(SDCP\remotedesktop)
>
> I really do hope '.local' is sanitising, if not, turn off Avahi and
> Bonjour everywhere.
>
We have no avahi and no bonjour. However, the .local was decided by
someone long before me when the AD was still on windows and known as a
PDC. The AD was then migrated to a Synology NAS and .local was kept.
Now I enter the picture and it was decided to move to a less vendor
specific solution. The AD couldn't be migrated from Synology so it was
decided to rebuild the domain users/groups/gpos but the .local stayed
(in a vain attempt to not have to re-join all the
workstations)
>>
>> ---------------------------------- xRDP
>> ------------------------------------------------------
>> xRDP Server - not a file server, smbd is not running
>
> So no shares, just authentication.
Correct, no shares, just auth, the user shares line got missed in the
config, I think I just missed the line in amongst the 3000 lines of
comments. I'm torn on whether it's better to have each line documented
in the config file, or just have a clean 10 lines of config. That's a
debate for another day :)