> Sorry, I keep forgetting this, you need to clear the cache with 'net > cache flush'Ok, I made the switch but one more thing. As soon as I restart smb+nmb+winbind the "domain users" group has this id: # getent group "domain users" domain users:x:10513: after a few seconds, the ID is "restored" to the wrong one: # getent group "domain users" domain users:x:700009: I don't have a custom id set in the group: # samba-tool group show "domain users" dn: CN=Domain Users,CN=Users,DC=wdc,DC=domain,DC=it objectClass: top objectClass: group cn: Domain Users description: All domain users instanceType: 4 whenCreated: 20220715153450.0Z whenChanged: 20220715153450.0Z uSNCreated: 5074 name: Domain Users objectGUID: 32bbb713-c5de-4d05-bb5a-25ee53e6971f objectSid: S-1-5-21-1322844432-1368091937-3368753673-513 sAMAccountName: Domain Users sAMAccountType: 268435456 groupType: -2147483646 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=wdc,DC=domain,DC=it isCriticalSystemObject: TRUE uSNChanged: 5264 memberOf: CN=Users,CN=Builtin,DC=wdc,DC=domain,DC=it distinguishedName: CN=Domain Users,CN=Users,DC=wdc,DC=domain,DC=it -- Lorenzo Milesi - lorenzo.milesi at yetopen.com CTO @ YetOpen Srl YetOpen - https://www.yetopen.com/ Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary -------- D.Lgs. 196/2003 e GDPR 679/2016 -------- Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata. Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile. Grazie. Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
Two corrections> Ok, I made the switch but one more thing. As soon as I restart smb+nmb+winbindAs soon as I clean cache> after a few seconds, the ID is "restored" to the wrong one:The ID changes when I run a "ls" in a dir where files/dir are assigned to the "domain users" group -- Lorenzo Milesi - lorenzo.milesi at yetopen.com CTO @ YetOpen Srl YetOpen - https://www.yetopen.com/ Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary -------- D.Lgs. 196/2003 e GDPR 679/2016 -------- Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata. Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile. Grazie. Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
On 14/10/2022 17:43, Lorenzo Milesi wrote:>> Sorry, I keep forgetting this, you need to clear the cache with 'net >> cache flush' > > Ok, I made the switch but one more thing. As soon as I restart smb+nmb+winbind the "domain users" group has this id: > # getent group "domain users" > domain users:x:10513:That is what would be expected from this line in your smb.conf: idmap config LIGHT:range = 10000-700000 As you are using the 'rid' idmap backend, the groups Unix ID is calculated like this: ID = RID + LOW_RANGE_ID which becomes: 10513 = 513 + 10000> after a few seconds, the ID is "restored" to the wrong one: > # getent group "domain users" > domain users:x:700009:That shouldn't happen, can you post the contents of /etc/nsswitch.conf ? Try stopping Samba, run 'net cache flush' and then restart Samba again. Is anything else running ? sssd, nlscd or similar ? The only other thing that I can think of is, is your AD domains NETBIOS domain name something other than 'LIGHT' ? Rowland
>> after a few seconds, the ID is "restored" to the wrong one: >> # getent group "domain users" >> domain users:x:700009: > > That shouldn't happen, can you post the contents of /etc/nsswitch.conf ? > > Try stopping Samba, run 'net cache flush' and then restart Samba again. > > Is anything else running ? sssd, nlscd or similar ? > > The only other thing that I can think of is, is your AD domains NETBIOS > domain name something other than 'LIGHT' ?I restore this old thread because those "tdb" ids popped up again. To recap, in order to get rid of the wrong tdb ids I: * changed all files on disk with find -gid TDB_UID chown RID_UID {} \; * net cache flush * rebooted Everything was fine, but eventually it wasn't totally correct. I found a similar problem on SO [1], and they suggest to: service winbind stop service smb stop net cache flush rm -f /var/lib/samba/*.tdb rm -f /var/lib/samba/group_mapping.ldb service smb start service winbind start Some further comments report a new "join" is required before restarting services. Can this be a correct approach? Thanks [1]?https://serverfault.com/a/505700/102716 -- Lorenzo Milesi - lorenzo.milesi at yetopen.com CTO @ YetOpen Srl Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary -------- D.Lgs. 196/2003 e GDPR 679/2016 -------- Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata. Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile. Grazie. Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.