On 01/03/2023 16:26, d tbsky via samba wrote:
> Rowland Penny via samba <samba at lists.samba.org>
>>> What confuses me is the "BUILTIN\users" group. Now with command "id
>>> my-account" I can see my account also belongs to the "BUILTIN\users"
>>> group.
>>> And the group id is "1000032" which is outside my new configuration range.
>>> I didn't see that group under rfc2307 backend before. But I know the
>>> "1000032" id comes from my old config, which has "idmap config *:range
>>> = 1000000-1999999".
>>
>> It was probably coming from the winbind cache and should have been
>> cleared by running 'net cache flush' or by restarting Samba, or at the
>> worst, rebooting.
>
> I use tdbdump to scan every tdb file, and found the "1000032" id
> only exists at gencache.tdb.
> "net cache flush" will flush the "gencache.tdb". But "id my-account"
> will bring back the ghost "1000032" again.
Strange, did you restart samba or reload the config with smbcontrol
after making the changes to smb.conf ?
>
>>
>>> After some trying I finally got rid of "1000032" by deleting
>>> "group_mapping.tdb" and let samba recreate it to get the new id under
>>> "5000-9999".
>>
>> I cannot recommend deleting files like that.
>
> Yes, I hope not to delete it. But I cannot find other ways to
> rebuild the id map correctly.
> Maybe there is some command to rebuild it?
Not that I haven't mentioned already.
>
>> NOTE: just as an aside, because you are now using the rid idmap backend,
>> you now have synthetic usergroups, the user 'fred' will have a group
>> called 'fred'.
>> Try it: 'getent group fred'
>
> Thanks a lot for the note. Now I notice the behavior. I didn't know it before.
>
>> The BUILTIN domain is fairly small and is handled by the default domain
>> '*' and ID's are allocated from the range set in smb.conf. These ID's
>> are not guaranteed to be the same on each Unix domain member, which
>> isn't a problem because they are only used for administrative purposes.
>> The default domain is meant for the BUILTIN domain and anything that
>> isn't in the main 'SAMDOM', which is why everything ends up in the
>> default domain if you really mess up the main domain.
>
> So you mean just ignore them since we don't use them under Linux.
> I am curious which groups are mapped. The group_mapping.tdb only has
> three SIDs: S-1-5-32-{544,545,546}
>
Well, ignore them as in do not attempt to use them directly from Samba
yourself; Samba will use them under the hood when required.
Rowland
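Added example, not from the thread and not Samba's own code: a Python check that parses the 'idmap config X : range' lines from an smb.conf fragment, flags overlapping ranges, and reports which ids seen in 'id' or 'getent' output fall outside every configured range, which is exactly the leftover "1000032" situation above (an id that only a cache or an old mapping database can still be producing). The smb.conf contents, the tdb backend for '*', the SAMDOM range and the observed ids are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment mirroring the thread's new layout: the
# default '*' domain (which also serves BUILTIN) on 5000-9999 and the main
# domain on the rid backend. The tdb backend for '*' and the SAMDOM range
# are assumptions, not values taken from the thread.
SMB_CONF = """
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 5000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

# Tolerates both 'idmap config * : range' and the unspaced 'idmap config *:range'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {idmap domain: (low, high)} for every 'range' line in conf."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m or m.group(2).lower() != "range":
            continue
        low, high = (int(x) for x in m.group(3).split("-", 1))
        if low > high:
            raise ValueError(f"inverted idmap range for {m.group(1)}: {m.group(3)}")
        ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect; any hit is a misconfiguration."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def domain_for_id(ranges: Dict[str, Tuple[int, int]], xid: int) -> Optional[str]:
    """Idmap domain whose range contains the uid/gid, or None if no range does."""
    return next((n for n, (lo, hi) in ranges.items() if lo <= xid <= hi), None)


def stale_ids(ranges: Dict[str, Tuple[int, int]], observed: Dict[str, int]) -> List[str]:
    """Names whose id lies outside every configured range: leftovers from an old
    config that survive only in gencache or a mapping tdb, so chase those first."""
    return sorted(n for n, xid in observed.items() if domain_for_id(ranges, xid) is None)


# Constructed 'id'/'getent' observation matching the thread: BUILTIN\users still
# shows the old 1000032 (from the retired 1000000-1999999 range) after the change.
OBSERVED = {"BUILTIN\\users": 1000032, "BUILTIN\\administrators": 5001, "SAMDOM\\fred": 10500}
```

Run it against the real smb.conf by feeding the file contents to parse_idmap_ranges and the gids from 'id my-account' to stale_ids; an empty stale list after 'net cache flush' and a winbind restart is the state you want.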