On Tue, 2024-06-18 at 12:38 +0100, Rowland Penny via samba wrote:
> On Tue, 18 Jun 2024 13:24:00 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 2024-06-18 at 06:24 +0100, Rowland Penny via samba wrote:
> > > On Mon, 17 Jun 2024 22:29:26 +0200
> > > Pavel Lis? via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hello
> > > >
> > > > I have testing environment with 2 DC servers and 2 member
> > > > servers.
> > > > There is one thing which I don't understand.
> > > >
> > > > On DC "Domain Users" group shows different gid
> > > >
> > > > for "samba-tool" there is GID 513 in LDAP
> > > > but "getent group" or "getent passwd" shows 100
> > > >
> > > > $ sudo samba-tool group show 'domain users'
> > > > dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > > > objectClass: top
> > > > objectClass: group
> > > > cn: Domain Users
> > > > description: All domain users
> > > > instanceType: 4
> > > > whenCreated: 20240520145130.0Z
> > > > uSNCreated: 3885
> > > > name: Domain Users
> > > > objectGUID: 72200ac6-12aa-4da5-b3bf-3df97371fd36
> > > > objectSid: S-1-5-21-716648387-301587334-1432759742-513
> > > > sAMAccountName: Domain Users
> > > > sAMAccountType: 268435456
> > > > groupType: -2147483646
> > > > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=office,DC=company,DC=com
> > > > isCriticalSystemObject: TRUE
> > > > memberOf: CN=Users,CN=Builtin,DC=office,DC=company,DC=com
> > > > gidNumber: 513
> > > > whenChanged: 20240615165133.0Z
> > > > uSNChanged: 4608
> > > > distinguishedName: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
> > > >
> > > >
> > > >
> > > > $ getent group | grep -i users
> > > > users:x:100:
> > > > BUILTIN\users:x:3000009:
> > > > BUILTIN\remote desktop users:x:3000023:
> > > > BUILTIN\performance monitor users:x:3000026:
> > > > BUILTIN\performance log users:x:3000027:
> > > > BUILTIN\distributed com users:x:3000030:
> > > > OFFICE\domain users:x:100:
> > > > OFFICE\protected users:x:3000043:
> > > >
> > > > $ getent group
> > > > OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
> > > > OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
> > > > OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
> > > > OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash
> > > > OFFICE\koksy:*:3001:100::/home/OFFICE/koksy:/bin/bash
> > > > OFFICE\lupo:*:3002:100::/home/OFFICE/lupo:/bin/bash
> > > >
> > > > How it could be possible?
> > > >
> > > > Pavel
> > >
> > > I am fairly sure what is going on here, but to confirm it, can you
> > > please post the output of 'samba-tool testparm' when run on the DCs
> > > (both of them) and the output of 'testparm -s' when run on the Unix
> > > domain members (if they are both the same, we only need one).
> > I'm not able to send it now as I have the test env on a different
> > computer; I will send it later today.
> >
> > But to be clear, all listings above are from the first DC only.
> >
> > I don't have problems with members, as on them I can configure winbind
> > and it seems to react correctly to changes.
> >
> > Pavel
> >
> >
>
> I need to see the information I asked for, that way I can give a
> definitive answer, but what I can say is that using the RID for Domain
> Users as its gidNumber isn't a good idea.
>
> Rowland
on DC - dc31:
-------------
$ sudo samba-tool testparm
INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = Yes
dns forwarder = 127.0.0.53
interfaces = lo enp1s0
netbios name = DC31
realm = OFFICE.COMPANY.COM
server role = active directory domain controller
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
workgroup = OFFICE
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/office.company.com/scripts
read only = No
[homes]
comment = Home Directories
inherit acls = Yes
read only = No
valid users = %S %D%w%S
on DC - dc31:
-------------
$ sudo testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
bind interfaces only = Yes
dns forwarder = 127.0.0.53
interfaces = lo enp1s0
passdb backend = samba_dsdb
realm = OFFICE.COMPANY.COM
server role = active directory domain controller
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
workgroup = OFFICE
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/office.company.com/scripts
read only = No
[homes]
comment = Home Directories
inherit acls = Yes
read only = No
valid users = %S %D%w%S
on member - smbubu48:
---------------------
$ sudo samba-tool testparm
INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Press enter to see a dump of your service definitions
# Global parameters
[global]
log level = 0
netbios name = SMBUBU48
realm = OFFICE.COMPANY.COM
security = DOMAIN
server role = member server
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind rpc only = Yes
winbind use default domain = Yes
workgroup = OFFICE
idmap config office : unix_primary_group = yes
idmap config office : unix_nss_info = yes
idmap config office : range = 1000-9999
idmap config office : schema_mode = rfc2307
idmap config office : backend = ad
idmap config * : range = 10000-19999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
[homes]
comment = Home Directories
inherit acls = Yes
read only = No
valid users = %S %D%w%S
on member - smbubu48:
---------------------
$ sudo testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
kdc enable fast = No
realm = OFFICE.COMPANY.COM
security = DOMAIN
server role = member server
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind rpc only = Yes
winbind use default domain = Yes
workgroup = OFFICE
idmap config office : unix_primary_group = yes
idmap config office : unix_nss_info = yes
idmap config office : range = 1000-9999
idmap config office : schema_mode = rfc2307
idmap config office : backend = ad
idmap config * : range = 10000-19999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[homes]
comment = Home Directories
inherit acls = Yes
read only = No
valid users = %S %D%w%S
That's all.

Pavel
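The thread turns on three pieces of data: the rfc2307 attributes of "Domain Users" as printed by samba-tool, the idmap ranges in the member server's smb.conf, and what getent actually returns. The script below is an added example written for this page (it is not Samba project code and not something either poster ran); it cross-checks those three inputs the way a practitioner would before trusting the mappings. All sample inputs are constructed from the listings above, the domain name is passed in explicitly rather than derived from the DN, and the function names are this example's own.

```python
"""Audit the Unix IDs a Samba AD domain hands out through NSS.

Added example for this thread; it is not Samba project code. It checks the
three things the discussion turns on: the rfc2307 attributes of a group as
printed by 'samba-tool group show', the idmap ranges from a member's
smb.conf, and what 'getent group' / 'getent passwd' actually return.
Every sample below is constructed from the listings posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant attributes from 'samba-tool group show'.
GROUP_SHOW = """\
dn: CN=Domain Users,CN=Users,DC=office,DC=company,DC=com
cn: Domain Users
objectSid: S-1-5-21-716648387-301587334-1432759742-513
sAMAccountName: Domain Users
gidNumber: 513
"""

# Constructed sample: the idmap lines from the member server's testparm.
MEMBER_SMB_CONF = """\
idmap config office : range = 1000-9999
idmap config office : backend = ad
idmap config * : range = 10000-19999
idmap config * : backend = tdb
"""

# Constructed sample: part of the getent output posted from the DC.
GETENT_GROUP = """\
users:x:100:
BUILTIN\\users:x:3000009:
OFFICE\\domain users:x:100:
OFFICE\\protected users:x:3000043:
"""
GETENT_PASSWD = """\
OFFICE\\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
OFFICE\\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
OFFICE\\koksy:*:3001:100::/home/OFFICE/koksy:/bin/bash
OFFICE\\lupo:*:3002:100::/home/OFFICE/lupo:/bin/bash
"""

RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_attrs(text):
    """'attribute: value' lines (samba-tool show output) -> {attribute: [values]}."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()].append(value.strip())
    return attrs


def rid_of(sid):
    """The relative identifier is the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def parse_ranges(conf):
    """{'office': (1000, 9999), '*': (10000, 19999)} from smb.conf idmap lines."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.search(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_group(attrs, ranges, domain):
    """Problems with a group's gidNumber as seen from a member using idmap_ad."""
    findings = []
    name = attrs["sAMAccountName"][0]
    gid = int(attrs["gidNumber"][0])
    rid = rid_of(attrs["objectSid"][0])
    if gid == rid:
        findings.append(f"{name}: gidNumber {gid} equals the RID of its SID")
    low, high = ranges[domain.lower()]
    if not low <= gid <= high:
        # idmap_ad treats the range as a filter: IDs outside it are discarded.
        findings.append(f"{name}: gidNumber {gid} is outside the member's range "
                        f"{low}-{high} for {domain}, so idmap_ad will not map it")
    return findings


def check_getent(group_text, passwd_text):
    """Collisions and privileged mappings in what NSS actually returns."""
    findings = []
    names_by_gid = defaultdict(list)
    for line in group_text.splitlines():
        name, _, gid, *_ = line.split(":")
        names_by_gid[int(gid)].append(name)
    for gid, names in sorted(names_by_gid.items()):
        if len(names) > 1:
            # One Unix GID, several principals: a file ACL for one grants the other.
            findings.append(f"gid {gid} is shared by {', '.join(names)}")
    for line in passwd_text.splitlines():
        name, _, uid, *_ = line.split(":")
        if "\\" in name and int(uid) == 0:
            findings.append(f"{name} maps to uid 0 on this host")
    return findings


def audit(group_show=GROUP_SHOW, smb_conf=MEMBER_SMB_CONF,
          getent_group=GETENT_GROUP, getent_passwd=GETENT_PASSWD, domain="office"):
    """Run every check and return the findings as plain strings."""
    ranges = parse_ranges(smb_conf)
    return (check_group(parse_attrs(group_show), ranges, domain)
            + check_getent(getent_group, getent_passwd))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against the thread's data it reports four things: the gidNumber 513 is the group's RID, 513 lies outside the member's `range = 1000-9999` (idmap_ad discards IDs outside its range, so that member can never resolve "Domain Users" from AD), the local `users` group and `OFFICE\domain users` share GID 100 on the DC, which makes any file ACL granted to one of them effective for the other, and `OFFICE\administrator` is uid 0. The last point is normal on a Samba DC, where Administrator is mapped to root; on a domain member it would be a real finding. The script does not explain where the DC's 100 comes from, which the thread leaves open.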