samba - Aug 2024 - winbind gives wrong primary id group

Hello,

I have fresh instalation samba 4.17.12+dfsg from apt on Debian 12.

I made new domain ADS2
(https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller).
root at dc-ads2:/etc/samba# samba-tool domain provision --use-rfc2307
--realm=ADS2.SES.SK --domain=ads2 --server-role=dc --dns-backend=BIND9_DLZ
--adminpass=XXXXXXX

In the future, I want to use IDMAP = ad, but for simplicity, I'm currently
using tdb.

File /etc/samba/smb.conf:

[global]
        netbios name = DC-ADS2
        realm = ADS2.SES.SK
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ADS2

        idmap_ldb:use rfc2307 = yes

        template homedir = /home/%D/%U
        template shell = /bin/bash

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/ads2.ses.sk/scripts
        read only = No


After provisioning, there is only one user - administrator.
The command wbinfo displays the following information about the administrator:
root at dc-ads2:/tmp# wbinfo -i administrator
ADS2\administrator:*:0:100::/home/ADS2/administrator:/bin/bash

root at dc-ads2:/tmp# id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000006(ADS2\schema
admins),3000007(ADS2\enterprise admins),3000004(ADS2\domain
admins),3000008(ADS2\group policy creator owners),3000005(ADS2\denied rodc
password replication
group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)


Question 1:
Administrator has primaryGroupID = 513 (Domain users). Where, in which file or
directive, is the group 'Domain Users' mapped to the Linux group
'Users (100)'?


I created a new group called IT4.
root at dc-ads2:/tmp# samba-tool group add IT4 --gid-number=2004
--nis-domain=ads2 --group-scope=Global  --group-type=Security
--description=DomainUnixGroup
Added group IT4

I created a new user called john4.
root at dc-ads2:/tmp# samba-tool user create john4 Skuska. --uid=john4
--uid-number=3004 --gid-number=2004 --given-name=John4 --surname=Wick
--department=IT4 --script-path=IT4.bat
User 'john4' added successfully

root at dc-ads2:/tmp# wbinfo  -i john4
ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
root at dc-ads2:/tmp# id john4
uid=3004(ADS2\john4) gid=100(users) groups=100(users),3000009(BUILTIN\users)


I added the user john4 to the group IT4:
root at dc-ads2:/tmp# samba-tool group addmembers IT4 john4
Added members to group IT4

I changed the user's primary group to the previously created group IT4.
root at dc-ads2:/tmp# samba-tool user setprimarygroup john4 IT4
Changed primary group to 'IT4'

The attributes of the user john4 are now:
dn: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John4 Wick
sn: Wick
givenName: John4
instanceType: 4
whenCreated: 20240823105419.0Z
displayName: John4 Wick
uSNCreated: 4180
department: IT4
name: John4 Wick
objectGUID: 55fb6813-1f12-4955-b009-6840ae0f370b
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: IT4.bat
objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: john4
sAMAccountType: 805306368
userPrincipalName: john4 at ads2.ses.sk<mailto:john4 at ads2.ses.sk>
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ads2,DC=ses,DC=sk
uid: john4
uidNumber: 3004
gidNumber: 2004
pwdLastSet: 133688840595194710
userAccountControl: 512
memberOf: CN=Domain Users,CN=Users,DC=ads2,DC=ses,DC=sk
primaryGroupID: 1110
whenChanged: 20240823105847.0Z
uSNChanged: 4187
distinguishedName: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk

wbinfo and id now provide the following information:
root at dc-ads2:/tmp# wbinfo -i john4
ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
root at dc-ads2:/tmp# id john4
uid=3004(ADS2\john4) gid=100(users)
groups=100(users),2004(ADS2\it4),3000009(BUILTIN\users)

Question 2:
john4 has had its primaryGroupID changed to 1110 (IT4). Why hasn't the
primary group changed in the wbinfo output?

I logged in to Linux as john4 through another terminal (PuTTY)."

And now, wbinfo and id start showing different values (the ones I want).
root at dc-ads2:/tmp# wbinfo -i john4
ADS2\john4:*:3004:2004:John4 Wick:/home/ADS2/john4:/bin/bash
root at dc-ads2:/tmp# id john4
uid=3004(ADS2\john4) gid=2004(ADS2\it4)
groups=2004(ADS2\it4),100(users),3000009(BUILTIN\users)

Question 3:
Why does the primary group change when I log in interactively? How can I
configure Samba/Winbind to provide the correct values without needing to log in?


Thanks in advance
Ivan Novosad

On Fri, 23 Aug 2024 11:58:35 +0000
Ivan Novosad via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I have fresh instalation samba 4.17.12+dfsg from apt on Debian 12.
> 
> I made new domain ADS2
>
(https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller).
> root at dc-ads2:/etc/samba# samba-tool domain provision --use-rfc2307
> --realm=ADS2.SES.SK --domain=ads2 --server-role=dc
> --dns-backend=BIND9_DLZ --adminpass=XXXXXXX
> 
> In the future, I want to use IDMAP = ad, but for simplicity, I'm
> currently using tdb.
> 
> File /etc/samba/smb.conf:
> 
> [global]
>         netbios name = DC-ADS2
>         realm = ADS2.SES.SK
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = ADS2
> 
>         idmap_ldb:use rfc2307 = yes
> 
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/ads2.ses.sk/scripts
>         read only = No
> 
> 
> After provisioning, there is only one user - administrator.
> The command wbinfo displays the following information about the
> administrator: root at dc-ads2:/tmp# wbinfo -i administrator
> ADS2\administrator:*:0:100::/home/ADS2/administrator:/bin/bash
> 
> root at dc-ads2:/tmp# id administrator
> uid=0(root) gid=100(users)
> groups=0(root),100(users),3000006(ADS2\schema
> admins),3000007(ADS2\enterprise admins),3000004(ADS2\domain
> admins),3000008(ADS2\group policy creator owners),3000005(ADS2\denied
> rodc password replication
> group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
> 
> 
> Question 1:
> Administrator has primaryGroupID = 513 (Domain users). Where, in
> which file or directive, is the group 'Domain Users' mapped to the
> Linux group 'Users (100)'?
> 
> 
> I created a new group called IT4.
> root at dc-ads2:/tmp# samba-tool group add IT4 --gid-number=2004
> --nis-domain=ads2 --group-scope=Global  --group-type=Security
> --description=DomainUnixGroup Added group IT4
> 
> I created a new user called john4.
> root at dc-ads2:/tmp# samba-tool user create john4 Skuska. --uid=john4
> --uid-number=3004 --gid-number=2004 --given-name=John4 --surname=Wick
> --department=IT4 --script-path=IT4.bat User 'john4' added
successfully
> 
> root at dc-ads2:/tmp# wbinfo  -i john4
> ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
> root at dc-ads2:/tmp# id john4
> uid=3004(ADS2\john4) gid=100(users)
> groups=100(users),3000009(BUILTIN\users)
> 
> 
> I added the user john4 to the group IT4:
> root at dc-ads2:/tmp# samba-tool group addmembers IT4 john4
> Added members to group IT4
> 
> I changed the user's primary group to the previously created group
> IT4. root at dc-ads2:/tmp# samba-tool user setprimarygroup john4 IT4
> Changed primary group to 'IT4'
> 
> The attributes of the user john4 are now:
> dn: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: John4 Wick
> sn: Wick
> givenName: John4
> instanceType: 4
> whenCreated: 20240823105419.0Z
> displayName: John4 Wick
> uSNCreated: 4180
> department: IT4
> name: John4 Wick
> objectGUID: 55fb6813-1f12-4955-b009-6840ae0f370b
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> scriptPath: IT4.bat
> objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: john4
> sAMAccountType: 805306368
> userPrincipalName: john4 at ads2.ses.sk<mailto:john4 at ads2.ses.sk>
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=ads2,DC=ses,DC=sk uid: john4
> uidNumber: 3004
> gidNumber: 2004
> pwdLastSet: 133688840595194710
> userAccountControl: 512
> memberOf: CN=Domain Users,CN=Users,DC=ads2,DC=ses,DC=sk
> primaryGroupID: 1110
> whenChanged: 20240823105847.0Z
> uSNChanged: 4187
> distinguishedName: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
> 
> wbinfo and id now provide the following information:
> root at dc-ads2:/tmp# wbinfo -i john4
> ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
> root at dc-ads2:/tmp# id john4
> uid=3004(ADS2\john4) gid=100(users)
> groups=100(users),2004(ADS2\it4),3000009(BUILTIN\users)
> 
> Question 2:
> john4 has had its primaryGroupID changed to 1110 (IT4). Why hasn't
> the primary group changed in the wbinfo output?
> 
> I logged in to Linux as john4 through another terminal (PuTTY)."
> 
> And now, wbinfo and id start showing different values (the ones I
> want). root at dc-ads2:/tmp# wbinfo -i john4
> ADS2\john4:*:3004:2004:John4 Wick:/home/ADS2/john4:/bin/bash
> root at dc-ads2:/tmp# id john4
> uid=3004(ADS2\john4) gid=2004(ADS2\it4)
> groups=2004(ADS2\it4),100(users),3000009(BUILTIN\users)
> 
> Question 3:
> Why does the primary group change when I log in interactively? How
> can I configure Samba/Winbind to provide the correct values without
> needing to log in?
> 
> 
> Thanks in advance
> Ivan Novosad
Before we get carried away here, can I ask a few questions ?

Do you have experience of setting up the old classic NT4-style domains
(as in PDC's) ?

Why do you want to change the users primary group ?

Are you thinking of using the DC as a fileserver ? (which isn't
recommended).

Rowland