similar to: getent group does not list domain groups - question regarding default gidNumbers on PDC

On 6/5/19 10:06 AM, Rowland penny via samba wrote: >> >> Now I have problems with id mapping configuration: >> >> wbinfo -u works. >> wbinfo -g works. >> getent group does not list domain users and groups. >> >> I logged into PDC and checked gidNumber for "Domain Users": >> >> [root at site-ad ~]# wbinfo --name-to-sid

On 6/5/19 11:26 AM, Rowland penny via samba wrote: > On 05/06/2019 10:04, ?ukasz Michalski via samba wrote: >> >>>> >>>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513 >>>> 985 (same as 'users' unix gid on host) >>> where did the '985' come from ? >> >> I think from there:

On 05/06/2019 08:32, Łukasz Michalski via samba wrote: > Hi List, > > I am trying to setup samba PDC and samba file server for a small > organization. No you are not, you are setting up a Samba AD DC, a PDC is something entirely different. > I followed guidelines on samba wiki and Arch Linux wiki. > > I have two servers (10.21.0.2 PDC and 10.21.0.1 (file server) both >

On 05/06/2019 10:04, ?ukasz Michalski via samba wrote: > >>> >>> [root at site-ad ~]# wbinfo --sid-to-gid >>> S-1-5-21-4155694911-3186826046-1573605777-513 >>> 985 (same as 'users' unix gid on host) >> where did the '985' come from ? > > I think from there: > > [root at site-ad ~]# ldbsearch -H

On 05/06/2019 10:44, ?ukasz Michalski via samba wrote: > On 6/5/19 11:26 AM, Rowland penny via samba wrote: >> On 05/06/2019 10:04, ?ukasz Michalski via samba wrote: >>> >>>>> >>>>> [root at site-ad ~]# wbinfo --sid-to-gid >>>>> S-1-5-21-4155694911-3186826046-1573605777-513 >>>>> 985 (same as 'users' unix gid on

>> >> Dunno, I just run: >> >> samba-tool domain provision --use-rfc2307 --interactive >> >> I did not touch ldap databases by hand afterwards. >> >> Regards, >> ?ukasz >> >> >> > Someone did, because the xidNumber for Domain Users is set to '100' by default. > > If you didn't change it, then change the

Greetings, All! I've discovered a nasty mismatch in my recently upgraded domain. It seems that a number of builtin groups have mappings in idmap.ldb that overlap with posixAccount mappings in the sam.ldb. Namely, # file: var/lib/samba/sysvol/ads.example.com/scripts/ # owner: root # group: 544 user::rwx user:root:rwx group::rwx group:544:rwx group:30000:r-x group:30001:rwx

I've got this on the backup DC root at bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516 3000000 while root at bdc:~# ldbedit -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-1166961617-3197558402-3341820450-516 shows correct xid 3000019 and on the primary DC I've got itk at dc:/$ wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516 3000019

On 6/19/2020 10:00 AM, Rowland penny via samba wrote: > > The easiest way is to upgrade to 4.12.x and then use '_*samba-tool > group addunixattrs*_', otherwise you could use ldbedit or create an > ldif and use ldbmodify or ldapmodify. Another option would be to use > something like LAM. > > Rowland Sorry, but, there is what you told me to do in your first email

17.07.2015, 17:30, "Rowland Penny" <rowlandpenny241155 at gmail.com>: > On 17/07/15 12:03, Andrej Surkov wrote: >>  I've got this on the backup DC >> >>  root at bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516 >>  3000000 > > OK, you have problems there, but not what you think. On my first DC > (note I don't have

On 6/19/2020 1:55 PM, Rowland penny via samba wrote: > ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep > 'gidNumber:' | sed 's/gidNumber: //' | sort | tail -n1 > > Add 1 to the output and use that. > > Rowland This is a newly setup DC and member server (both Debian 10.4 w/Samba v4.12.3). I got: root at dc01:~# ldbsearch -H

On Thu, 26 Jan 2017 21:54:49 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Thu, 26 Jan 2017 16:26:02 -0500 > Mark Foley via samba <samba at lists.samba.org> wrote: > > > On Thu, 26 Jan 2017 19:36:33 +0000 Rowland Penny wrote: > > > > > Have you tried checking in AD with ldbsearch or ldbedit for the > > > > > actual

On 8/17/2020 7:59 AM, Rowland penny via samba wrote: > Could it be that 'username' doesn't have a uidNumber ? > > Well, when I run "id [username]" on the DC, I get a "uid=3000013(SUBDOM\[username])" and"gid=10000", etc. When I run "id [username]" on the member server (mbr04) I get "id: 'SUBDOM\[username]': no such

Am 07.06.2019 um 17:48 schrieb Rowland penny via samba: > On 07/06/2019 16:37, ?ukasz Michalski via samba wrote: >> On 05.06.2019 22:40, Rowland penny via samba wrote: >>>> >>>> https://lists.samba.org/archive/samba/2019-June/223478.html >>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a >>>> gidNumber

On 26.10.2015 23:03, Rowland Penny wrote: > On 26/10/15 21:38, Viktor Trojanovic wrote: >> I joined a Samba AD member server (file server) to a Samba AD DC. >> This seems to have worked. However, if I try to access the file >> server from the domain administrator account on a Windows client, I >> am asked to provide authorization details. Since I have no other

Hi, I just want to add a linux machine to my samba 4 ad. Its a debian stretch and I installed the following packages:apt-get install winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user samba attr ... My machine-configs: nsswitch.conf: passwd: files winbind group: files winbind shadow: compat gshadow:files hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

On Wed, 26 Oct 2016 17:27:37 -0400 Ryan Ashley via samba <samba at lists.samba.org> wrote: > I guess I should note that it seems like the high SIDs will resolve, > except for 300000. Below is an example. > > root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/ > total 16 > drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies > drwxrws---+ 2 MEDARTS\reachfp

On 1/13/2017 3:30 PM, Rowland Penny wrote: > On Fri, 13 Jan 2017 15:20:52 -0500 > Bob Thomas <bthomas at cybernetics.com> wrote: > >> On 1/13/2017 1:45 PM, Rowland Penny wrote: >>> On Fri, 13 Jan 2017 13:30:14 -0500 >>> Bob Thomas <bthomas at cybernetics.com> wrote: >>> >>>> Rowland, >>>>>> Thank you for the quick

On 27.10.2015 09:05, Rowland Penny wrote: > On 26/10/15 22:35, Viktor Trojanovic wrote: >> >> >> On 26.10.2015 23:03, Rowland Penny wrote: >>> On 26/10/15 21:38, Viktor Trojanovic wrote: >>>> I joined a Samba AD member server (file server) to a Samba AD DC. >>>> This seems to have worked. However, if I try to access the file >>>>

> Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user. I looked on a brand new test DC (with nss-winbind), and it looks like it doesn't work right with winbind: root at dc1# ls -l /var/lib/samba/sysvol/ad-test.vx/Policies/ total 16 drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {31B2F340-016D-11D2-945F-00C04FB984F9}