Web lists-archives.com

Re: [Samba] Domain Users group with multiple gid




Às 13:51 de 08-04-2018, Rowland Penny escreveu:
On Sun, 8 Apr 2018 13:22:28 +0100
Clemente Aguiar via samba <samba@xxxxxxxxxxxxxxx> wrote:

The samba was created by Zentyal system (http://www.zentyal.org).

Here is smb.conf:

[global]
      workgroup = arditi
      realm = ARDITI.PT
      netbios name = hera
      server string = Zentyal Server
      server role = dc
      server role check:inhibit = yes
      server services = -dns
      server signing = auto
      dsdb:schema update allowed = yes
      ldap server require strong auth = no
      drs:max object sync = 1200

      idmap_ldb:use rfc2307 = yes

      winbind enum users = yes
      winbind enum groups = yes
      template shell = /bin/bash
      template homedir = /home/%U

      interfaces = lo,eth0
      bind interfaces only = yes

      map to guest = Bad User

      log level = 3
      log file = /var/log/samba/samba.log
      max log size = 100000

      include = /etc/samba/shares.conf

[netlogon]
      path = /var/lib/samba/sysvol/arditi.pt/scripts
      browspid_to_procid: messaging_dgm_get_unique failed: No such file or directoryeable = no
      read only = yes

[sysvol]
      path = /var/lib/samba/sysvol
      read only = no
It is running as an AD DC and the IDs you showed are not in the
'3000000' range, so this means one of two things, either idmap.ldb has
been messed with (not recommended) or the users and groups have been
given uidNumber and gidNumber attributes (with very low numbers, again
not recommended).
I think it is more likely to be the later and if so, there is a bug for
this: https://bugzilla.samba.org/show_bug.cgi?id=13054#

Rowland
Rowland,

Thank you for the quick answer.

The thing is that this Zentyal server is a few years old and has been through a few upgrades. In the begging Zentyal was based Samba3 + OpenLDAP (if I am not mistaken), and eventually changed to Samba4. The new users and groups have IDs in the '3000000' range, but old users and groups have IDs in the '2000' range. So I think the low IDs are remnants of the old version which where kept even though the system was upgraded. And I think that the double gID for users is also related to remnants of the old system and the successive upgrades.

1)

You mentioned that uidNumber and gidNumber attributes with very low numbers are not recommended.
Is there anything I can do about that at this point in time?

2)

I looked at the bug you sent and and the behaviour is similar.

If I run:

# net cache flush"

all seems "correct" (gID 2513 is shown),

# wbinfo --group-info="domain users"
ARDITI\domain users:x:2513:

but if do any query with the gID 1901, such as:

# wbinfo --gid-info 1901
ARDITI\domain users:x:1901:

then I get the following:

# wbinfo --group-info="domain users"
ARDITI\domain users:x:1901:

I can I fix this "permanently", i.e get rid of second gID (1901)?

Thanks





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba