Domain Users group with multiple gid
There are some issues with Samba access to certain shares, because there seem to be two different gids for the group "Domain Users": gid 1901 and gid 2513.
This problem has existed since the upgrade to 4.0; a workaround resolved it at the time. Because the problem came back after the upgrade to 5.0, it needed a definitive fix.
# wbinfo --gid-info 2513
ARDITI\domain users:x:2513:
# wbinfo --gid-info 1901
ARDITI\domain users:x:1901:
# wbinfo --gid-to-sid=1901
S-1-5-21-1969551146-1524703261-742246316-513
# wbinfo --gid-to-sid=2513
S-1-5-21-1969551146-1524703261-742246316-513
# wbinfo --sid-to-gid=S-1-5-21-1969551146-1524703261-742246316-513
2513
Looking at the bug: https://bugzilla.samba.org/show_bug.cgi?id=13054#
If I run:
# net cache flush
# wbinfo --group-info="domain users"
ARDITI\domain users:x:2513:
all seems "correct" (gid 2513 is shown), but if I do any query with gid 1901, such as:
# wbinfo --gid-info 1901
ARDITI\domain users:x:1901:
then I get the following:
# wbinfo --group-info="domain users"
ARDITI\domain users:x:1901:
This confirms the problem referred to in the bug linked above. Gid 2513 is the correct one, so the 1901 mapping has to be deleted.
Edit idmap.ldb and delete the record with gid 1901
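The comparison done by hand above (what idmap.ldb stores for the Domain Users SID versus what winbind actually answers) can be scripted so that every SID in the database is checked, not only the one that happened to break. The following is an added example written for this note, not Samba's own tooling. It assumes the LDIF layout printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'`, which matches the record quoted below, and a SID-to-gid table collected with one `wbinfo --sid-to-gid=<SID>` call per SID; the sample LDIF and wbinfo answers embedded in the script are constructed, not captured from a real DC.

```python
"""Cross-check Samba's idmap.ldb against what winbind currently resolves.

Added example for this note (not Samba's own code). It assumes:
  * the LDIF layout printed by
        ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
    which matches the record quoted in the note (dn:, objectSid:, type:, xidNumber:);
  * a SID -> gid table collected separately, e.g. one `wbinfo --sid-to-gid=<SID>`
    call per SID (the values below are constructed, not captured from a real DC).
"""

DOMAIN = "S-1-5-21-1969551146-1524703261-742246316"  # domain SID from the note

# Constructed ldbsearch output: Domain Users (RID 513) is still mapped to 1901
# in idmap.ldb although winbind now answers 2513 for the same SID.
SAMPLE_LDIF = f"""\
# record 1
dn: CN={DOMAIN}-512
cn: {DOMAIN}-512
objectClass: sidMap
objectSid: {DOMAIN}-512
type: ID_TYPE_GID
xidNumber: 3000
distinguishedName: CN={DOMAIN}-512

# record 133
dn: CN={DOMAIN}-513
cn: {DOMAIN}-513
objectClass: sidMap
objectSid: {DOMAIN}-513
type: ID_TYPE_GID
xidNumber: 1901
distinguishedName: CN={DOMAIN}-513

# returned 2 records
"""

# Constructed answers of `wbinfo --sid-to-gid=<SID>` for the same SIDs.
SAMPLE_WINBIND = {f"{DOMAIN}-512": 3000, f"{DOMAIN}-513": 2513}


def parse_idmap_ldif(text):
    """Parse ldbsearch LDIF into {objectSid: {"dn", "type", "xid"}}.

    Records are separated by blank lines; lines starting with '#' are
    ldbsearch comments ("# record N", "# returned N records").
    """
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)

    mappings = {}
    for rec in records:
        if "objectSid" in rec and "xidNumber" in rec:
            mappings[rec["objectSid"]] = {
                "dn": rec.get("dn", ""),
                "type": rec.get("type", ""),
                "xid": int(rec["xidNumber"]),
            }
    return mappings


def find_stale_mappings(mappings, winbind):
    """Return idmap.ldb records whose xid disagrees with winbind's answer.

    Only ID_TYPE_GID and ID_TYPE_BOTH records are compared with a gid lookup.
    Each hit names the DN to inspect in ldbedit, the stale xid, and the gid
    winbind currently hands to clients.
    """
    stale = []
    for sid, entry in sorted(mappings.items()):
        if entry["type"] not in ("ID_TYPE_GID", "ID_TYPE_BOTH"):
            continue
        current = winbind.get(sid)
        if current is not None and current != entry["xid"]:
            stale.append({"sid": sid, "dn": entry["dn"],
                          "idmap_xid": entry["xid"], "winbind_gid": current})
    return stale


if __name__ == "__main__":
    hits = find_stale_mappings(parse_idmap_ldif(SAMPLE_LDIF), SAMPLE_WINBIND)
    for hit in hits:
        print(f"{hit['sid']}: idmap.ldb xid {hit['idmap_xid']} != winbind gid "
              f"{hit['winbind_gid']} -> review record {hit['dn']}")
```

Run against a real dump, the script prints one line per SID whose stored xid no longer matches what winbind returns; on the constructed sample that is only the Domain Users record with xid 1901, i.e. exactly the record the note goes on to delete with ldbedit. Records of type ID_TYPE_UID are skipped because a gid lookup says nothing about them.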
# ldbedit -e vi -H /var/lib/samba/private/idmap.ldb
search for 1901 and delete the whole record:
# record 133
dn: CN=S-1-5-21-1969551146-1524703261-742246316-513
cn: S-1-5-21-1969551146-1524703261-742246316-513
objectClass: sidMap
objectSid: S-1-5-21-1969551146-1524703261-742246316-513
type: ID_TYPE_GID
xidNumber: 1901
distinguishedName: CN=S-1-5-21-1969551146-1524703261-742246316-513
write and exit.
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# 0 adds  0 modifies  1 deletes
flush net cache:
# net cache flush
Clean up remnants of the wrong group ownership on directories and files. Group 1901 was the initial "domain users" gid, which has now been changed to 2513:
# find / -gid 1901 -exec chgrp 2513 {} \;
As for ACLs, just remove 1901:
# cd /home
# setfacl -R -d -x g:1901 *
# setfacl -R -x g:1901 *