[I'm afraid $customer made me anonymize their rootdn, user and group names, so the ones below are made up. Hopefully I haven't introduced any errors in the process.]
I'm running Debian 7 with samba 4.0.9dfsg1-1 built from git://git.debian.org/pkg-samba/samba. I'm using samba as an AD DC, with accounts migrated from a samba3/slapd stack using samba-tool domain classicupgrade. What I find confusing is that there are groups in samba -- as confirmed by samba-tool group list, ldapsearch and wbinfo -g -- that are not reported by getent groups (glibc's nss query tool). Further, getent groups can reverse-resolve GIDs into the missing groups.
# samba-tool group list | sort
Account Operators
Administrators
Allowed RODC Password Replication Group
Backup Operators
Cert Publishers
Certificate Service DCOM Access
Cryptographic Operators
Denied RODC Password Replication Group
Distributed COM Users
DnsAdmins
DnsUpdateProxy
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Read-Only Domain Controllers
Event Log Readers
Group Policy Creator Owners
Guests
IIS_IUSRS
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
RAS and IAS Servers
Read-Only Domain Controllers
Remote Desktop Users
Replicator
Schema Admins
Server Operators
Terminal Server License Servers
Users
Windows Authorization Access Group
abakan
directors
fb
fbadmin
fbproducts
fbserver2
mgmt
public
robobobo
subversion
welles
welles_m
# wbinfo -g | sort
DnsUpdateProxy
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Read-Only Domain Controllers
Schema Admins
abakan
directors
fb
fbadmin
fbproducts
fbserver2
mgmt
public
robobobo
subversion
welles
welles_m
# ldapsearch -I -LLL objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=fb,DC=frobozz,dc=com,dc=au dn | sed -rn 's/dn: CN=([^,]+).*/\1/p' | sort -u
SASL/NTLM authentication started
SASL Interaction
Default: root
Please enter your authentication name: cyber
Please enter your password:
SASL username: cyber
SASL SSF: 0
Account Operators
Administrators
Allowed RODC Password Replication Group
Backup Operators
Cert Publishers
Certificate Service DCOM Access
Cryptographic Operators
Denied RODC Password Replication Group
Distributed COM Users
DnsAdmins
DnsUpdateProxy
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Read-only Domain Controllers
Event Log Readers
Group Policy Creator Owners
Guests
IIS_IUSRS
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
RAS and IAS Servers
Read-only Domain Controllers
Remote Desktop Users
Replicator
Schema Admins
Server Operators
Terminal Server License Servers
Users
Windows Authorization Access Group
abakan
directors
fb
fbadmin
fbproducts
fbserver2
mgmt
public
robobobo
subversion
welles
welles_m
# getent group | grep \\\\ | sort
FB\Domain Admins:*:512:
FB\Domain Computers:*:515:
FB\Domain Controllers:*:3000175:
FB\Domain Guests:*:514:
FB\Domain Users:*:513:
FB\Enterprise Admins:*:3000006:
FB\Enterprise Read-Only Domain Controllers:*:3000174:
FB\Group Policy Creator Owners:*:3000004:
FB\Read-Only Domain Controllers:*:3000176:
FB\Schema Admins:*:3000007:
FB\directors:*:1016:
FB\fbadmin:*:1017:
FB\robobobo:*:1018:
FB\subversion:*:1002:
This is the worst one -- it only reverse-resolves:

# getent group fb
# getent group FB\\fb
# getent group | grep fb:
# getent group 1019
FB\fb:*:1019:
# This one forward and reverse-resolves, but isn't listed by default:
# getent group welles
FB\welles:*:5029:
# getent group FB\\welles
FB\welles:*:5029:
# getent group | grep welles:
# getent group 5029
FB\welles:*:5029:
#

I can't understand why wbinfo and nss_winbind would give different results. The cn=fb and cn=robobobo objects, for example, look pretty much alike -- it's not something as obvious as objectClass: posixGroup in one and not the other.
dn: CN=fb,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
cn: fb
instanceType: 4
whenCreated: 20131008002306.0Z
uSNCreated: 3812
name: fb
objectGUID:: iuv8UXOqlEqVZaMPoXMzNQ==
objectSid:: AQUAAAAAAAUVAAAAq+hW2qxp0+SENVq93wsAAA==
sAMAccountName: fb
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=fb,DC=frobozz,DC=com,DC=au
gidNumber: 1019
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: fb
whenChanged: 20131008002625.0Z
member: CN=sita,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
member: CN=rama,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
member: CN=hanuman,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
uSNChanged: 5153
distinguishedName: CN=fb,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
dn: CN=robobobo,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
cn: robobobo
instanceType: 4
whenCreated: 20131008002305.0Z
uSNCreated: 3808
name: robobobo
objectGUID:: jNBaJ4w5SEODz8vkYTAw5w==
objectSid:: AQUAAAAAAAUVAAAAq+hW2qxp0+SENVq93QsAAA==
sAMAccountName: robobobo
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=fb,DC=frobozz,DC=com,DC=au
gidNumber: 1018
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: fb
whenChanged: 20131008002535.0Z
member: CN=sita,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
member: CN=rama,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
uSNChanged: 4951
distinguishedName: CN=robobobo,CN=Users,DC=fb,DC=frobozz,DC=com,DC=au
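An added example, not part of the original post, that scripts the comparison made above by hand: it reports every group winbind enumerates that NSS enumeration (getent group) omits, so a DC can be re-checked after any idmap or winbind change. The sample command outputs are constructed from the lists in the post, and the domain prefix FB\ is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): script the by-hand comparison of
# "wbinfo -g" against "getent group" so a host can be checked repeatably for
# groups that winbind knows but NSS enumeration omits. The outputs below are
# constructed from the post; the domain prefix "FB\" is assumed.
export LC_ALL=C   # sort and comm must agree on collation

# Constructed stand-in for the output of: wbinfo -g
WBINFO_OUT='Domain Admins
Domain Users
directors
fb
robobobo
welles'

# Constructed stand-in for the output of: getent group | grep \\\\
GETENT_OUT='FB\Domain Admins:*:512:
FB\Domain Users:*:513:
FB\directors:*:1016:
FB\robobobo:*:1018:'

# Reduce getent lines of the form "FB\name:*:gid:" to bare group names.
nss_names() {
    sed -n 's/^[^\\]*\\\([^:]*\):.*/\1/p' | sort -u
}

# Print each group winbind lists that NSS enumeration does not.
#   $1: wbinfo -g output   $2: getent group output
missing_from_nss() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" | nss_names >"$tmp"
    printf '%s\n' "$1" | sort -u | comm -23 - "$tmp"
    rm -f "$tmp"
}

# On a live DC replace the constructed strings with:
#   missing_from_nss "$(wbinfo -g)" "$(getent group)"
missing_from_nss "$WBINFO_OUT" "$GETENT_OUT"
```

Each name it prints is a candidate for the "reverse-resolves only" behaviour shown above and can be probed individually with getent group NAME and getent group GID.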
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba