GID of the “Domain Users” resetting to 100 with a Samba AD DC


When you provision an Active Directory domain with Samba as a domain controller, you have the option of using RFC2307 attributes. This lets you control which Unix UID and GID numbers your users and groups get, and keeps those numbers consistent across all domain member servers running Samba, including the domain controllers themselves. You may nevertheless run into an, err, interesting issue with the “Domain Users” group.

Say you have set the GID of that group to 10513. Good enough, but on the domain controller it keeps resetting itself to 100. This usually happens only on the first domain controller you promoted in your domain. You can “reset” it to the correct GID number by issuing this command:

net cache flush

The problem is that after 2 to 15 minutes it will be back to 100: the command only throws away winbind's cached lookups, while the DC's own persistent SID-to-Unix-ID mapping in idmap.ldb still says 100 and wins again on the next lookup. If you also use the domain controller for file storage (reasonable in the Windows world, where a single licensed server often has to do everything; a bad idea in the free software world, where no licensing fees apply and containers/jails exist), this is more than an annoyance. If a shared folder's permissions grant access to “Domain Users”, and the GID number was 10513 at the moment those permissions were applied, they stop having any effect as soon as the GID becomes 100 again. Worse, on Debian/Ubuntu GID 100 is the local “users” group, so while the mapping is wrong every domain account effectively holds that group's permissions on the DC. Other machines will still see GID 10513, which messes things up further if you use NFS in addition to CIFS, since NFS carries the numeric IDs across hosts.

To solve this issue, you first need the SID of the “Domain Users” group in your specific domain. You may determine it with this command:

wbinfo -n "Domain Users"

Something like this will show up:

S-1-5-21-267120627-318859806-3577012832-513 SID_DOM_GROUP (2)

The SID starts with S-1-5-21- and ends with -513, which is the well-known RID of “Domain Users”; the numbers in between identify your domain. Now enter this command as root, replacing the SID with the one you got:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-267120627-318859806-3577012832-513

You may also need to change the path of the idmap.ldb file; the one above is the location used on Ubuntu/Debian systems. If in doubt, smbd -b prints the private directory of your build as PRIVATE_DIR.

The nano editor will open with these contents:

# editing 1 records
# record 1
dn: CN=S-1-5-21-267120627-318859806-3577012832-513
cn: S-1-5-21-267120627-318859806-3577012832-513
objectClass: sidMap
objectSid: S-1-5-21-267120627-318859806-3577012832-513
xidNumber: 100
distinguishedName: CN=S-1-5-21-267120627-318859806-3577012832-513

Find the line starting with “xidNumber” and replace 100 with 10513, or whatever you want the GID number to be. Pick a value that no other mapping in idmap.ldb and no local group in /etc/group already uses, otherwise two names will share one GID. Save and exit. Next, run

net cache flush

and check the result with wbinfo --sid-to-gid followed by the SID, or with getent group "Domain Users": the DC should now report 10513, and this time the problem will be gone for good.
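The same procedure as one non-interactive script, added here as an example; it is not code from the original post or from the Samba project. It uses ldbsearch and ldbmodify (shipped in ldb-tools alongside ldbedit) instead of opening an editor, refuses to write anything unless the SID it got from wbinfo really is the RID 513 group, and verifies through winbind afterwards. The --apply flag, the PRIVATE_DIR override and the default value of 10513 are this script's own conventions; the path /var/lib/samba/private is the Debian/Ubuntu default mentioned above, and the script assumes it runs as root on the DC.

```shell
#!/bin/sh
# Added example, not from the original post: fix the xidNumber of
# "Domain Users" in a Samba AD DC's idmap.ldb without an interactive editor.
# Assumptions: run as root on the DC; wbinfo, ldbsearch, ldbmodify and net
# are installed; PRIVATE_DIR defaults to the Debian/Ubuntu location.
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"
IDMAP_DB="$PRIVATE_DIR/idmap.ldb"

# Take the SID out of a "wbinfo -n" result line, e.g.
#   S-1-5-21-267120627-318859806-3577012832-513 SID_DOM_GROUP (2)
# Prints nothing if the line is not a domain group, so callers can bail out.
sid_from_wbinfo() {
    printf '%s\n' "$1" | awk '$1 ~ /^S-1-5-21-/ && $2 == "SID_DOM_GROUP" { print $1; exit }'
}

# RID 513 is the well-known RID of "Domain Users"; refuse to touch anything else.
is_domain_users_sid() {
    case "$1" in
        S-1-5-21-*-513) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the current xidNumber out of an ldbsearch dump of the mapping record.
xid_from_ldif() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "xidNumber" { print $2; exit }'
}

# LDIF that makes ldbmodify replace the xidNumber of one SID mapping
# (the record's dn is CN=<SID>, as shown by ldbedit above).
ldif_set_xid() {
    printf 'dn: CN=%s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n-\n' "$1" "$2"
}

# The whole procedure against the live DC.
fix_domain_users_gid() {
    want="$1"
    sid=$(sid_from_wbinfo "$(wbinfo -n 'Domain Users')")
    is_domain_users_sid "$sid" || { echo "unexpected SID for Domain Users: '$sid'" >&2; return 1; }

    current=$(xid_from_ldif "$(ldbsearch -H "$IDMAP_DB" "objectSid=$sid" xidNumber)")
    if [ "$current" = "$want" ]; then
        echo "idmap.ldb already maps $sid to $want"
    else
        echo "idmap.ldb maps $sid to ${current:-<nothing>}; setting $want"
        ldif_set_xid "$sid" "$want" | ldbmodify -H "$IDMAP_DB" || return 1
    fi

    # Drop winbind's cached answer, then check what winbind reports now.
    net cache flush
    got=$(wbinfo --sid-to-gid "$sid")
    if [ "$got" = "$want" ]; then
        echo "OK: $sid -> gid $got"
    else
        echo "winbind still reports gid '$got' for $sid" >&2
        return 1
    fi
}

# Only touch the DC when explicitly asked, e.g.:  ./fix-domain-users-gid.sh --apply 10513
if [ "${1:-}" = "--apply" ]; then
    fix_domain_users_gid "${2:-10513}"
fi
```

Without --apply the script only defines its functions, so you can source it and call sid_from_wbinfo or xid_from_ldif by hand to see what the DC currently holds before changing anything.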