[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)

steve steve at steve-ss.com
Tue Oct 29 04:54:53 MDT 2013


On Tue, 2013-10-29 at 10:32 +0000, Rowland Penny wrote:
> On 29/10/13 04:44, Trent W. Buck wrote:
> > When I do "getent group", I want to see the group's members enumerated.
> > With nss_ldap they are; with nss_winbind they aren't:
> >
> >      root at gumbo:~# getent group mgmt
> >      PI\mgmt:*:1040:
> >
> > There *are* members there (partially redacted):
> >
> >      root at gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
> >      # record 1
> >      dn: CN=mgmt,CN=Users,REDACTED
> >      member: CN=alice,CN=Users,REDACTED
> >      member: CN=bob,CN=Users,REDACTED
> >      member: CN=clara,CN=Users,REDACTED
> >      [...]
> >
> > Those members are users, not groups, by the way.
> >
> > I had a look at the manpages, and so far these guesses aren't helping.
> > I also tried increasing the "winbind expand groups = 4".
> >
> >      winbind enum groups     = yes
> >      winbind enum users      = yes
> >      winbind expand groups   = 1
> >
> >      # Automatically added during provisioning;
> >      # I don't know what it does.
> >      idmap_ldb:use rfc2307 = yes
> >
> > The main reason I want this, is so I can confirm that what libc sees on
> > the new samba4 host matches what libc sees on the old samba3 host.
> > Apart from anything else, new users & groups have been created since I
> > did a "domain classicupgrade", and I intend to just use samba-tool to
> > manually add them to the new host.
> >
> > Plan B is to use "samba-tool group listmembers" &c to check what's on
> > the new host, but I've had some troubles with nss_winbind not showing
> > some users and groups that samba-tool can see, so I'm leery of that.
> >
> I think that you have fallen into the 'S4 winbind != S3 winbind' trap; 
> it would seem that S4 winbind only knows about usernames, groupnames and 
> xidNumbers (uidNumbers & gidNumbers if present). The user's home directory 
> & login shell are hardcoded, but the shell can be overridden.
> 
> If I run 'getent group' on my S4 server, I get:
> 
> root:x:0:
> ..........
> HOME\Enterprise Read-Only Domain Controllers:*:3000019:
> HOME\Domain Admins:*:27:
> HOME\Domain Users:*:100:
> HOME\Domain Guests:*:65534:
> HOME\Domain Computers:*:3000018:
> HOME\Domain Controllers:*:3000020:
> HOME\Schema Admins:*:3000007:
> HOME\Enterprise Admins:*:3000006:
> HOME\Group Policy Creator Owners:*:3000004:
> HOME\Read-Only Domain Controllers:*:3000021:
> HOME\DnsUpdateProxy:*:3000022:
> HOME\adminusers:*:10000:
> 
> And if I run your (slightly modified) command line:
> samba-tool group list | while read x; do getent group HOME\\"$x" >/dev/null || echo MISSING: $x; done
> 
> MISSING: Allowed RODC Password Replication Group
> MISSING: Denied RODC Password Replication Group
> MISSING: Pre-Windows 2000 Compatible Access
> MISSING: Windows Authorization Access Group
> MISSING: Certificate Service DCOM Access
> MISSING: Network Configuration Operators
> MISSING: Terminal Server License Servers
> MISSING: Incoming Forest Trust Builders
> MISSING: Performance Monitor Users
> MISSING: Cryptographic Operators
> MISSING: Distributed COM Users
> MISSING: Performance Log Users
> MISSING: Remote Desktop Users
> MISSING: Account Operators
> MISSING: Event Log Readers
> MISSING: RAS and IAS Servers
> MISSING: Backup Operators
> MISSING: Server Operators
> MISSING: Print Operators
> MISSING: Administrators
> MISSING: Cert Publishers
> MISSING: Replicator
> MISSING: IIS_IUSRS
> MISSING: DnsAdmins
> MISSING: Guests
> MISSING: Users
> 
> You will notice that the top list is missing from the bottom list.
> 
> So, as Steve has said, if you want to get the job done, do not use 
> winbind, use anything else, but preferably sssd.
> 
> If you must use nss_ldapd, just remember that you are now pointing it at an 
> Active Directory, not OpenLDAP, and the connection lines are different.
> 
> Rowland

Hi everyone
If I may just point out one gotcha with nss_ldapd (nslcd): those objects
without the classes posixAccount and posixGroup _in the DN of the object_
need to be filtered on passwd and group. In a big domain, this is slow.
HTH
Steve
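As an added example (not code from anyone in this thread), the check Trent wants, extended from Rowland's one-liner: compare the groups the directory knows about (`samba-tool group list`) with what libc resolves through NSS (`getent group`), and for every group NSS does resolve, compare its directory members (`samba-tool group listmembers`) against the member column getent prints. The DOMAIN value and the sample group data are constructed assumptions; the three stand-in functions are there so it runs offline.

```sh
#!/bin/sh
# Added example, not code from the thread. DOMAIN and the sample data are
# constructed; replace the three stand-in functions to run against a real DC.

DOMAIN="${DOMAIN:-PI}"

# Offline stand-ins for the real commands. On a DC the bodies would be:
#   dir_groups:  samba-tool group list
#   dir_members: samba-tool group listmembers "$1"
#   nss_group:   getent group "$1"
dir_groups()  { printf '%s\n' "mgmt" "Domain Admins" "Backup Operators"; }
dir_members() {
    case "$1" in
        mgmt)            printf '%s\n' alice bob clara ;;
        "Domain Admins") printf '%s\n' Administrator ;;
        *)               : ;;
    esac
}
# Mimics getent: prints "name:passwd:gid:members", exit status 2 if unknown.
nss_group() {
    case "$1" in
        "$DOMAIN\\mgmt")          printf '%s\n' "$DOMAIN\\mgmt:*:1040:" ;;
        "$DOMAIN\\Domain Admins") printf '%s\n' "$DOMAIN\\Domain Admins:*:27:$DOMAIN\\administrator" ;;
        *)                        return 2 ;;
    esac
}

# Normalise a member list: one name per line, "DOMAIN\" prefix stripped,
# lower-cased, sorted, then joined with commas so two lists compare as strings.
norm() {
    tr ',' '\n' | sed "s/^${DOMAIN}\\\\//" | tr 'A-Z' 'a-z' | sed '/^$/d' \
        | sort | paste -sd, -
}

# Print one line per discrepancy: MISSING (group unknown to NSS) or
# MEMBERS (NSS member column differs from the directory). Silent if all agree.
check_groups() {
    dir_groups | while IFS= read -r g; do
        if ! line=$(nss_group "$DOMAIN\\$g"); then
            echo "MISSING: $g"
            continue
        fi
        want=$(dir_members "$g" | norm)
        have=$(printf '%s\n' "${line##*:}" | norm)
        [ "$want" = "$have" ] || echo "MEMBERS: $g: directory=[$want] nss=[$have]"
    done
}

check_groups
```

With the sample data this reports the empty member column for mgmt (the symptom in the original post) and the group NSS cannot resolve at all.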

