[Samba] default backend = rid not showing full group information for users

Jelle de Jong jelledejong at powercraft.nl
Sat May 2 17:59:28 UTC 2020 

On 2020-05-02 16:42, Rowland penny via samba wrote:
> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>> Am I wrong to expect that id user and getent group should list me the 
>> groups the user is part of.
>>
>> For example wbinfo --group-info=office shows me that user jdoe and 
>> lgaga are part of the group, but then when doing id jdoe or id lgaga 
>> the office group is not shown, neither in getent group.
>>
>> What should I change in my config to have full group information working?
>>
>> root at samba01:~# wbinfo --group-info=development
>> development:x:11111:jdoe
>>
>> root at samba01:~# wbinfo --group-info=office
>> office:x:11106:lgaga,jdoe
>>
>> root at samba01:~# getent passwd lgaga
>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>
>> root at samba01:~# getent passwd jdoe
>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>
>> root at samba01:~# id jdoe
>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
>> users),11157(jdoe),3001(BUILTIN\users)
>>
>> root at samba01:~# id lgaga
>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
>> users),11155(lgaga),3001(BUILTIN\users)
>>
>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>> Hello everybody,
>>>
>>> I am trying to use the backend = rid but it is not showing me group 
>>> information of the users after adding the user to the domain groups...
>>>
>>> What should I do to have the full group info for the users available?
> Get the user to login ;-)
>>>
>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>> # All domain's user accounts and groups are automatically available 
>>> on the domain member.
> 
> That means that all user accounts will be shown by 'getent passwd' and 
> all groups will be shown by 'getent group', it doesn't mean that 'id' 
> will show every group a user is a member of. You can only be sure of 
> getting a full list of a users groups if the user has logged in.

So I log in as user jdoe and I still do not have access to the group...:

jdoe at samba01:~$ getent group | grep jdoe
development:x:11111:jdoe
office:x:11106:jdoe,lgaga
domain users:x:10513:jdoe,lgaga,administrator,krbtgt

jdoe at samba01:~$ id jdoe
uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
users),11157(jdoe),3001(BUILTIN\users)

jdoe at samba01:~$ touch test.txt
jdoe at samba01:~$ chgrp "domain users" test.txt #works!!
jdoe at samba01:~$ chgrp office test.txt
chgrp: changing group of 'test.txt': Operation not permitted

Why are the group development and office not available for the users 
part of this group?

Kind regards,

Jelle de Jong

More information about the samba mailing list