[Samba] Problem idmap_ad
Rowland Penny
rpenny at samba.org
Wed Dec 14 14:08:34 UTC 2022
On 14/12/2022 13:37, Leszek Szczepanowski wrote:
> Yup,
>
> It was me, with a slightly different problem. That I fixed myself even
> before you were able to respond, but the way you respond - thanks anyway.
> What surprises me however is why if we ask for a group with wbinfo, we
> can add any suffix to the existing group in a query, and the result is
> always like without a suffix.

Cannot really help you with that, but I presume winbind removes the
domain before checking.

> I can't see any sense in this, but during my investigation the
> different mapping for the same group resulted in the answer:
>
> wbinfo --lookup-sids="S-1-5-21-725345543-1060284298-1708537768-513"
> S-1-5-21-725345543-1060284298-1708537768-513 -> <none>\Domain Users 2
>
> And when I tried to query about this "Domain Users 2" it returned
> "Domain Users". Then I tried to query for "Domain Users anystring" and
> it also returned "Domain Users".
> Is it a bug, or a feature? :)

Neither, it is a lack of knowledge. What 'wbinfo -g' does is that it
lists the entire AD group list; you cannot ask it directly for
information about one group. If you want to check if a group exists, you
have to pipe the output through grep, e.g. 'wbinfo -g | grep "domain
users"' (note the group name must all be in lowercase). However, just
because wbinfo says a group exists, this does not mean that the Unix OS
knows it; this is where winbind, a correctly set up smb.conf and
nsswitch come in: 'getent group' must show the group.

Try running 'wbinfo --help' to show just what wbinfo is capable of.

Rowland
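
The two checks described in the reply above (is the group in the 'wbinfo -g' listing, and does 'getent group' show it), as an added example that is not part of the original post. The function names and the RESOLVE override are hypothetical, introduced here so the logic can be exercised without a domain member.

```shell
#!/bin/sh
# Added example: report AD groups that winbind lists but NSS cannot resolve.
# RESOLVE is a hypothetical override hook; by default it is 'getent group'.
: "${RESOLVE:=getent group}"

# Reads group names (one per line, as printed by 'wbinfo -g') on stdin and
# prints those for which the resolver returns no entry. Such groups exist
# in AD but are unknown to the Unix side (idmap/nsswitch not working for them).
unresolved_groups() {
    while IFS= read -r grp; do
        [ -n "$grp" ] || continue
        # $RESOLVE is intentionally unquoted so 'getent group' splits in two.
        $RESOLVE "$grp" >/dev/null 2>&1 || printf '%s\n' "$grp"
    done
}

# Whole-line, case-insensitive test against a 'wbinfo -g' listing on stdin.
# A plain substring grep for "domain users" would also match a line such as
# "domain users 2"; -x requires the entire line to match, -F disables regex
# interpretation (relevant for DOMAIN\group style names).
group_listed() {
    grep -Fixq -- "$1"
}

# On a domain member, list every group winbind knows that NSS does not.
if command -v wbinfo >/dev/null 2>&1; then
    wbinfo -g | unresolved_groups
fi
```

An empty result on a domain member means every group winbind lists is also visible through 'getent group'.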