Samba4 wbinfo -i output

steve steve at steve-ss.com
Sun May 6 14:24:54 MDT 2012


On 05/06/2012 07:58 PM, Gémes Géza wrote:
> On 2012-05-06 18:08, steve wrote:
>> On 05/06/2012 03:58 PM, Gémes Géza wrote:
>>> On 2012-05-06 11:43, steve wrote:
>>>> On 06/05/12 10:10, Gémes Géza wrote:
>>>>> On 2012-05-06 09:43, steve wrote:
>>>>>> On 05/06/2012 09:22 AM, Andrew Bartlett wrote:
>>>>>>> On Sun, 2012-05-06 at 09:06 +0200, steve wrote:
>>>>>>>
>>>> Hi
>>>> Or just store the attributes you need in the directory and forget
>>>> winbind no?
>>>> Cheers,
>>>> Steve
>>> Without winbind you lose the ability to have nested groups.
>>>
>>> Regards
>>>
>>> Geza
>> Hi
>> Does that mean not being able to have a group as a member of another
>> group? If so, what disadvantages does that have? The schema allows me
>> the same with or without winbind doesn't it? Maybe getent would have
>> problems?
>> Cheers,
>> Steve
>>
> I haven't tried it but in theory libnss-ldap and (also untested)
> libnss-ldapd doesn't support recursive lookup for group members. So
> getent group would list only users and first level groups.
>
> Regards
>
> Geza
Hi Geza
No. nss-ldapd does a superb job of AD group mappings as recursively deep 
as you want. And very fast. The ldapd dev helped us with the AD 
mappings. In fact as of the latest version, we need only 2:

cat /etc/nslcd.conf

uid nslcd
gid nslcd
uri ldap://sam4dc.polop.site
base dc=polop,dc=site
map    passwd    uid    samAccountName
map    passwd    homeDirectory    unixHomeDirectory
#map    group    uniqueMember    member
sasl_mech GSSAPI
sasl_realm POLOP.SITE
krb5_ccname /tmp/nslcd.tkt

Previous versions needed the commented-out mapping too. As of version 
0.8, it goes into the DN to extract the members as well as members by 
primaryGroupID.
e.g.
getent passwd steve2
steve2:*:3000011:20513:steve2:/home2/CACTUS/staff/steve2:/bin/bash

getent group staff
staff:*:21108:lynn2,steve2

dn: CN=steve2,CN=Users,DC=polop,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120505174235.0Z
uSNCreated: 3735
name: steve2
objectGUID: 70cea1cc-2d1a-4301-b80d-695244824f8d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-216190789-1528428426-2244757706-1107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2@polop.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
pwdLastSet: 129807133550000000
userAccountControl: 512
uidNumber: 3000011
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
profilePath: \\sam4dc\profiles\steve2
homeDrive: Z:
unixHomeDirectory: /home2/CACTUS/staff/steve2
homeDirectory: \\sam4dc\staff\steve2
primaryGroupID: 513
gidNumber: 20513
whenChanged: 20120506190835.0Z
uSNChanged: 3824
memberOf: CN=staff,CN=Users,DC=polop,DC=site
distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site

dn: CN=staff,CN=Users,DC=polop,DC=site
cn: staff
instanceType: 4
whenCreated: 20120505174317.0Z
uSNCreated: 3741
name: staff
objectGUID: a94ceff6-3078-4ef0-a763-67cb79c7eb25
objectSid: S-1-5-21-216190789-1528428426-2244757706-1108
sAMAccountName: staff
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21108
member: CN=steve2,CN=Users,DC=polop,DC=site
member: CN=lynn2,CN=Users,DC=polop,DC=site
whenChanged: 20120506192028.0Z
uSNChanged: 3828
distinguishedName: CN=staff,CN=Users,DC=polop,DC=site

dn: CN=Domain Users,CN=Users,DC=polop,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20120505165503.0Z
uSNCreated: 3540
name: Domain Users
objectGUID: 5fec110b-1b55-4ff8-812f-f4e9d033b9ec
objectSid: S-1-5-21-216190789-1528428426-2244757706-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=polop,DC=site
gidNumber: 20513
objectClass: top
objectClass: posixGroup
objectClass: group
whenChanged: 20120506190833.0Z
uSNChanged: 3821
distinguishedName: CN=Domain Users,CN=Users,DC=polop,DC=site

Note: the primaryGroupID determines the default group. There is 
currently a bug in the schema which does not remove the memberOf 
attribute when changing primaryGroupID. This is the subject of another 
thread here. The workaround is to run samba-tool dbcheck --fix after 
changing group ids.

We add 20000 to the rid of the primaryGroup to make it more readable and 
to stop it colliding with our local groups. All based upon an idea by 
Geza back in December:-) We call it s4bind. Details here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Cheers,
Steve
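To show the group resolution described in this message (explicit member DNs plus accounts whose primaryGroupID points at the group's RID, with the gidNumber = RID + 20000 s4bind convention), here is an added Python example; it is not part of the original post and not nslcd's own code, and it runs over a constructed LDIF excerpt modelled on the entries quoted above.

```python
# Constructed LDIF excerpt modelled on the thread's entries (not real directory data).
SAMPLE_LDIF = """dn: CN=steve2,CN=Users,DC=polop,DC=site
sAMAccountName: steve2
primaryGroupID: 513

dn: CN=lynn2,CN=Users,DC=polop,DC=site
sAMAccountName: lynn2
primaryGroupID: 513

dn: CN=staff,CN=Users,DC=polop,DC=site
sAMAccountName: staff
objectSid: S-1-5-21-216190789-1528428426-2244757706-1108
gidNumber: 21108
member: CN=steve2,CN=Users,DC=polop,DC=site
member: CN=lynn2,CN=Users,DC=polop,DC=site

dn: CN=Domain Users,CN=Users,DC=polop,DC=site
sAMAccountName: Domain Users
objectSid: S-1-5-21-216190789-1528428426-2244757706-513
gidNumber: 20513"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles plain LDIF only (no folding/base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def rid(sid):
    """The RID is the last sub-authority of the objectSid."""
    return int(sid.rsplit("-", 1)[1])

def group_members(entries, group_dn):
    """Explicit `member` DNs plus accounts whose primaryGroupID equals the group's RID."""
    grp = entries[group_dn]
    names = {entries[dn]["sAMAccountName"][0] for dn in grp.get("member", []) if dn in entries}
    for e in entries.values():  # primary-group membership is not stored in `member`
        if e.get("primaryGroupID", [""])[0] == str(rid(grp["objectSid"][0])):
            names.add(e["sAMAccountName"][0])
    return sorted(names)

def getent_group(entries, group_dn):
    """Render the group as `getent group` prints it (gid is RID + 20000 in the s4bind scheme)."""
    grp = entries[group_dn]
    return "%s:*:%s:%s" % (grp["sAMAccountName"][0], grp["gidNumber"][0], ",".join(group_members(entries, group_dn)))
```

Note that "Domain Users" has no `member` attribute at all in the sample, so its membership comes purely from primaryGroupID, which is why nslcd older than 0.8 showed it empty.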
