samba4 - strange inconsistency in group membership

"Dr. Hansjörg Maurer" hansjoerg.maurer at itsd.de
Tue Jul 22 14:23:37 MDT 2014


Hi

I found the reason for this behavior and will therefore answer the
question below myself...

On 21.07.2014 15:16, Dr. Hansjoerg Maurer wrote:
> Hi
>
>
>
> we have a samba4 based AD and I put several users into a windows group test_group using MMC.
>
>
> The group membership is shown if I query it using
>
> samba-tool group listmembers test_group
> ...
> and if I do an
> id -a 
> on a user in this group (using winbind on the samba4 AD-DC) 
>
>
>
> But if I query the group using
>
> ldapsearch  -P 3 -x -W -D "CN=A,OU=Users,DC=TEST-AD,DC=LAN" -H ldap://localhost  -b "DC=TEST-AD,DC=LAN" -s sub "(cn=test_group)"
>
> member: CN=Firstname Lastname,OU=Users,DC=TEST-AD,DC=LAN
>
> ...
>
>
> or
>
>
> ldbedit -e vi -H /etc/samba/sam.ldb
>
>
> only some (about half) of the members of the group are shown.
> What could be the reason for this inconsistency?

The users who are not listed as members of the group using ldapsearch
or ldbedit
became members of the group by setting the group as their primaryGroupID.
Therefore this implicit membership is not added as an explicit member
in the group object.

Unix (winbind) and Windows (MMC) honor and resolve this implicit membership.
The ldap query above does not.

Regards

Hansjörg



>
> Regards
>
> Hansjörg 
>
>
>
>
>
>
>
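Added example (not part of the original message): a Python sketch that resolves both kinds of membership described above, by taking the RID from the group's binary objectSid and matching it against each user's primaryGroupID alongside the explicit member values. It assumes the directory exposes objectSid, memberOf and primaryGroupID as Active Directory does; the function names are hypothetical, and the SID, the RID 1105 and the user entries are constructed sample data.

```python
import struct

def rid_from_sid(sid: bytes) -> int:
    """Return the RID (last sub-authority) of a binary objectSid value."""
    if len(sid) < 8 or sid[0] != 1 or sid[1] < 1 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed objectSid")
    return struct.unpack_from("<I", sid, len(sid) - 4)[0]

def escape_filter(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515)."""
    value = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value

def effective_members_filter(group_dn: str, group_sid: bytes) -> str:
    """Filter matching explicit members and users whose primary group this is."""
    return "(|(memberOf=%s)(primaryGroupID=%d))" % (
        escape_filter(group_dn), rid_from_sid(group_sid))

def effective_members(group: dict, users: list) -> dict:
    """Map each member DN to the reason(s) it counts as a member."""
    rid = rid_from_sid(group["objectSid"])
    explicit = {dn.lower() for dn in group.get("member", [])}
    result = {}
    for user in users:
        why = []
        if user["dn"].lower() in explicit:
            why.append("member")
        if user.get("primaryGroupID") == rid:
            why.append("primaryGroupID")
        if why:
            result[user["dn"]] = why
    return result

# Constructed sample data: domain SID S-1-5-21-1-2-3, group RID 1105.
BASE = "OU=Users,DC=TEST-AD,DC=LAN"
GROUP = {
    "dn": "CN=test_group," + BASE,
    "objectSid": bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 1105),
    "member": ["CN=Alice Example," + BASE],   # explicit member
}
USERS = [
    {"dn": "CN=Alice Example," + BASE, "primaryGroupID": 513},
    {"dn": "CN=Bob Example," + BASE, "primaryGroupID": 1105},  # implicit only
    {"dn": "CN=Carol Example," + BASE, "primaryGroupID": 513},
]

if __name__ == "__main__":
    print(effective_members_filter(GROUP["dn"], GROUP["objectSid"]))
    print(effective_members(GROUP, USERS))
```

The printed filter can be passed to ldapsearch in place of a filter on the group object, so that an access review sees the implicit members as well.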




More information about the samba-technical mailing list