samba4 - strange inconsistency in group membership

steve steve at steve-ss.com
Wed Jul 23 00:11:09 MDT 2014


On Tue, 2014-07-22 at 22:23 +0200, "Dr. Hansjörg Maurer" wrote:
> Hi
> 
> found the reason for this behavior and therefore will answer below the
> question here myself...
> 
> On 21.07.2014 15:16, Dr. Hansjoerg Maurer wrote:
> > Hi
> >
> >
> >
> > we have a samba4 based AD and I put several users into a windows group test_group using MMC.
> >
> >
> > The group membership is shown, if  I query it using
> >
> > samba-tool group listmembers test_group
> > ...
> > and if I do an
> > id -a 
> > on a user in this group (using winbind on the samba4 AD-DC) 
> >
> >
> >
> > But if I query the group using
> >
> > ldapsearch  -P 3 -x -W -D "CN=A,OU=Users,DC=TEST-AD,DC=LAN" -H ldap://localhost  -b "DC=TEST-AD,DC=LAN" -s sub "(cn=test_group)"
> >
> > member: CN=Firstname Lastname,OU=Users,DC=TEST-AD,DC=LAN
> >
> > ...
> >
> >
> > or
> >
> >
> > ldbedit -e vi -H /etc/samba/sam.ldb
> >
> >
> > only some (about the half) members of the group are shown.
> > What could be the reason for this inconsistency?
> 
> The users who are not listed as members of the group using ldapsearch
> or ldbedit
> became members of the group by setting the group as their primaryGroupID.
> Therefore this implicit membership is not added as an explicit member
> in the group object.
> 
> Unix (winbind) and Windows (MMC) honor and resolve this implicit membership.
> The ldap query above does not.
> 
> Regards
> 
> Hansjörg

Hi
The group object will only contain the member attribute for those group
members who are not primary group members. Not sure why you need this
but I'm guessing scripting. If so, try the Unix group command. This
works exactly as expected under sssd and winbind.
HTH
Steve
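
Added example, not part of the original thread: when group membership is audited from an LDIF export (for instance saved ldapsearch output), the full membership is the group's member values plus every account whose primaryGroupID equals the RID at the end of the group's objectSid. The SID, RID and user names below are constructed sample data, and the helper names are hypothetical.

```python
import base64
import struct

def parse_ldif(text):
    """Minimal LDIF reader: unfold lines, split entries, decode 'attr:: base64'."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def rid_from_sid(sid):
    """The RID is the last 32-bit little-endian sub-authority of a binary SID."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]

def group_members(entries, group_cn):
    """Return (explicit, implicit): 'member' DNs and DNs whose primaryGroupID is the group's RID."""
    group = next(e for e in entries if e.get("cn") == [group_cn])
    rid = str(rid_from_sid(group["objectsid"][0]))
    explicit = set(group.get("member", []))
    implicit = {e["dn"][0] for e in entries if e.get("primarygroupid") == [rid]}
    return explicit, implicit

# Constructed sample data: SID S-1-5-21-1111-2222-3333-1105 and made-up user names.
SAMPLE_SID = struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)
SAMPLE_LDIF = f"""\
dn: CN=test_group,OU=Users,DC=TEST-AD,DC=LAN
objectClass: group
cn: test_group
objectSid:: {base64.b64encode(SAMPLE_SID).decode()}
member: CN=User One,OU=Users,DC=TEST-AD,DC=LAN

dn: CN=User One,OU=Users,DC=TEST-AD,DC=LAN
primaryGroupID: 513

dn: CN=User Two,OU=Users,DC=TEST-AD,DC=LAN
primaryGroupID: 1105
"""

if __name__ == "__main__":
    explicit, implicit = group_members(parse_ldif(SAMPLE_LDIF), "test_group")
    print("member attribute:", sorted(explicit))
    print("primaryGroupID  :", sorted(implicit))
```

The union of the two sets is what winbind and MMC report; the member attribute alone yields only the first set.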




