AW: samba4 - strange inconsistency in group membership

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Wed Jul 23 05:44:29 MDT 2014 

 
 
-----Ursprüngliche Nachricht-----
> Von:steve <steve at steve-ss.com>
> Gesendet: Mit 23 Juli 2014 08:13
> An: samba-technical at lists.samba.org
> Betreff: Re: samba4 - strange inconsistency in group membership
> 
> On Tue, 2014-07-22 at 22:23 +0200, "Dr. Hansjörg Maurer" wrote:
> > Hi
> > 
> > found the reason for this behavior and therefore will answer below the
> > question here myself...
> > 
> > Am 21.07.2014 15:16, schrieb Dr. Hansjoerg Maurer:
> > > Hi
> > >
> > >
> > >
> > > we have a samba4 based AD and I put several users into a windows group test_group using MMC.
> > >
> > >
> > > The group membership is shown, if  I query it using
> > >
> > > samba-tool group listmembers test_group
> > > ...
> > > and if a do an 
> > > id -a 
> > > on a user in this group (using winbind on the samba4 AD-DC) 
> > >
> > >
> > >
> > > But if I query the group using
> > >
> > > ldapsearch  -P 3 -x -W -D "CN=A,OU=Users,DC=TEST-AD,DC=LAN" -H ldap://localhost  -b "DC=TEST-AD,DC=LAN" -s sub "(cn=test_group)"
> > >
> > > member: CN=Firstname Lastname,OU=Users,DC=TEST-AD,DC=LAN
> > >
> > > ...
> > >
> > >
> > > or
> > >
> > >
> > > ldbedit -e vi -H /etc/samba/sam.ldb
> > >
> > >
> > > only some (about the half) members of the group are shown.
> > > What could be the reason for this inconsitency
> > 
> > The users, which are not listed as member of  the group using ldapsearch
> > or ldbedit, 
> > became member of the group by setting the group as there  primaryGroupID.
> > Therefore this implicit membership ist not added as an explicit member
> > in the group object.
> > 
> > Unix (winbind) and Windows (MMC) honor and resolve this implicit membership.
> > The ldap query above does not.
> > 
> > Regards
> > 
> > Hansjörg
> 
> Hi
> The group object will only contain the member attribute for those group
> members who are not primary group members. Not sure why you need this
> but I'm guessing scripting. If so, try the Unix group command. This
> works exactly as expected under sssd and winbind,.
> HTH
> Steve
> 

Hi Steve

thank you for calrification. 

We use the samba4 AD as user and group backend for a zarafa mail server
and zarafa queries the AD for mail enabled distribution groups and group permissions
by doing an ldap search on a ldap_groupmembers_attribute

# Optional, default = member
# Active directory: member
# LDAP: memberUid
ldap_groupmembers_attribute = member

And therefore we noticed, that the implicit group membership over the primaryGroupID is not honored 
bei zarafa.

Regards

Hansjörg

More information about the samba-technical mailing list