Expand groups with Samba 4.15

Andreas Schneider asn at samba.org
Tue Jun 28 14:24:28 UTC 2022 

On Tuesday, June 28, 2022 2:50:10 PM CEST Rowland Penny via samba-technical 
wrote:
> On Tue, 2022-06-28 at 14:23 +0200, Robert Weilharter via samba-
> 
> technical wrote:
> > We have the following AD-setup:
> > 
> > Domain: USERS: Most regular users and groups exist in this domain
> > Subdomain: SERVER.USERS: samba server is joined in this domain
> 
> I take it, that by 'Domain' you mean 'netbios domain'. if so, you
> shouldn't use a period in one, so your netbios domain should be
> something like 'SERVERUSERS' or 'SERVER_USERS', a bit late now.
> 
> > smb.conf has "winbind expand groups = 1"
> > 
> > After upgrade to 4.15 (latest version on RHEL 8) "wbinfo --group-
> > info
> > USERS\\somegroup" did not expand groupmembers.
> > 
> > Reason is, the default for "winbind scan trusted domains" changed to
> > "no".
> > 
> > Queries for users in domain USERS with wbinfo still work as
> > expected.
> > Most queries regarding
> > groups do not work at all (group not shown) or give incomplete
> > results
> > (no group members expanded).
> > 
> > All queries for users and groups in SERVER.USERS work as expected.
> > 
> > After setting "winbind scan trusted domains = yes" everything works
> > as
> > it did with version 4.11.
> > 
> > The release notes for 4.15 state "`winbind scan trusted domains` will
> > be
> > deprecated in one of the next releases."
> > 
> > In our current setup this parameter is needed.
> > 
> > Is this expected behavior, or should we report a bug?
> 
> Probably both.
> I came to the same conclusion yesterday while replying to a post on the
> samba mailing list, I was awaiting a reply to that, to confirm it one
> way or another. It looks like I do not have to wait.
> 
> Rowland

You will never get a correct picture with `wbinfo --group-info` this worked in 
NT4 times but not in an AD with forests and different kind of trust.

We only get a valid picture about a users groups during login. The DC is able 
to collect those information. A domain member with just a machine account 
doesn't have the necessary privileges to get a full picture. If it does work 
for you, then because your domain setup might be simple enough.

Don't rely on `wbinfo --group-info` to be 100% complete!


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the samba-technical mailing list