Expand groups with Samba 4.15

Rowland Penny rpenny at samba.org
Tue Jun 28 14:44:52 UTC 2022


On Tue, 2022-06-28 at 16:24 +0200, Andreas Schneider wrote:
> On Tuesday, June 28, 2022 2:50:10 PM CEST Rowland Penny via
> samba-technical wrote:
> > On Tue, 2022-06-28 at 14:23 +0200, Robert Weilharter via
> > samba-technical wrote:
> > > We have the following AD-setup:
> > > 
> > > Domain: USERS: Most regular users and groups exist in this domain
> > > Subdomain: SERVER.USERS: samba server is joined in this domain
> > 
> > I take it that by 'Domain' you mean 'netbios domain'. If so, you
> > shouldn't use a period in one, so your netbios domain should be
> > something like 'SERVERUSERS' or 'SERVER_USERS', a bit late now.
> > 
> > > smb.conf has "winbind expand groups = 1"
> > > 
> > > After upgrade to 4.15 (latest version on RHEL 8)
> > > "wbinfo --group-info USERS\\somegroup" did not expand group members.
> > > 
> > > Reason is, the default for "winbind scan trusted domains" changed
> > > to "no".
> > > 
> > > Queries for users in domain USERS with wbinfo still work as expected.
> > > Most queries regarding groups do not work at all (group not shown)
> > > or give incomplete results (no group members expanded).
> > > 
> > > All queries for users and groups in SERVER.USERS work as expected.
> > > 
> > > After setting "winbind scan trusted domains = yes" everything works
> > > as it did with version 4.11.
> > > 
> > > The release notes for 4.15 state "`winbind scan trusted domains`
> > > will be deprecated in one of the next releases."
> > > 
> > > In our current setup this parameter is needed.
> > > 
> > > Is this expected behavior, or should we report a bug?
> > 
> > Probably both.
> > I came to the same conclusion yesterday while replying to a post on
> > the samba mailing list, I was awaiting a reply to that, to confirm it
> > one way or another. It looks like I do not have to wait.
> > 
> > Rowland
> 
> You will never get a correct picture with `wbinfo --group-info`; this
> worked in NT4 times but not in an AD with forests and different kinds
> of trust.
> 
> We only get a valid picture about a user's groups during login. The DC
> is able to collect that information. A domain member with just a
> machine account doesn't have the necessary privileges to get a full
> picture. If it does work for you, then because your domain setup might
> be simple enough.
> 
> Don't rely on `wbinfo --group-info` to be 100% complete!
> 
> 
> 	Andreas

I never said you could rely on 'wbinfo --group-info', I was commenting
on the fact that two users were having different but connected problems
since the default for 'winbind scan trusted domains' was changed to
'no'. 

Rowland




