[Samba] getent group not listing domain groups / wbinfo -r not working

Ľubomír Brindza lubomir.brindza at gmail.com
Wed Sep 21 08:29:50 MDT 2011


Update. Ugly hacks abound, be warned.

> As far as I can tell, nsswitch.conf is also configured properly, since
> `getent passwd` dumps local users, waits about .2 seconds, and dumps
> domain users:
>> sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
>> adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false
> (All domain users are members of group '10001', is this normal?)
As I've found out, `getent passwd` lists users and their *primary*
AD group, which is 'Domain Users' by default. After changing the user's
primary group (and restarting the whole server, unsure how often wbinfo
refreshes its data), `getent passwd` shows users along with their new
primary group (the one I'm actually looking for).

Please note that at my organization, there is very little to no overlap
between different AD groups, so this ugly ha^H^H^H fix may not
necessarily work out for you. I'm using 'plain' AD -> UID/GID identity
mapping, and you might want to use the idmap_rid backend.

Since `wbinfo -r <user>` still fails, however, I've resorted to altering
the wbinfo_group.pl script shipped with squid (it's used to check
whether a user belongs to a group). Patch attached; don't laugh :>

I understand that this could result in a large performance hit (among
other things), but so far it's working as intended.

Please don't hesitate to point out the flaws.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ad_group.patch
URL: <http://lists.samba.org/pipermail/samba/attachments/20110921/487310bb/attachment.ksh>
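
Added example (not the attached ad_group.patch, which is not reproduced on this page, and not Squid's own code): a group check over `getent passwd` / `getent group` formatted data that counts a user's primary GID as well as the group's explicit member list, and denies on any unknown user or group. The function names, the sample lines, the group names and the case-insensitive name matching are assumptions made for illustration.

```python
# Constructed sample data in `getent passwd` / `getent group` format.
# UIDs/GIDs follow the style of the post; group names are invented.
PASSWD = """\
sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
adam.szabados:*:10284:10002:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false
"""
GROUP = """\
domain users:*:10001:
internet:*:10002:
vpn:*:10003:sasa.sokolova
"""


def parse_passwd(text):
    """Map user name -> primary GID (4th field of a passwd line)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[3].isdigit():
            users[fields[0].lower()] = int(fields[3])
    return users


def parse_group(text):
    """Map group name -> (GID, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2].isdigit():
            members = {m.lower() for m in fields[3].split(",") if m}
            groups[fields[0].lower()] = (int(fields[2]), members)
    return groups


def user_in_group(user, group, users, groups):
    """True if `group` is the user's primary group or lists the user.

    Unknown users or groups are denied rather than guessed at.
    """
    user, group = user.lower(), group.lower()
    if user not in users or group not in groups:
        return False
    gid, members = groups[group]
    return users[user] == gid or user in members
```

A user whose primary group is the one being checked usually does not appear in that group's member list, which is why the primary GID comparison is needed in addition to the list lookup.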

