[Samba] Samba4 list members of an AD group

Andrew Bartlett abartlet at samba.org
Thu Mar 8 03:35:20 MST 2012


On Thu, 2012-03-08 at 09:00 +0100, steve wrote:
> Hi
> When I add the posixGroup class to an AD group, add a user to the group 
> and set their primaryGroupID, I can add members to the group:
> 
>    samba-tool group addmembers debusers lynn2
> ERROR(ldb): Failed to add members "lynn2" to group "debusers" - samldb: 
> member CN=lynn2,CN=Users,DC=hh3,DC=site already set via primaryGroupID 1106
> 
> where lynn2 is a user who has been added to the AD posix group debusers 
> with primaryID=1106
> 
> But I cannot see the entry
>   member: lynn2

Correct.  PrimaryGroupID acts like a member link, but without being a
member attribute.  Users with primaryGroupID are members of the domain
group with that RID. 

> when I look at the debusers dn using ldbsearch as I can under Domain 
> Users. The user appears as expected in Domain Users but not under debusers.
> 
> Everything works exactly as expected and debusers behaves as if it were 
> a normal AD group; ACEs, ACLs, permissions etc. work under both Win7 and 
> Linux etc.
> 1. Is there a samba-tool command to list members of a group?
> 2. Why do I lose the tabs on properties when I add the posixGroup class 
> to an AD group?

This is due to a bug/mis-feature of Active Directory Users and
Computers.  Unless you can show it is different on a Windows server, the
explanation is that the last objectClass value is used by ADUC to
determine what tab to show.  This in turn is determined by a sort of
objectClass values from least to most specific. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
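
Added example, not part of the original message or Samba's own code: computing a group's effective membership as the union of its `member` values and the users whose primaryGroupID equals the group's RID, which is why lynn2 is a member of debusers without appearing in `member`. The domain SID, the user alice, the RIDs 1107 and 1108, the debusers DN and the function names are constructed assumptions; RID 1106 and the lynn2 DN come from the thread.

```python
import struct

# Constructed sample entries, shaped like ldbsearch/LDAP results.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
GROUP = {"dn": "CN=debusers,CN=Users,DC=hh3,DC=site",       # DN assumed
         "objectSid": DOMAIN_SID + "-1106",
         "member": ["CN=alice,CN=Users,DC=hh3,DC=site"]}
USERS = [
    {"dn": "CN=lynn2,CN=Users,DC=hh3,DC=site",
     "objectSid": DOMAIN_SID + "-1107", "primaryGroupID": "1106"},
    {"dn": "CN=alice,CN=Users,DC=hh3,DC=site",
     "objectSid": DOMAIN_SID + "-1108", "primaryGroupID": "513"},
]


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid (the raw LDAP form) to its S-1-... string."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(sid: str):
    """Return (domain SID, RID) for a domain account or group SID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def effective_members(group, users):
    """Explicit 'member' DNs plus users linked only through primaryGroupID."""
    domain, rid = split_sid(group["objectSid"])
    explicit = sorted(group.get("member", []))
    # Equivalent directory query: (&(objectClass=user)(primaryGroupID=<rid>))
    implicit = sorted(
        u["dn"] for u in users
        if split_sid(u["objectSid"])[0] == domain      # same domain only
        and int(u["primaryGroupID"]) == rid
    )
    return {"explicit": explicit, "via_primary_group": implicit}


if __name__ == "__main__":
    print(effective_members(GROUP, USERS))
```

An audit that reads only the `member` attribute would report alice and miss lynn2.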



