[Samba] Samba4 list members of an AD group

steve steve at steve-ss.com
Thu Mar 8 04:27:18 MST 2012


On 03/08/2012 11:35 AM, Andrew Bartlett wrote:
> On Thu, 2012-03-08 at 09:00 +0100, steve wrote:
>> Hi
>> When I add the posixGroup class to an AD group, add a user to the group
>> and set their primaryGroupID, I can add members to the group:
>>
>>     samba-tool group addmembers debusers lynn2
>> ERROR(ldb): Failed to add members "lynn2" to group "debusers" - samldb:
>> member CN=lynn2,CN=Users,DC=hh3,DC=site already set via primaryGroupID 1106
>>
>> where lynn2 is a user who has been added to the AD posix group debusers
>> with primaryID=1106
>>
>> But I cannot see the entry
>>    member: lynn2
> Correct.  PrimaryGroupID acts like a member link, but without being a
> member attribute.  Users with primaryGroupID are members of the domain
> group with that RID.
>
>> when I look at the debusers dn using ldbsearch as I can under Domain
>> Users. The user appears as expected in Domain Users but not under debusers.
>>
>> Everything works exactly as expected and debusers behaves as if it were
>> a normal AD group; ACEs, ACLs, permissions etc. work under both Win7 and
>> Linux etc.
>> 1. Is there a samba-tool command to list members of a group?
>> 2. Why do I lose the tabs on properties when I add the posixGroup class
>> to an AD group?
> This is due to a bug/mis-feature of Active Directory Users and
> Computers.  Unless you can show it is different on a Windows server, the
> explanation is that the last objectClass value is used by ADUC to
> determine what tab to show.  This in turn is determined by a sort of
> objectClass values from least to most specific.
>
> Andrew Bartlett
Hi Andrew, Hi everyone.

Thanks for the explanation. We've no Windows server :-) but it would be
interesting to see if one threw up different tabs.

As for listing members in a group: is it possible? Really it's me being
lazy. It would save me writing a script to dig out group IDs from the ldb.

Thanks,
Steve
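
An added example, not part of the original thread and not Samba's own code: because primaryGroupID links a user to a group without a `member` value, an audit of who is in a group has to combine both sources. The sketch below assumes LDIF text in the shape ldbsearch prints, with objectSid in string form; the sample data is constructed, and the domain SID and the user "bob" are made up.

```python
import re

# Constructed sample in the shape of ldbsearch LDIF output. The domain SID
# and the user "bob" are made up; lynn2/debusers/1106 come from the thread.
SAMPLE_LDIF = """\
dn: CN=debusers,CN=Users,DC=hh3,DC=site
objectClass: group
objectClass: posixGroup
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
member: CN=bob,CN=Users,DC=hh3,DC=site

dn: CN=lynn2,CN=Users,DC=hh3,DC=site
primaryGroupID: 1106

dn: CN=bob,CN=Users,DC=hh3,DC=site
primaryGroupID: 513
"""

def parse_ldif(text):
    """Parse plain LDIF into a list of {attr_lowercased: [values]} dicts."""
    text = text.replace("\n ", "")  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            # Skip comments, malformed lines and base64 ("attr:: ...") values.
            if line.startswith("#") or not sep or value.startswith(":"):
                continue
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def effective_members(entries, group_dn):
    """Map each member DN to how it is linked: 'member' or 'primaryGroupID'."""
    group = next((e for e in entries if e["dn"][0].lower() == group_dn.lower()), None)
    if group is None:
        raise LookupError(f"group not found: {group_dn}")
    rid = group["objectsid"][0].rsplit("-", 1)[1]  # RID = last SID component
    found = {dn: "member" for dn in group.get("member", [])}
    for e in entries:
        if rid in e.get("primarygroupid", []):
            found.setdefault(e["dn"][0], "primaryGroupID")
    return found

if __name__ == "__main__":
    for dn, how in effective_members(parse_ldif(SAMPLE_LDIF), "CN=debusers,CN=Users,DC=hh3,DC=site").items():
        print(f"{how:15} {dn}")
```

Entries linked only through primaryGroupID are the ones a search on the group's `member` attribute alone would miss.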


