[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)
Trent W. Buck
trentbuck at gmail.com
Sun Oct 27 18:32:16 MDT 2013
trentbuck at gmail.com (Trent W. Buck) writes:
> I wouldn't even care about this, but nss_winbind sees fewer accounts
> than wbinfo which in turn sees fewer accounts than samba-tool!
Hm, since it has been a couple of weeks since my last post, I decided to
recheck these symptoms -- they're *nearly* gone!
Note the last line is a site-specific group, whereas the rest look like
wacky internal AD things.
root@gumbo:~# samba-tool user list | while read x; do getent passwd $x >/dev/null || echo MISSING: $x; done
root@gumbo:~# samba-tool group list | while read x; do getent group $x >/dev/null || echo MISSING: $x; done
MISSING: Allowed RODC Password Replication Group
MISSING: Enterprise Read-Only Domain Controllers
MISSING: Denied RODC Password Replication Group
MISSING: Pre-Windows 2000 Compatible Access
MISSING: Windows Authorization Access Group
MISSING: Certificate Service DCOM Access
MISSING: Network Configuration Operators
MISSING: Terminal Server License Servers
MISSING: Incoming Forest Trust Builders
MISSING: Read-Only Domain Controllers
MISSING: Group Policy Creator Owners
MISSING: Performance Monitor Users
MISSING: Cryptographic Operators
MISSING: Distributed COM Users
MISSING: Performance Log Users
MISSING: Remote Desktop Users
MISSING: Account Operators
MISSING: Event Log Readers
MISSING: RAS and IAS Servers
MISSING: Backup Operators
MISSING: Domain Controllers
MISSING: Server Operators
MISSING: Enterprise Admins
MISSING: Print Operators
MISSING: Administrators
MISSING: Domain Computers
MISSING: Cert Publishers
MISSING: Domain Admins
MISSING: Domain Guests
MISSING: Schema Admins
MISSING: Domain Users
MISSING: Replicator
MISSING: IIS_IUSRS
MISSING: DnsAdmins
MISSING: Guests
MISSING: Users
MISSING: pi
root@gumbo:~# grep -vE '^[[:space:]]*(#|$)' /etc/samba/smb.conf
[global]
server role = active directory domain controller
realm = PI.PLANETINNOVATION.COM.AU
workgroup = PI
idmap_ldb:use rfc2307 = yes
winbind enum groups = yes
winbind enum users = yes
syslog only = yes
syslog = 3
debug timestamp = no
panic action = /usr/share/samba/panic-action %d
interfaces = 172.29.49.19/12
bind interfaces only = yes
printing = bsd
printcap name = /dev/null
logon drive = U:
logon script = logon.cmd
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
valid users = %S
[netlogon]
path = /var/lib/samba/sysvol/PLANETINNOVATION.COM.AU/scripts
writable = yes
[sysvol]
path = /var/lib/samba/sysvol
writable = yes
[...other shares...]
root@gumbo:~# grep -vE '^[[:space:]]*(#|$)' /etc/nsswitch.conf
passwd: files winbind
group: files winbind
hosts: files dns
[boring other bits]
I'm not sure why the pi group isn't appearing.
Can I increase nss_winbind.so's logging?
root@gumbo:~# ldapsearch -LLLUcyber '(&(cn=pi)(objectclass=posixgroup))'
SASL/NTLM authentication started
Please enter your password:
SASL username: cyber
SASL SSF: 0
dn: CN=pi,CN=Users,DC=pi,DC=planetinnovation,DC=com,DC=au
cn: pi
instanceType: 4
whenCreated: 20131008002306.0Z
uSNCreated: 3812
name: pi
objectGUID:: iuv8UXOqlEqVZaMPoXMzNQ==
objectSid:: AQUAAAAAAAUVAAAAq+hW2qxp0+SENVq93wsAAA==
sAMAccountName: pi
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=pi,DC=planetinnovation,
 DC=com,DC=au
gidNumber: 1019
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: pi
whenChanged: 20131008002625.0Z
member: CN=xyz,CN=Users,DC=pi,DC=planetinnovation,DC=com,DC=au
member: CN=xyz-pc,CN=Computers,DC=pi,DC=planetinnovation,DC=com,DC=au
[...lots more members...]
uSNChanged: 5153
distinguishedName: CN=pi,CN=Users,DC=pi,DC=planetinnovation,DC=com,DC=au
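
The check above, extended as an added example that is not part of the original post: it takes the "MISSING:" lines and an LDIF dump of the groups, and tags each name by whether its directory entry is a posixGroup with a gidNumber, which separates groups that carry RFC2307 attributes (as pi does) from those that do not. The function names and the DC=example,DC=com sample data are assumptions constructed for illustration.

```shell
# Print "cn<TAB>gidNumber" for each posixGroup entry in LDIF read from stdin.
# Unfolds LDIF continuation lines (leading space) before matching attributes.
ldif_posix_groups() {
    awk '
        function handle(l,   i, k, v) {
            i = index(l, ": "); if (i == 0) return
            k = tolower(substr(l, 1, i - 1)); v = substr(l, i + 2)
            if (k == "cn") cn = v
            else if (k == "gidnumber") gid = v
            else if (k == "objectclass" && tolower(v) == "posixgroup") posix = 1
        }
        function take() { if (line != "") handle(line); line = "" }
        function emit() {
            take()
            if (cn != "" && gid != "" && posix) printf "%s\t%s\n", cn, gid
            cn = ""; gid = ""; posix = 0
        }
        /^ / { line = line substr($0, 2); next }  # folded continuation line
        /^$/ { emit(); next }                     # blank line ends an entry
             { take(); line = $0 }
        END  { emit() }
    '
}

# Tag each "MISSING: name" line on stdin as HAS_GID or NO_GID, using LDIF text $1.
classify_missing() {
    map=$(printf '%s\n' "$1" | ldif_posix_groups)
    sed -n 's/^MISSING: //p' | while IFS= read -r name; do
        gid=$(printf '%s\n' "$map" | awk -F '\t' -v n="$name" '$1 == n { print $2 }')
        if [ -n "$gid" ]; then printf 'HAS_GID %s gid=%s\n' "$name" "$gid"
        else printf 'NO_GID %s\n' "$name"; fi
    done
}

# Constructed sample (hypothetical DC=example,DC=com), modelled on the pi record.
sample_ldif() {
    cat <<'EOF'
dn: CN=pi,CN=Users,DC=example,DC=com
cn: pi
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=exam
 ple,DC=com
gidNumber: 1019
objectClass: posixGroup

dn: CN=Domain Users,CN=Users,DC=example,DC=com
cn: Domain Users
objectClass: group
EOF
}
printf 'MISSING: Domain Users\nMISSING: pi\n' | classify_missing "$(sample_ldif)"
```

On a live system the LDIF argument would be the output of an ldapsearch over the group objects, and stdin would be the output of the getent loop shown earlier.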