[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)

steve steve at steve-ss.com
Tue Oct 29 03:44:24 MDT 2013 

On Tue, 2013-10-29 at 15:44 +1100, Trent W. Buck wrote:
> When I do "getent group", I want to see the group's members enumerated.
> With nss_ldap they are; with nss_winbind they aren't:
> 
>     root at gumbo:~# getent group mgmt
>     PI\mgmt:*:1040:
> 
> There *are* members there (partially redacted):
> 
>     root at gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
>     # record 1
>     dn: CN=mgmt,CN=Users,REDACTED
>     member: CN=alice,CN=Users,REDACTED
>     member: CN=bob,CN=Users,REDACTED
>     member: CN=clara,CN=Users,REDACTED
>     [...]
> 
> Those members are users, not groups, by the way.
> 
> I had a look at the manpages, and so far these guesses aren't helping.
> I also tried increasing the "winbind expand groups = 4".
> 
>     winbind enum groups     = yes
>     winbind enum users      = yes
>     winbind expand groups   = 1
> 
>     # Automatically added during provisioning;
>     # I don't know what it does.
>     idmap_ldb:use rfc2307 = yes

It tells nss to look in ad for uidNumber and gidNumber.
> 
> The main reason I want this, is so I can confirm that what libc sees on
> the new samba4 host matches what libc sees on the old samba3 host.
> Apart from anything else, new users & groups have been created since I
> did a "domain classicupgrade", and I intend to just use samba-tool to
> manually add them to the new host.
Your classicupgrade users will have the necessary attributes. You will
need to add them yourself for new users. Is it possible to upgrade to
4.1? There, samba-tool can be used to add rfc2307 upon creating a new
user.
> 
> Plan B is to use "samba-tool group listmembers" &c to check what's on
> the new host, but I've had some troubles with nss_winbind not showing
> some users and groups that samba-tool can see, so I'm leery of that.
> 
Do I understand that this is all on a 4.0.9 DC? If so, the easiest way
to get getent group to list group members is to use nslcd or sssd. I
don't think winbind does it.
HTH
Steve

More information about the samba mailing list