[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 29 04:32:11 MDT 2013

On 29/10/13 04:44, Trent W. Buck wrote:
> When I do "getent group", I want to see the group's members enumerated.
> With nss_ldap they are; with nss_winbind they aren't:
>      root at gumbo:~# getent group mgmt
>      PI\mgmt:*:1040:
> There *are* members there (partially redacted):
>      root at gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
>      # record 1
>      dn: CN=mgmt,CN=Users,REDACTED
>      member: CN=alice,CN=Users,REDACTED
>      member: CN=bob,CN=Users,REDACTED
>      member: CN=clara,CN=Users,REDACTED
>      [...]
> Those members are users, not groups, by the way.
> I had a look at the manpages, and so far these guesses aren't helping.
> I also tried increasing the "winbind expand groups = 4".
>      winbind enum groups     = yes
>      winbind enum users      = yes
>      winbind expand groups   = 1
>      # Automatically added during provisioning;
>      # I don't know what it does.
>      idmap_ldb:use rfc2307 = yes
> The main reason I want this is so I can confirm that what libc sees on
> the new samba4 host matches what libc sees on the old samba3 host.
> Apart from anything else, new users & groups have been created since I
> did a "domain classicupgrade", and I intend to just use samba-tool to
> manually add them to the new host.
> Plan B is to use "samba-tool group listmembers" &c to check what's on
> the new host, but I've had some troubles with nss_winbind not showing
> some users and groups that samba-tool can see, so I'm leery of that.
I think that you have fallen into the 'S4 winbind != S3 winbind' trap. It 
would seem that S4 winbind only knows about usernames, groupnames and 
xidNumbers (uidNumbers & gidNumbers if present); the users' home directory 
& login shell are hardcoded, but the shell can be overridden.

If I run 'getent group' on my S4 server, I get:

HOME\Enterprise Read-Only Domain Controllers:*:3000019:
HOME\Domain Admins:*:27:
HOME\Domain Users:*:100:
HOME\Domain Guests:*:65534:
HOME\Domain Computers:*:3000018:
HOME\Domain Controllers:*:3000020:
HOME\Schema Admins:*:3000007:
HOME\Enterprise Admins:*:3000006:
HOME\Group Policy Creator Owners:*:3000004:
HOME\Read-Only Domain Controllers:*:3000021:

And if I run your (slightly modified) command line:
samba-tool group list | while read x; do getent group HOME\\"$x" >/dev/null || echo MISSING: $x; done

MISSING: Allowed RODC Password Replication Group
MISSING: Denied RODC Password Replication Group
MISSING: Pre-Windows 2000 Compatible Access
MISSING: Windows Authorization Access Group
MISSING: Certificate Service DCOM Access
MISSING: Network Configuration Operators
MISSING: Terminal Server License Servers
MISSING: Incoming Forest Trust Builders
MISSING: Performance Monitor Users
MISSING: Cryptographic Operators
MISSING: Distributed COM Users
MISSING: Performance Log Users
MISSING: Remote Desktop Users
MISSING: Account Operators
MISSING: Event Log Readers
MISSING: RAS and IAS Servers
MISSING: Backup Operators
MISSING: Server Operators
MISSING: Print Operators
MISSING: Administrators
MISSING: Cert Publishers
MISSING: Replicator
MISSING: DnsAdmins

You will notice that the top list is missing from the bottom list.

So, as Steve has said, if you want to get the job done, do not use 
winbind, use anything else, but preferably sssd.

If you must use nss_ldapd, just remember that you are now pointing it at an 
Active Directory, not OpenLDAP, and the connection lines are different.
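As an added example (not code from the thread or from Samba), here is an offline version of the two checks discussed above: diffing the members AD holds for a group against what `getent group` reports, and listing the groups from `samba-tool group list` that NSS cannot resolve. The helper names and the sample `getent`/`ldbsearch` output are constructed for this example; the DN suffix is a placeholder.

```python
"""Offline check of what libc/NSS reports for an AD group versus what the
directory holds. Constructed sample output stands in for `getent group`
and `ldbsearch ... member`; the helper names are this example's own."""


def parse_getent_group(line):
    """Parse one `getent group` line: 'DOM\\name:*:gid:m1,m2'.
    Member names are returned without their 'DOM\\' prefix."""
    name, _pw, gid, members = line.rstrip("\n").split(":", 3)
    domain, _, short = name.rpartition("\\")
    return {
        "domain": domain,
        "name": short,
        "gid": int(gid),
        # S4 winbind leaves this field empty even when AD has members
        "members": {m.rpartition("\\")[2] for m in members.split(",") if m},
    }


def parse_ldb_members(text):
    """Collect the CN of every 'member:' value in ldbsearch output.
    Caveat: the CN is not always the sAMAccountName that NSS reports."""
    members = set()
    for line in text.splitlines():
        if line.startswith("member: "):
            first_rdn = line[len("member: "):].split(",", 1)[0]
            members.add(first_rdn.partition("=")[2])
    return members


def compare_members(getent_line, ldb_text):
    """Members seen only by AD, or only by NSS, for one group."""
    nss = parse_getent_group(getent_line)["members"]
    ad = parse_ldb_members(ldb_text)
    return {"only_in_ad": ad - nss, "only_in_nss": nss - ad}


def missing_groups(ad_group_names, getent_lines):
    """Groups from `samba-tool group list` that NSS cannot resolve; the
    same check as the shell loop above, run against captured output."""
    seen = {parse_getent_group(l)["name"] for l in getent_lines}
    return [g for g in ad_group_names if g not in seen]


# Constructed samples modelled on the output quoted in the thread.
SAMPLE_GETENT = "PI\\mgmt:*:1040:"
SAMPLE_LDB = """# record 1
dn: CN=mgmt,CN=Users,DC=example,DC=com
member: CN=alice,CN=Users,DC=example,DC=com
member: CN=bob,CN=Users,DC=example,DC=com
member: CN=clara,CN=Users,DC=example,DC=com
"""

if __name__ == "__main__":
    print(compare_members(SAMPLE_GETENT, SAMPLE_LDB))
    print(missing_groups(["Domain Admins", "mgmt", "DnsAdmins"],
                         ["HOME\\Domain Admins:*:27:", SAMPLE_GETENT]))
```

On a real host, feed it the output of `getent group <group>`, `ldbsearch ... member` and `samba-tool group list` instead of the constructed samples.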