[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)

Trent W. Buck trentbuck at gmail.com
Tue Oct 29 18:37:45 MDT 2013

steve <steve at steve-ss.com> writes:

> On Tue, 2013-10-29 at 15:44 +1100, Trent W. Buck wrote:
>>     # Automatically added during provisioning;
>>     # I don't know what it does.
>>     idmap_ldb:use rfc2307 = yes
> It tells nss to look in ad for uidNumber and gidNumber.

Ah, thanks.

>> The main reason I want this, is so I can confirm that what libc sees on
>> the new samba4 host matches what libc sees on the old samba3 host.
>> Apart from anything else, new users & groups have been created since I
>> did a "domain classicupgrade", and I intend to just use samba-tool to
>> manually add them to the new host.
> Your classicupgrade users will have the necessary attributes. You will
> need to add them yourself for new users. Is it possible to upgrade to
> 4.1? There, samba-tool can be used to add rfc2307 upon creating a new
> user.

I have things mostly working with 4.0.9 so I'd rather not bother.

Also this network doesn't have any unix clients other than the samba4
server itself, so skipping RFC2307 entirely seems like a good idea.

>> When I do "getent group", I want to see the group's members enumerated.
>> With nss_ldap they are; with nss_winbind they aren't: [...]
>> Plan B is to use "samba-tool group listmembers" &c to check what's on
>> the new host, but I've had some troubles with nss_winbind not showing
>> some users and groups that samba-tool can see, so I'm leery of that.
> Do I understand that this is all on a 4.0.9 DC? If so, the easiest way
> to get getent group to list group members is to use nslcd or sssd. I
> don't think winbind does it.

It's not a big deal -- I only want member enumeration for debugging
purposes.  I can achieve the same effect with "samba-tool group
listmembers" and with id(1).
