[Samba] winbindd 4.1.7 resolves group memberships for all but primary group

Sven Schwedas sven.schwedas at tao.at
Tue Jun 3 07:52:35 MDT 2014

On 2014-06-03 15:39, steve wrote:
> On Tue, 2014-06-03 at 15:11 +0200, Sven Schwedas wrote:
>> I don't know where exactly the problem was, even with debug 5 I was only
>> able to see that idmap failed… somewhere (STATUS_SOME_UNMAPPED).
>> "Solved" by adding gids/uids to every single AD group and user.
> Hi
> Glad it's solved but the solution confuses us. Are you saying that (the
> command) groups does not return group membership without the posix
> memberUid? I ask, since you are already a member of Domain Users by
> primaryGroupID.

getent group only returned local groups (but stalled for 1-2 seconds
while trying to resolve AD ones).

getent group <name> returned data for all groups with SFU attributes set.

Adding SFU attributes to the remaining groups/users via ADUC made getent
group return all groups, and let ACLs work.

getent group domainusers still doesn't show any members, but apparently
that's not necessary. I guess one of the superordinate groups was the
culprit of the idmap failures.

> We do not use memberUid, but the member and primaryGroupID attributes
> are mapped correctly:
> getent passwd steve2
> steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash
> groups steve2
> steve2 : Domain Users staff2
> getent group Domain\ Users
> Domain Users:*:20513:
> Not sure if memberUid is necessary.
> But this is with winbind running with sssd. Maybe winbind alone needs
> it?
> Would like to know the official answer on memberUid.
> Cheers,
> Steve
>> On 2014-05-28 12:12, Sven Schwedas wrote:
>>> We're using a bunch of AD groups – all users/groups are created and
>>> managed with ADUC. Domain Users is the primary group for all users, plus
>>> a few for our departments (and Domain Admins). All groups have their
>>> posixGroup attributes filled out.
>>> wbinfo --group-info and getent group show the correct membership for all
>>> groups except Domain Users.
>>> smb.conf: http://pastebin.com/ymrXZJ5u
>>> Already tried with winbind nss info = sfu, no improvement.
>>> LDAP excerpt (members pruned) for Domain Users:
>>> http://pastebin.com/3ysX0S7C
>>> LDAP excerpt for Domain Admins:
>>> http://pastebin.com/vYTu70dV
>>> The only difference I can see is the member field. ADUC apparently
>>> doesn't explicitly set it for the primary group (and doesn't allow me to
>>> set it manually), it only sets memberUid and msSFU30PosixMember (which
>>> are both ignored by winbindd). Is there some way I can make winbindd use
>>> the correct field, or is there a configuration problem somewhere else?

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20140603/07e818b3/attachment.pgp>

More information about the samba mailing list