[Samba] Samba4: "MYDOM\Administrator" quite useless on a member server?

Mirco MEGAS micromegas at mail333.com
Thu Oct 23 05:22:44 MDT 2014


Hello list,

my DC and member server are running Samba 4.1.12. The DC was provisioned with rfc2307 and NIS extensions. Through the ADUC tool and the [UNIX Attribute] tab I assigned a uid to the AD user "testuser1" and I also assigned a gid to the AD group "Domain Users". The member server was configured according to the official wiki of samba.org. Winbind was configured on the member server and /etc/nsswitch.conf was modified too, like this:

passwd:         compat winbind
group:          compat winbind

My questions are:

(1.) "wbinfo -p", "wbinfo -u" and "wbinfo -g" executed on the member server all return correct and expected results. From "wbinfo -u" and "wbinfo -g" I get all the available AD users and groups. From "getent passwd" I get only the AD users for which a uid exists on the UNIX attribute; in that case "testuser1" is displayed correctly. But when I run "getent group" I don't get the group "Domain Users", although this group also has a gid assigned. The strange thing is that "getent group 'Domain Users'" or "getent group 10000" works fine though:

[root at membersrv1:~$ getent group 'Domain Users'
domain users:x:10000:
[root at membersrv1:~$ getent group 10000
domain users:x:10000:

Why does "getent group" *NOT* return the AD domain groups that certainly have a GID assigned as UNIX attribute? I installed a new member server with samba 4.1.11/wheezy-backports and joined it to my DC. The same problem exists on that new member server. I don't get the AD groups displayed by the command "getent group", but with " getent group 'Domain Users' " or " getent group 10000 " they are displayed correctly.

What is that issue related to?

(2.) For my understanding, could anyone please explain this to me. Every user or group I want to make usable on a member server *needs* to have a uid or gid assigned on the [UNIX attribute] tab, correct? On the other hand, I was told *NEVER* ever to assign a UNIX attribute UID to the "MYDOM\Administrator" account on the [UNIX attribute] tab in the ADUC tool. So how should that special user "MYDOM\Administrator" be available for my member server? In my opinion he cannot, and so winbind will never be able to use him.

Any help appreciated. Thanks to all.

Mirco
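A diagnostic added here for readers of this thread (it is not from the poster and not Samba's own code): it reads an smb.conf and reports the effective "winbind enum users" / "winbind enum groups" values (Samba defaults both to "no", and with "no" getent enumerates no domain entries while direct lookups by name or id still work), then lists names from a "wbinfo -g" style file that are absent from a "getent group" style dump. The smb.conf, wbinfo and getent contents are constructed samples, and the script assumes the standard "key = value" smb.conf layout.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post or from Samba.
# Inputs below are constructed samples.

# Effective boolean value of a [global] parameter; last occurrence wins.
# Samba's default for "winbind enum users" and "winbind enum groups" is "no".
winbind_enum_setting() {
    conf="$1"; key="$2"
    val=$(awk -F= -v k="$key" '
        { l = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", l) }
        l == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = tolower(v) }
        END { print last }' "$conf")
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;   # unset or anything else: Samba default is no
    esac
}

# Names from a wbinfo -g list (domain prefix stripped, lower-cased as
# winbind prints them, e.g. "domain users") missing from a getent group dump.
groups_missing_from_getent() {
    wbinfo_list="$1"; getent_dump="$2"
    sed 's/^[^\\]*\\//' "$wbinfo_list" | tr 'A-Z' 'a-z' |
    while IFS= read -r name; do
        cut -d: -f1 "$getent_dump" | grep -qFx -- "$name" || echo "$name"
    done
}

# Constructed sample inputs: enum users switched on, enum groups left at default.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/smb.conf" <<'EOF'
[global]
   workgroup = MYDOM
   security = ADS
   Winbind Enum Users = yes
EOF
printf 'MYDOM\\Domain Users\nMYDOM\\Domain Admins\n' > "$SAMPLE/wbinfo_g.txt"
printf 'root:x:0:\ndomain admins:x:10001:\n' > "$SAMPLE/getent_group.txt"

echo "winbind enum users:  $(winbind_enum_setting "$SAMPLE/smb.conf" 'winbind enum users')"
echo "winbind enum groups: $(winbind_enum_setting "$SAMPLE/smb.conf" 'winbind enum groups')"
echo "in wbinfo -g but not in getent group:"
groups_missing_from_getent "$SAMPLE/wbinfo_g.txt" "$SAMPLE/getent_group.txt"
```

On a real member server, replace the sample files with /etc/samba/smb.conf and the captured output of "wbinfo -g" and "getent group".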
