[Samba] Samba4: "MYDOM\Administrator" quite useless on a member server?

Rowland Penny rowlandpenny@googlemail.com
Thu Oct 23 06:04:26 MDT 2014


On 23/10/14 12:22, ?icro MEGAS wrote:
> Hello list,
>
> My DC and member server are running Samba 4.1.12. The DC was provisioned with rfc2307 and NIS extensions. Through the ADUC tool and the [UNIX Attribute] tab I assigned a uid to the AD user "testuser1" and I also assigned a gid to the AD group "Domain Users". The member server was configured according to the official wiki on samba.org. Winbind was configured on the member server and /etc/nsswitch.conf was modified too, like this:
>
> passwd:         compat winbind
> group:          compat winbind
>
> My questions are:
>
> (1.) "wbinfo -p", "wbinfo -u" and "wbinfo -g" executed on the member server all return correct and expected results. From "wbinfo -u" and "wbinfo -g" I get all the available AD users and groups. From "getent passwd" I get only the AD users for which a uid exists as a UNIX attribute; in that case "testuser1" is displayed correctly. But when I run "getent group" I don't get the group "Domain Users", although this group also has a gid assigned. The strange thing is that "getent group 'Domain Users'" or "getent group 10000" works fine though:
>
> root@membersrv1:~$ getent group 'Domain Users'
> domain users:x:10000:
> root@membersrv1:~$ getent group 10000
> domain users:x:10000:
>
> Why does "getent group" *NOT* return the AD domain groups that certainly have a GID assigned as a UNIX attribute? I installed a new member server with samba 4.1.11/wheezy-backports and joined it to my DC. The same problem exists on that new member server. I don't get the AD groups displayed by the command "getent group", but with "getent group 'Domain Users'" or "getent group 10000" they are displayed correctly.
>
> What is that issue related to?
It is related to a known problem, if indeed it is a problem: you will 
have to give **every** group a gidNumber to get 'getent group' to work 
like 'getent passwd'. If I were you, I wouldn't worry about it; everything 
else seems to work.

>
> (2.) For my understanding, please can anyone explain this to me: every user or group I want to make usable on a member server *needs* to have a uid or gid assigned on the [UNIX Attribute] tab, correct? On the other hand, I was told *NEVER* ever to assign a UNIX attribute UID to the "MYDOM\Administrator" account on the [UNIX Attribute] tab in the ADUC tool. So how should that special user "MYDOM\Administrator" be made available to my member server? In my opinion he cannot be, and so winbind will never be able to use him.

Look, ignore whatever dev it was that told you not to use the smbmap; 
just use it, **everybody** who has any sense uses it.

Rowland

>
> Any help appreciated. Thanks to all.
>
> Mirco

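The enumeration gap Rowland describes (AD groups without a gidNumber are resolvable by name or number but absent from a plain "getent group" listing) can be checked from both sides. The following is an added example, not code from the thread or from Samba itself: one POSIX shell function lists the AD groups that carry no gidNumber from an LDIF dump taken on the DC, and a second reports the groups that "wbinfo -g" knows but "getent group" does not enumerate on the member server. The ldbsearch command, the sam.ldb path and all sample data (LDIF, wbinfo and getent output) are constructed assumptions standing in for real output.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba itself): two checks for the
# 'getent group' enumeration gap discussed above.  Only AD groups with a
# gidNumber show up in a plain 'getent group' listing, while 'getent group NAME'
# and 'wbinfo -g' still work for the rest.  All sample data is constructed.
LC_ALL=C
export LC_ALL

# 1) Run against the DC: list AD groups that have no gidNumber.
#    Input is LDIF as printed by, for example (assumed default provision path):
#      ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' sAMAccountName gidNumber
groups_without_gid() {
    awk '
        /^dn:/             { name = ""; gid = "" }
        /^sAMAccountName:/ { name = $0; sub(/^sAMAccountName: */, "", name) }
        /^gidNumber:/      { gid = $2 }
        /^$/               { if (name != "" && gid == "") print name; name = ""; gid = "" }
        END                { if (name != "" && gid == "") print name }
    ' "$1"
}

# 2) Run against the member server: groups that winbind knows ('wbinfo -g')
#    but that do not appear in the 'getent group' enumeration.
#    Both sides are normalised: a leading "DOMAIN\" is dropped (whether it
#    appears depends on 'winbind use default domain') and names are lower-cased,
#    because winbind prints them in lower case, as in the poster's output.
unenumerated_groups() {
    wb=$(mktemp) || return 1
    ge=$(mktemp) || { rm -f "$wb"; return 1; }
    sed 's/^.*\\//' "$1" | tr 'A-Z' 'a-z' | sort -u > "$wb"
    cut -d: -f1 "$2" | sed 's/^.*\\//' | tr 'A-Z' 'a-z' | sort -u > "$ge"
    comm -23 "$wb" "$ge"      # names present only in the wbinfo list
    rm -f "$wb" "$ge"
}

# Constructed sample input standing in for the real command output.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/groups.ldif" <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=mydom,DC=example
sAMAccountName: Domain Users
gidNumber: 10000

# record 2
dn: CN=Domain Admins,CN=Users,DC=mydom,DC=example
sAMAccountName: Domain Admins

# record 3
dn: CN=testgroup1,CN=Users,DC=mydom,DC=example
sAMAccountName: testgroup1
gidNumber: 10001

# record 4
dn: CN=Enterprise Admins,CN=Users,DC=mydom,DC=example
sAMAccountName: Enterprise Admins

# returned 4 records
EOF
    cat > "$d/wbinfo.txt" <<'EOF'
MYDOM\domain users
MYDOM\domain admins
MYDOM\testgroup1
MYDOM\enterprise admins
EOF
    cat > "$d/getent.txt" <<'EOF'
root:x:0:
sudo:x:27:mirco
domain users:x:10000:
testgroup1:x:10001:
EOF
    printf '%s\n' "$d"
}

samples=$(make_samples)
echo "AD groups without gidNumber (DC side):"
groups_without_gid "$samples/groups.ldif"
echo "Groups known to winbind but missing from 'getent group' (member side):"
unenumerated_groups "$samples/wbinfo.txt" "$samples/getent.txt"
rm -rf "$samples"
```

On a real member server the second check is `wbinfo -g > /tmp/wb.txt; getent group > /tmp/ge.txt; unenumerated_groups /tmp/wb.txt /tmp/ge.txt`; each name it reports should still resolve with `getent group NAME` once a gidNumber is set, exactly as the poster saw for "Domain Users". The two lists are expected to agree: a group reported by the member-side check but not by the DC-side check does have a gidNumber, so its absence from the enumeration needs an explanation other than the missing attribute.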