[Samba] No domaingroups with getent group

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 29 04:36:19 MDT 2014


On 29/10/14 10:27, Stefan Kania wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Rowland,
>
> On 29.10.14 at 11:03, Rowland Penny wrote:
>> On 29/10/14 09:31, Stefan Kania wrote: Hello,
>>
>> after I joined a new machine into my domain, "getent group" is
>> not showing any domaingroup.
>>> This is a known feature, if you want 'getent group' to work like
>>> 'getent passwd', you will need to give every group a gidNumber.
> On the domaincontrollers it is working. I checked in RSAT every Group
> has a GID in the "UNIX-Attribute" tag.
>
>> The domainusers are listed with "getent passwd" as expected. In
>> nsswitch.conf winbind is used with "passwd" and "group". Wbinfo -g
>> shows all groups. "net rpc testjoin" gives the right result. I can
>> get a Kerberos-Ticket with "kinit" for all users. I can use
>> Kerberos-authentication with "smbclient -L host -k" A "chgrp 'domain
>> admins' file" gives "chgrp: invalid group: ‘domain admins’"
>>> If I try to change the group ownership of a file on a client, I
>>> get this:
>>> chgrp 'domain admins' testfile.txt chgrp: changing group of
>>> ‘testfile.txt’: Operation not permitted
>>> But if I use sudo, it works
>>> sudo chgrp 'domain admins' testfile.txt
> I do it as "root" so I don't need sudo
>
>>> ls -la testfile.txt -rw-r--r-- 1 rowland domain_admins 0 Oct 29
>>> 09:47 testfile.txt
>>> Can you post the result of:
>>> getent group Domain\ Admins
> root@SVL-V-5:/var/lib/samba# getent group Domain\ Admins
> domain admins:x:100512:etec,bafu,kljo,rawe
>
> But "getent group" is not showing any domaingroup.
> In smb.conf I have "winbind enum group = yes" and "winbind enum users
> = Yes" set.
>
> Stefan
This is **NOT** a problem, as long as 'getent group <groupname>' works, 
then those groups that are shown this way are available to Unix, as I 
said, if you want **EVERY** group to be shown by 'getent group', you 
will need to add a gidNumber to every group.

What is more worrying is that you do not seem to be able to 'chgrp' a 
file, could you please post a (sanitized) copy of your smb.conf from the 
member server.

Rowland
>>> Rowland
>> But if I do a "chgrp 100512 file" groupownership is set to "domain
>> admins" AND shows the name of the group and NOT just the ID. It's a
>> Memberserver and not a DC.
>>
>> Any hint where I should look?
>>
>> Thanks
>>
>> Stefan
>>
>>
> - -- 
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
>
>
> Signing every e-mail helps to reduce spam. Sign your
> e-mail. Further information at http://www.gnupg.org
>
> My key is located at
>
> hkp://subkeys.pgp.net
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
>
> iEYEARECAAYFAlRQwQoACgkQ2JOGcNAHDTbYogCfbqrWD456yOIHTp92mUa3/vEn
> 7TYAoMVU4/kSzjVaAdwnegKacJnW1IRd
> =XE+s
> -----END PGP SIGNATURE-----
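
To see which domain groups fall into each case discussed in this thread (listed by a bare `getent group`, resolvable only by name, or not resolvable at all), the following is an added example, not code from the thread or from Samba. The function names, the file layout, and the `domain users`/`project x` sample entries are constructed for illustration; only the `domain admins` line is taken from the message above.

```shell
#!/bin/sh
# Added example: classify domain groups by how NSS sees them on a member server.
# On a live system the three input files would be produced with:
#   wbinfo -g     > wb.txt      # every domain group winbind knows
#   getent group  > enum.txt    # what NSS enumerates
#   while IFS= read -r g; do getent group "$g"; done < wb.txt > byname.txt
# Assumption: names are matched case-insensitively on the first field.

# classify_groups WBINFO_FILE ENUM_FILE BYNAME_FILE
# Prints one "status:gid:name" line per group in WBINFO_FILE, where status is
#   enumerated  - appears in the plain "getent group" listing
#   lookup-only - missing from the listing but "getent group NAME" resolves it
#   unresolved  - NSS cannot resolve it at all (chgrp by name will fail)
classify_groups() {
    awk -F: '
        FILENAME == ARGV[1] { enumd[tolower($1)] = $3; next }
        FILENAME == ARGV[2] { named[tolower($1)] = $3; next }
        $0 != "" {
            k = tolower($0)
            if (k in enumd)      print "enumerated:"  enumd[k] ":" $0
            else if (k in named) print "lookup-only:" named[k] ":" $0
            else                 print "unresolved:-:" $0
        }
    ' "$2" "$3" "$1"
}

# Offline run on constructed sample data.
demo_constructed() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'domain admins' 'domain users' 'project x' > "$d/wb.txt"
    printf '%s\n' 'root:x:0:' 'domain users:x:100513:' > "$d/enum.txt"
    printf '%s\n' 'domain admins:x:100512:etec,bafu,kljo,rawe' \
                  'domain users:x:100513:' > "$d/byname.txt"
    classify_groups "$d/wb.txt" "$d/enum.txt" "$d/byname.txt"
    rm -rf "$d"
}

demo_constructed
```

A group reported as `unresolved` is the one to investigate first, since file ownership and permission checks cannot reference it by name.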
