[Samba] No domaingroups with getent group (solved)

Stefan Kania stefan at kania-online.de
Wed Oct 29 05:29:28 MDT 2014


Hello,

here is my smb.conf
-------
        workgroup = aaa
        realm = aaa.bbb
        security = ADS
        wins server = 192.168.111.230
        registry shares = Yes
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config * : = backend = tdb
        idmap config ntd : backend = rid
        idmap config ntd : range = 100000-199999
        idmap config * : range = 1000000-1999999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr
-------

Now what I did:
Stopped winbind. Removed winbindd_cache.tdb and winbindd_idmap.tdb.
Then I did a reboot to really restart everything.
Now it's working like it should. I can change permissions, I can set
privileges.
Thanks for your help

Stefan


On 29.10.14 at 11:36, Rowland Penny wrote:
> On 29/10/14 10:27, Stefan Kania wrote:
> Hi Rowland,
> 
> On 29.10.14 at 11:03, Rowland Penny wrote:
>>>> On 29/10/14 09:31, Stefan Kania wrote: Hello,
>>>> 
>>>> after I joined a new machine into my domain, "getent group"
>>>> is not showing any domaingroup.
>>>>> This is a known feature, if you want 'getent group' to work
>>>>> like 'getent passwd', you will need to give every group a
>>>>> gidNumber.
> On the domaincontrollers it is working. I checked in RSAT, every
> Group has a GID in the "UNIX-Attribute" tag.
> 
>>>> The domainusers are listed with "getent passwd" as expected.
>>>> In nsswitch.conf winbind is used with "passwd" and "group".
>>>> Wbinfo -g shows all groups. "net rpc testjoin" gives the
>>>> right result. I can get a Kerberos-Ticket with "kinit" for
>>>> all users. I can use Kerberos-authentication with "smbclient
>>>> -L host -k". A "chgrp 'domain admins' file" gives "chgrp:
>>>> invalid group: ‘domain admins’"
>>>>> If I try to change the group ownership of a file on a
>>>>> client, I get this: chgrp 'domain admins' testfile.txt
>>>>> chgrp: changing group of ‘testfile.txt’: Operation not
>>>>> permitted But if I use sudo, it works sudo chgrp 'domain
>>>>> admins' testfile.txt
> I do it as "root" so I don't need sudo
> 
>>>>> ls -la testfile.txt -rw-r--r-- 1 rowland domain_admins 0
>>>>> Oct 29 09:47 testfile.txt Can you post the result of: 
>>>>> getent group Domain\ Admins
> root@SVL-V-5:/var/lib/samba# getent group Domain\ Admins
> domain admins:x:100512:etec,bafu,kljo,rawe
> 
> But "getent group" is not showing any domaingroup. In smb.conf I
> have "winbind enum group = yes" and "winbind enum users = Yes"
> set.
> 
> Stefan
>> This is **NOT** a problem, as long as 'getent group <groupname>'
>> works, then those groups that are shown this way are available to
>> Unix, as I said, if you want **EVERY** group to be shown by
>> 'getent group', you will need to add a gidNumber to every group.
> 
>> What is more worrying is that you do not seem to be able to
>> 'chgrp' a file, could you please post a (sanitized) copy of your
>> smb.conf from the member server.
> 
>> Rowland
>>>>> Rowland
>>>> But if I do a "chgrp 100512 file" groupownership is set to
>>>> "domain admins" AND shows the name of the group and NOT just
>>>> the ID. It's a Memberserver and not a DC.
>>>> 
>>>> Any hint where I should look?
>>>> 
>>>> Thanks
>>>> 
>>>> Stefan
>>>> 
>>>> 
> -- Stefan Kania Landweg 13 25693 St. Michaelisdonn
> 
> 
> Signing every e-mail helps to reduce spam. Sign your
> e-mail. More information at http://www.gnupg.org
> 
> My key is available at
> 
> hkp://subkeys.pgp.net
> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps to reduce spam. Sign your
e-mail. More information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net


