[Samba] No domaingroups with getent group (solved)

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 29 05:37:20 MDT 2014


On 29/10/14 11:29, Stefan Kania wrote:
> Hello,
>
> here is my smb.conf
> -------
>          workgroup = aaa
>          realm = aaa.bbb
>          security = ADS
>          wins server = 192.168.111.230
>          registry shares = Yes
>          template shell = /bin/bash
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          idmap config * : = backend = tdb
>          idmap config ntd : backend = rid
>          idmap config ntd : range = 100000-199999
>          idmap config * : range = 1000000-1999999
>          idmap config * : backend = tdb
>          map acl inherit = Yes
>          store dos attributes = Yes
>          vfs objects = acl_xattr
> -------

I would suggest that you remove this line:

idmap config * : = backend = tdb

You are using the correct format lower down ;-)

Rowland


> Now what I did:
> Stopped winbind. Removed winbindd_cache.tdb and winbindd_idmap.tdb.
> Then I did a reboot to really restart everything.
> Now it's working like it should. I can change permissions, I can set
> privileges.
> Thanks for your help
>
> Stefan
>
>
> On 29.10.14 at 11:36, Rowland Penny wrote:
>> On 29/10/14 10:27, Stefan Kania wrote: Hi Rowland,
>>
>> On 29.10.14 at 11:03, Rowland Penny wrote:
>>>>> On 29/10/14 09:31, Stefan Kania wrote: Hello,
>>>>>
>>>>> after I joined a new machine into my domain, "getent group"
>>>>> is not showing any domaingroup.
>>>>>> This is a known feature, if you want 'getent group' to work
>>>>>> like 'getent passwd', you will need to give every group a
>>>>>> gidNumber.
>> On the domaincontrollers it is working. I checked in RSAT every
>> Group has a GID in the "UNIX-Attribute" tag.
>>
>>>>> The domainusers are listed with "getent passwd" as expected.
>>>>> In nsswitch.conf winbind is used with "passwd" and "group".
>>>>> Wbinfo -g shows all groups. "net rpc testjoin" gives the
>>>>> right result. I can get a Kerberos-Ticket with "kinit" for
>>>>> all users. I can use Kerberos authentication with "smbclient
>>>>> -L host -k" A "chgrp 'domain admins' file" gives "chgrp:
>>>>> invalid group: ‘domain admins’"
>>>>>> If I try to change the group ownership of a file on a
>>>>>> client, I get this: chgrp 'domain admins' testfile.txt
>>>>>> chgrp: changing group of ‘testfile.txt’: Operation not
>>>>>> permitted But if I use sudo, it works sudo chgrp 'domain
>>>>>> admins' testfile.txt
>> I do it as "root" so I don't need sudo
>>
>>>>>> ls -la testfile.txt -rw-r--r-- 1 rowland domain_admins 0
>>>>>> Oct 29 09:47 testfile.txt Can you post the result of:
>>>>>> getent group Domain\ Admins
>> root@SVL-V-5:/var/lib/samba# getent group Domain\ Admins
>> domain admins:x:100512:etec,bafu,kljo,rawe
>>
>> But "getent group" is not showing any domaingroup. In smb.conf I
>> have "winbind enum group = yes" and "winbind enum users = Yes"
>> set.
>>
>> Stefan
>>> This is **NOT** a problem, as long as 'getent group <groupname>'
>>> works, then those groups that are shown this way are available to
>>> Unix, as I said, if you want **EVERY** group to be shown by
>>> 'getent group', you will need to add a gidNumber to every group.
>>> What is more worrying is that you do not seem to be able to
>>> 'chgrp' a file, could you please post a (sanitized) copy of your
>>> smb.conf from the member server.
>>> Rowland
>>>>>> Rowland
>>>>> But if I do a "chgrp 100512 file" groupownership is set to
>>>>> "domain admins" AND shows the name of the group and NOT just
>>>>> the ID. It's a Memberserver and not a DC.
>>>>>
>>>>> Any hint where I should look?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Stefan
>>>>>
>>>>>
>> -- Stefan Kania Landweg 13 25693 St. Michaelisdonn
>>
>>
>> Signing every e-mail helps to reduce spam. Sign your
>> e-mail. More information at http://www.gnupg.org
>>
>> My key is located at
>>
>> hkp://subkeys.pgp.net
>>
>>
> --
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
>
>
> Signing every e-mail helps to reduce spam. Sign your
> e-mail. More information at http://www.gnupg.org
>
> My key is located at
>
> hkp://subkeys.pgp.net
>
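
The malformed `idmap config * : = backend = tdb` line discussed in this thread can be caught mechanically. The following is an added example, not part of the original messages and not Samba code: a small linter (the name `lint_idmap` is hypothetical) that flags `idmap config` lines not matching `idmap config DOMAIN : OPTION = VALUE` and, going one step beyond the thread, ID ranges that overlap between domains, since an overlap lets two domains resolve to the same uid/gid. The sample input is constructed from the smb.conf quoted above.

```python
import re

# Constructed sample: idmap-related lines from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
    workgroup = aaa
    idmap config * : = backend = tdb
    idmap config ntd : backend = rid
    idmap config ntd : range = 100000-199999
    idmap config * : range = 1000000-1999999
    idmap config * : backend = tdb
"""

# Expected shape: "idmap config DOMAIN : OPTION = VALUE"; OPTION starts with a letter.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(\S+)\s*:\s*([A-Za-z][A-Za-z_ ]*?)\s*=\s*(.+)$", re.I)


def lint_idmap(text):
    """Return (findings, ranges) for the idmap config lines in smb.conf text."""
    findings, ranges = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue
        m = IDMAP_RE.match(line)
        if not m:
            findings.append((no, "malformed", line))
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3).strip()
        if option == "range":
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if not r or int(r.group(1)) > int(r.group(2)):
                findings.append((no, "bad range", line))
            else:
                ranges[domain] = (int(r.group(1)), int(r.group(2)))
    # Overlapping ranges would map IDs from two domains onto the same uid/gid.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append((0, "overlap", f"{a} / {b}"))
    return findings, ranges


if __name__ == "__main__":
    for finding in lint_idmap(SAMPLE)[0]:
        print(finding)
```

Each finding is a `(line number, kind, text)` tuple; overlap findings use line number 0 because they concern a pair of domains rather than a single line.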
