[Samba] Samba as AD member can not validate domain user
Rowland Penny
rowlandpenny at googlemail.com
Mon Apr 13 07:30:29 MDT 2015
On 13/04/15 13:40, jd at ionica.lv wrote:
>
> Citēju Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> I found one additional problem - when I request Domain Users group
>>> information, no users are listed
>>>
>>> gentent group "INTERNAL\\Domain Users" returns plain
>>> domain_users:x:10000:
>>> the same goes on DC.
>>>
>>> Do I need to create alternative Domain Users group?
>>>
>>>
>> No, "INTERNAL\\Domain Users" is the same group as 'domain_users', you
>> probably have 'winbind normalize names = Yes' in smb.conf
>
> it is strange, because
> gentent group "INTERNAL\\Domain Admins"
> returns what is expected - gid and list of persons in the group
>
> Janis
>
No, not strange, just the way you have formatted the getent command,
this is what I get on my laptop with different formatting:
rowland at ThinkPad ~ $ getent group "EXAMPLE\\Domain Admins"
domain_admins:x:10002:s4admin,administrator
rowland at ThinkPad ~ $ getent group EXAMPLE\\Domain\ Admins
domain_admins:x:10002:s4admin,administrator
rowland at ThinkPad ~ $ getent group EXAMPLE\\domain_admins
domain_admins:x:10002:s4admin,administrator
rowland at ThinkPad ~ $ getent group domain_admins
domain_admins:x:10002:s4admin,administrator
The same commands on a DC:
root at dc01:~# getent group "EXAMPLE\\Domain Admins"
EXAMPLE\Domain Admins:*:10002:
root at dc01:~# getent group EXAMPLE\\Domain\ Admins
EXAMPLE\Domain Admins:*:10002:
root at dc01:~# getent group EXAMPLE\\domain_admins
root at dc01:~# getent group domain_admins
As you can see, it differs between the two machine, you cannot seem to
'normalise' the group names on a Samba AD DC.
Rowland
More information about the samba
mailing list