[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"

[Rowland penny]

On 05/04/16 13:46, Jules Houantonon wrote:
> Dear all,
>
> thank you for your previous mails. It realy help me.
>
> Denis, Following your mail and thanks to  the link  i configure my 
> /etc/nsswitch.conf file  by adding windbind to user and group line and 
> execute winbindd command.
>
> As i install samba4 from sernet package, init script are created for 
> starting AD, smbd, nmbd and winbindd. But i read that smbd, nmd and 
> winbindd should be disable to start samba4 in AD mode. There were even 
> a Warning that were generated if windbindd service were kept started. 
> So I do not touch them, as they are disabled.

It has been sometime since I used a Sernet package, but I seem to 
remember that it came with an init script to start the 'samba' deamon 
and this will start any other required deamons, try looking in /etc/init.d

>
> But after making nsswitch.conf changes, I am able to execute chgrp 
> "domain admins" /home/demo succesfully and ls -l /home display the 
> permission with the suitable group.
>
> wbinfo -u also return the users created from AD as wbinfo -g also 
> display AD domaine groups.
>

All 'wbinfo' shows is that winbindd is running, you need to get 'getent 
passwd' to show users and 'getent group' to show groups. Any users & 
groups that getent does not show, are unknown to the underlying Unix OS.

> I supposethat things are OK now.
>
> But when i try the getent passwd
> I do not have domain user display. Only local users account appear.
>

You normally need to give any users that you need to be visible to Unix, 
a unique uidNumber attribute, but on a DC you should get an xidNumber in 
the 3000000 range.

Do you have users in /etc/passwd that are in AD ?
If so, choose where you want the user to exist and delete the other, 
they cannot be in both databases.

Rowland