[Samba] [samba] getent group [groupname] do not show users

mathias dufresne infractory at gmail.com
Wed Oct 5 15:28:22 UTC 2016


"winbind expand groups" was what I missed.
By default this option is set to 0, which means no users are displayed in groups
(using getent).

Setting that option to 1 means "display users in groups but no recursion"
Then 2 means 1 level of recursion in case of nested groups.

That option seems quite dangerous for performance when a lot of groups
exist, some are nested in others and you accept enumeration of groups
(using "getent groups" without specifying any group name).

2016-10-05 13:36 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hum, that's strange:
>
> smbfs20:~# getent group Domain\ Users
> domain users:x:3100035:
>
> So no users displayed. smbfsXY are my test file servers, so members only.
>
> Regarding usage of samba-tool on members, for now it is not possible as the
> package containing that tool is not installed on members. For now this
> stands as a choice: samba-tool is very powerful and I'm not too fond of
> deploying it on machines which are not DCs, where almost anyone can connect.
>
> I expect a development choice for performance reasons to be the reason
> "getent group [grpname]" does not show the group's content. An option to
> activate or deactivate that behavior would be great!
>
> Cheers
>
> 2016-10-05 12:22 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
>> On Wed, 5 Oct 2016 12:04:53 +0200
>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>>
>> > I just tested on some DCs also running 4.4.5 and "getent group
>> > my_group" does not show the group's content.
>> >
>> > I read here
>> > http://serverfault.com/questions/625416/samba-4-group-members-not-shown-in-getent-group
>> > a proposal to use samba-tool as a replacement but samba-tool is not
>> > available on member servers, which makes that workaround not usable in
>> > most cases...
>> >
>> > 2016-10-05 11:40 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>> >
>> > > Hi all,
>> > >
>> > > With Samba 4.4.5, on member servers (I have not tried yet on DCs),
>> > > using "getent group" with or without specifying a group name, groups
>> > > are shown but they are shown as empty groups; no user name is
>> > > displayed.
>> > >
>> > > Is there a way to make them displayed?
>> > >
>> > > Cheers,
>> > >
>> > > Mathias
>> > >
>>
>> It has never worked on a DC, but I use 4.4.4 on a domain member and if I
>> run 'getent group Domain\ Users', I get all my users.
>>
>> You can use samba-tool on a domain member, you just need to point it at
>> a DC:
>>
>> samba-tool group listmembers Domain\ Users -H ldap://dc1 -UAdministrator
>>
>> Rowland
>>
>
>
>
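
As an added example (not written by anyone in this thread and not Samba project code), the script below reads a smb.conf-style file and reports the effective "winbind expand groups" depth, warning when it is combined with group enumeration. It assumes the smb.conf option "winbind enum groups" is what controls the enumeration mentioned in the post; the function names are hypothetical.

```shell
# Added example. Assumptions: only [global] is read, "include" lines are not
# followed, and the default of 0 is the one stated in the post above.

# Print the last value of parameter $2 in [global] of file $1. Names are
# compared case-insensitively with whitespace ignored.
global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t\r]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = norm($0); in_global = (s == "[global]"); next }
        in_global && (i = index($0, "=")) {
            if (norm(substr($0, 1, i - 1)) == norm(want)) {
                val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            }
        }
        END { print val }
    ' "$1"
}

# Describe what getent will show and flag the costly combination.
# Returns 0 = fine, 1 = warning, 2 = value is not a number.
audit_expand_groups() {
    depth=$(global_param "$1" "winbind expand groups")
    enum=$(global_param "$1" "winbind enum groups" | tr 'A-Z' 'a-z')
    depth=${depth:-0}
    case "$depth" in
        *[!0-9]*) echo "invalid: winbind expand groups = $depth"; return 2 ;;
    esac
    if [ "$depth" -eq 0 ]; then
        echo "ok: depth 0, getent lists groups without members"
        return 0
    fi
    case "$enum" in
        yes|true|on|1)
            echo "warn: depth $depth with group enumeration enabled"; return 1 ;;
    esac
    echo "ok: depth $depth, group enumeration off"
}

# Constructed sample configuration, not taken from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    Winbind Expand Groups = 2
    winbind enum groups = yes
EOF
audit_expand_groups "$sample" || true
rm -f "$sample"
```

On a live host, `testparm -s --parameter-name="winbind expand groups"` prints the value Samba actually loaded, including anything pulled in through include files.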

