[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Goto, Ryoichi rgoto at oec.co.jp
Wed Feb 19 02:16:31 UTC 2020


When using AD authentication from a rhel8.1 environment with samba-4.10.4 installed, information on the primary group group01 set on
the AD side for any user user01 cannot be obtained.
[root@rhel8_1 ~]# id user01
uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain users),2001107(oec0814e),2001103(group01)
If you perform the same operation on the same AD from the samba-3.6.23 rhel6.6 environment, you will get the correct information, as
follows:
[root@rhel6_6 ~]# id user01
uid=2001107(user01) gid=2001103(group01) groups=2000513(domain users),2001107(oec0814e)

Regarding this, I received the following information from the support contact for the OS: "It seems that there was a problem with
samba-4.9.1-8.el8 (RHEL8.0), but it has been resolved with samba-4.10.0-1.el8."
"However, it is necessary to log in once with the relevant user using 'wbinfo -a'." After actually executing "whois -a arbitrary
user%that user's password", the primary group information set in AD could be obtained on the implementation Linux side.
[root@rhel8_1 ~]# id user01
uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain users),2001107(oec0814e),2001103(group01)
[root@rhel8_1 ~]# wbinfo -i user01
user01:*:2001107:2000513::/home/Domain Users/user01:/bin/bash
[root@rhel8_1 ~]# wbinfo -a user01%passwd.12
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@rhel8_1 ~]# wbinfo -i user01
[root@rhel8_1 ~]# id user01
uid=2001107(user01) gid=2001103(group01) groups=2001103(group01),2001107(user01),2000513(domain users)
[root@rhel8_1 ~]#

However, this is not a solution in my case, because there are already hundreds of users registered on the AD server so far, most
of them have set their own passwords, and I cannot know those passwords.
In addition, we cannot ask each user to start the interface program to execute "wbinfo -a" and re-enter the password.

Is there any way to get the primary group of AD registered user on rhel8.1 side by batch processing without using each user's

