[Samba] default backend = rid not showing full group information for users

Rowland penny rpenny at samba.org
Sat May 2 18:20:46 UTC 2020


On 02/05/2020 18:59, Jelle de Jong via samba wrote:
> On 2020-05-02 16:42, Rowland penny via samba wrote:
>> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>>> Am I wrong to expect that id user and getent group should list me 
>>> the groups the user is part of.
>>>
>>> For example wbinfo --group-info=office shows me that user jdoe and 
>>> lgaga are part of the group, but then when doing id jdoe or id lgaga 
>>> the office group is not shown, neither in getent group.
>>>
>>> What should I change in my config to have full group information 
>>> working?
>>>
>>> root@samba01:~# wbinfo --group-info=development
>>> development:x:11111:jdoe
>>>
>>> root@samba01:~# wbinfo --group-info=office
>>> office:x:11106:lgaga,jdoe
>>>
>>> root@samba01:~# getent passwd lgaga
>>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>>
>>> root@samba01:~# getent passwd jdoe
>>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>>
>>> root@samba01:~# id jdoe
>>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
>>> users),11157(jdoe),3001(BUILTIN\users)
>>>
>>> root@samba01:~# id lgaga
>>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
>>> users),11155(lgaga),3001(BUILTIN\users)
>>>
>>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>>> Hello everybody,
>>>>
>>>> I am trying to use the backend = rid but it is not showing me group 
>>>> information of the users after adding the user to the domain groups...
>>>>
>>>> What should I do to have the full group info for the users available?
>> Get the user to login ;-)
>>>>
>>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>>> # All domain's user accounts and groups are automatically available 
>>>> on the domain member.
>>
>> That means that all user accounts will be shown by 'getent passwd' 
>> and all groups will be shown by 'getent group', it doesn't mean that 
>> 'id' will show every group a user is a member of. You can only be 
>> sure of getting a full list of a users groups if the user has logged in.
>
> So I log in as user jdoe and I still do not have access to the group...:
>
> jdoe@samba01:~$ getent group | grep jdoe
> development:x:11111:jdoe
> office:x:11106:jdoe,lgaga
> domain users:x:10513:jdoe,lgaga,administrator,krbtgt
>
> jdoe@samba01:~$ id jdoe
> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
> users),11157(jdoe),3001(BUILTIN\users)
>
> jdoe@samba01:~$ touch test.txt
> jdoe@samba01:~$ chgrp "domain users" test.txt #works!!
> jdoe@samba01:~$ chgrp office test.txt
> chgrp: changing group of 'test.txt': Operation not permitted
>
> Why are the group development and office not available for the users 
> part of this group?
>
> Kind regards,
>
> Jelle de Jong
>
I think you should show us the AD objects for 'jdoe' & 'lgaga'

Rowland
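
The mismatch reported in this thread, where `getent group` lists a user as a member of groups that `id` does not resolve for that user, can be checked mechanically by comparing the two outputs. The script below is an added example, not part of the original messages; the function names are hypothetical and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: list GIDs that `getent group` attributes to a user but that
# `id` does not resolve for that user. Function names are hypothetical.

# Constructed sample input, taken from the output quoted in the thread.
SAMPLE_GETENT='development:x:11111:jdoe
office:x:11106:jdoe,lgaga
domain users:x:10513:jdoe,lgaga,administrator,krbtgt'
SAMPLE_ID='uid=11157(jdoe) gid=10513(domain users) groups=10513(domain users),11157(jdoe),3001(BUILTIN\users)'

# stdin: `getent group` output; $1: user name.
# Prints the GID of each group whose member field (4th) names the user.
gids_from_getent() {
    U="$1" awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] == ENVIRON["U"]) { print $3; break }
    }' | sort -n
}

# stdin: one line of `id` output. Prints the GIDs in its groups= list.
# Names may contain spaces or backslashes, so only the number before "(" is kept.
gids_from_id() {
    sed -n 's/.* groups=//p' | tr ',' '\n' | sed 's/(.*//' | sort -n
}

# $1: user, $2: getent group text, $3: id text.
# Prints GIDs present in the first list and absent from the second.
missing_gids() {
    have=$(printf '%s\n' "$3" | gids_from_id)
    printf '%s\n' "$2" | gids_from_getent "$1" | while read -r gid; do
        printf '%s\n' "$have" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# Demo on the constructed sample; on a domain member, run instead:
#   missing_gids jdoe "$(getent group)" "$(id jdoe)"
missing_gids jdoe "$SAMPLE_GETENT" "$SAMPLE_ID"
```

Any GID it prints is a group the file-permission checks will not honour for that user, which matches the failed `chgrp office` shown in the thread.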




