[Samba] default backend = rid not showing full group information for users

Jelle de Jong jelledejong at powercraft.nl
Sat May 2 18:28:59 UTC 2020 


On 2020-05-02 20:20, Rowland penny via samba wrote:
> On 02/05/2020 18:59, Jelle de Jong via samba wrote:
>> On 2020-05-02 16:42, Rowland penny via samba wrote:
>>> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>>>> Am I wrong to expect that id user and getent group should list me 
>>>> the groups the user is part of.
>>>>
>>>> For example wbinfo --group-info=office shows me that user jdoe and 
>>>> lgaga are part of the group, but then when doing id jdoe or id lgaga 
>>>> the office group is not shown, neither in getent group.
>>>>
>>>> What should I change in my config to have full group information 
>>>> working?
>>>>
>>>> root at samba01:~# wbinfo --group-info=development
>>>> development:x:11111:jdoe
>>>>
>>>> root at samba01:~# wbinfo --group-info=office
>>>> office:x:11106:lgaga,jdoe
>>>>
>>>> root at samba01:~# getent passwd lgaga
>>>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>>>
>>>> root at samba01:~# getent passwd jdoe
>>>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>>>
>>>> root at samba01:~# id jdoe
>>>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
>>>> users),11157(jdoe),3001(BUILTIN\users)
>>>>
>>>> root at samba01:~# id lgaga
>>>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
>>>> users),11155(lgaga),3001(BUILTIN\users)
>>>>
>>>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>>>> Hello everybody,
>>>>>
>>>>> I am trying to use the backend = rid but it is not showing me group 
>>>>> information of the users after adding the user to the domain groups...
>>>>>
>>>>> What should I do to have the full group info for the users available?
>>> Get the user to login ;-)
>>>>>
>>>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>>>> # All domain's user accounts and groups are automatically available 
>>>>> on the domain member.
>>>
>>> That means that all user accounts will be shown by 'getent passwd' 
>>> and all groups will be shown by 'getent group', it doesn't mean that 
>>> 'id' will show every group a user is a member of. You can only be 
>>> sure of getting a full list of a users groups if the user has logged in.
>>
>> So I log in as user jdoe and I still do not have access to the group...:
>>
>> jdoe at samba01:~$ getent group | grep jdoe
>> development:x:11111:jdoe
>> office:x:11106:jdoe,lgaga
>> domain users:x:10513:jdoe,lgaga,administrator,krbtgt
>>
>> jdoe at samba01:~$ id jdoe
>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
>> users),11157(jdoe),3001(BUILTIN\users)
>>
>> jdoe at samba01:~$ touch test.txt
>> jdoe at samba01:~$ chgrp "domain users" test.txt #works!!
>> jdoe at samba01:~$ chgrp office test.txt
>> chgrp: changing group of 'test.txt': Operation not permitted
>>
>> Why are the group development and office not available for the users 
>> part of this group?
>>
>> Kind regards,
>>
>> Jelle de Jong
>>
> I think you should show us the AD objects for 'jdoe' & 'lgaga'

root at s4ad01:~# samba-tool user show jdoe
ldb_wrap open of secrets.ldb
dn: CN=John Doe,CN=Users,DC=samdom,DC=powercraft,DC=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
givenName: John Doe
instanceType: 4
whenCreated: 20200430223428.0Z
displayName: John Doe
uSNCreated: 6013
name: John Doe
objectGUID: 39dd50a7-9759-4d94-b7d5-292b0b6685da
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-2973048184-1977035664-260764756-1157
accountExpires: 9223372036854775807
sAMAccountName: jdoe
sAMAccountType: 805306368
userPrincipalName: jdoe at samdom.powercraft.nl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=powercraft
  ,DC=nl
loginShell: /bin/bash
pwdLastSet: 132327596685766050
userAccountControl: 512
lastLogonTimestamp: 132327597082583380
homeDrive: H:
homeDirectory: \\SAMBA01\users\jdoe
whenChanged: 20200430231011.0Z
uSNChanged: 6020
memberOf: CN=office,CN=Users,DC=samdom,DC=powercraft,DC=nl
memberOf: CN=development,CN=Users,DC=samdom,DC=powercraft,DC=nl
lastLogon: 132329156295792050
logonCount: 12
distinguishedName: CN=John Doe,CN=Users,DC=samdom,DC=powercraft,DC=nl

root at s4ad01:~# samba-tool user show lgaga
ldb_wrap open of secrets.ldb
dn: CN=Lady Gaga,CN=Users,DC=samdom,DC=powercraft,DC=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Lady Gaga
givenName: Lady Gaga
instanceType: 4
whenCreated: 20200430222112.0Z
displayName: Lady Gaga
uSNCreated: 6002
name: Lady Gaga
objectGUID: 6a86c792-c177-4797-a4fd-99c4379dab82
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\SAMBA01\users\lgaga
homeDrive: H
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-2973048184-1977035664-260764756-1155
accountExpires: 9223372036854775807
sAMAccountName: lgaga
sAMAccountType: 805306368
userPrincipalName: lgaga at samdom.powercraft.nl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=powercraft
  ,DC=nl
loginShell: /bin/bash
pwdLastSet: 132327588724653300
userAccountControl: 512
lastLogonTimestamp: 132327588827098890
whenChanged: 20200430222122.0Z
uSNChanged: 6006
lastLogon: 132327592186315850
logonCount: 4
memberOf: CN=office,CN=Users,DC=samdom,DC=powercraft,DC=nl
distinguishedName: CN=Lady Gaga,CN=Users,DC=samdom,DC=powercraft,DC=nl


Jelle de Jong

More information about the samba mailing list