[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
rpenny at samba.org
Thu May 13 16:39:28 UTC 2021
On 13/05/2021 17:14, Kees van Vloten via samba wrote:
> Hi Samba-team,
> I am trying to get my smb-fileserver working as domain-member in a
> samba-dc domain.
> A part of smb.conf [global]:
> netbios name = GRIEG
> security = ADS
> realm = COMPOSERS.LAN
> workgroup = COMPOSERS
> vfs objects = acl_xattr
> idmap_ldb:use rfc2307 = yes
> idmap config composers:backend = ad
> idmap config composers:schema_mode = rfc2307
> idmap config composers:unix_nss_info = yes
> idmap config composers:range = 1001-999999
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> #winbind cache time = 300
> winbind enum groups = yes
> winbind enum users = yes
> #winbind expand groups = 10
> #winbind normalize names = yes
> #winbind offline logon = yes
> winbind refresh tickets = yes
> #winbind scan trusted domains = yes
> winbind use default domain = yes
> Some lines of /etc/nsswitch.conf:
> passwd: files winbind
> group: files winbind
> shadow: files
> gshadow: files
> With 'winbind use default domain = yes', 'getent group' returns all
> groups properly, although there a slow down when it starts listing the
> domain groups. Such slow down is not visible when listing users with
> 'getent passwd'.
> When I do 'getent group mygroup', nothing is returned.
> With winbind use default domain = no', 'getent group' still works
> properly but there is no slow down on domain groups and 'getent group
> COMPOSERS\\mygroup' now returns the group details as expected.
> I would prefer to have 'winbind use default domain = yes'. What can I
> do to make domain group lookups work properly?
To be honest, 'getent group' shouldn't work in a production domain, for
the very reason you have found. I would remove the two 'winbind enum'
lines, you do not need them, user & group lookup will work without them.
You will then need to use 'getent user username' & 'getent group
groupname'. Why this isn't working for you will need more investigation:
Have you given your AD users a uidNumber attribute containing a unique
number inside the '1001-999999' range you have set in your smb.conf ?
Speaking of which, why did you start the range at '1001' ?
Have you given Domain Users a gidNumber attribute inside the same range ?
What OS are you using ?
What version of Samba are you using ?
More information about the samba