[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'

Rowland penny rpenny at samba.org
Thu May 13 16:39:28 UTC 2021


On 13/05/2021 17:14, Kees van Vloten via samba wrote:
> Hi Samba-team,
>
> I am trying to get my smb-fileserver working as domain-member in a 
> samba-dc domain.
>
> A part of smb.conf [global]:
>
> [global]
>         netbios name = GRIEG
>         security = ADS
>         realm = COMPOSERS.LAN
>         workgroup = COMPOSERS
>         vfs objects = acl_xattr
>         idmap_ldb:use rfc2307 = yes
>         idmap config composers:backend = ad
>         idmap config composers:schema_mode = rfc2307
>         idmap config composers:unix_nss_info = yes
>         idmap config composers:range = 1001-999999
>         idmap config *:backend = tdb
>         idmap config *:range = 1000000-1999999
>         #winbind cache time = 300
>         winbind enum groups = yes
>         winbind enum users = yes
>         #winbind expand groups = 10
>         #winbind normalize names = yes
>         #winbind offline logon = yes
>         winbind refresh tickets = yes
>         #winbind scan trusted domains = yes
>         winbind use default domain = yes
>
> Some lines of /etc/nsswitch.conf:
>
> passwd:         files winbind
> group:          files winbind
> shadow:         files
> gshadow:        files
>
> With 'winbind use default domain = yes', 'getent group' returns all 
> groups properly, although there is a slowdown when it starts listing the 
> domain groups. Such a slowdown is not visible when listing users with 
> 'getent passwd'.
>
> When I do 'getent group mygroup', nothing is returned.
>
> With 'winbind use default domain = no', 'getent group' still works 
> properly but there is no slowdown on domain groups, and 'getent group 
> COMPOSERS\\mygroup' now returns the group details as expected.
>
> I would prefer to have 'winbind use default domain = yes'. What can I 
> do to make domain group lookups work properly?


To be honest, 'getent group' shouldn't work in a production domain, for 
the very reason you have found. I would remove the two 'winbind enum' 
lines, you do not need them, user & group lookup will work without them. 
You will then need to use 'getent user username' & 'getent group 
groupname'. Why this isn't working for you will need more investigation:

Have you given your AD users a uidNumber attribute containing a unique 
number inside the '1001-999999' range you have set in your smb.conf ?

Speaking of which, why did you start the range at '1001' ?

Have you given Domain Users a gidNumber attribute inside the same range ?

What OS are you using ?

What version of Samba are you using ?

Rowland
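The questions above amount to a checklist: every user that winbind should map needs a uidNumber, every group (Domain Users first of all) needs a gidNumber, and the values must fall inside the 'idmap config composers:range' from smb.conf without colliding with local accounts in /etc/passwd and /etc/group. The script below is an added example, not code from the thread or from the Samba project; it runs the checklist offline against a constructed LDIF export and constructed local files. The object names, numbers and the LDIF layout are assumptions made for the example (a real export would come from something like 'ldbsearch' or 'ldapsearch' against the DC); the smb.conf excerpt is the one posted above.

```python
"""Check AD RFC2307 ids against the smb.conf idmap range and local files.

Added example for the list thread above; the LDIF, /etc/passwd and
/etc/group samples are constructed, not taken from a real domain.
"""
import re

# Relevant lines of the smb.conf posted in the thread.
SMB_CONF = """
[global]
        idmap config composers:backend = ad
        idmap config composers:schema_mode = rfc2307
        idmap config composers:unix_nss_info = yes
        idmap config composers:range = 1001-999999
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
"""

# Constructed LDIF export: one mapped user, one group without gidNumber,
# Domain Users with a gidNumber, and a user whose uidNumber clashes locally.
LDIF = """dn: CN=kees,CN=Users,DC=composers,DC=lan
objectClass: user
sAMAccountName: kees
uidNumber: 10000
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=composers,DC=lan
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=mygroup,CN=Users,DC=composers,DC=lan
objectClass: group
sAMAccountName: mygroup

dn: CN=bob,CN=Users,DC=composers,DC=lan
objectClass: user
sAMAccountName: bob
uidNumber: 1001
gidNumber: 10000
"""

# Constructed local files; note the local account at uid/gid 1001, which sits
# inside the 1001-999999 range configured above.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nlocaluser:x:1001:1001::/home/localuser:/bin/bash\n"
LOCAL_GROUP = "root:x:0:\nlocaluser:x:1001:\n"


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    pat = re.compile(r"\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    ranges = {}
    for line in conf_text.splitlines():
        m = pat.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def local_ids(text):
    """Numeric ids (third field) from /etc/passwd or /etc/group content."""
    return {int(l.split(":")[2]) for l in text.splitlines() if l.count(":") >= 2}


def check_ids(entries, low, high, local_uids, local_gids):
    """Return (name, kind, detail) findings for objects winbind cannot map cleanly."""
    findings = []
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        is_user = "user" in e.get("objectClass", [])
        attr = "uidNumber" if is_user else "gidNumber"
        local = local_uids if is_user else local_gids
        vals = e.get(attr)
        if not vals:
            findings.append((name, "missing", f"no {attr}; winbind will not map this object"))
            continue
        n = int(vals[0])
        if not low <= n <= high:
            findings.append((name, "out_of_range", f"{attr} {n} outside {low}-{high}"))
        if n in local:
            findings.append((name, "local_collision", f"{attr} {n} already used in local files"))
    return findings


def run_checks():
    """Wire the constructed samples together; returns the list of findings."""
    low, high = parse_idmap_ranges(SMB_CONF)["composers"]
    return check_ids(parse_ldif(LDIF), low, high, local_ids(LOCAL_PASSWD), local_ids(LOCAL_GROUP))


if __name__ == "__main__":
    for name, kind, detail in run_checks():
        print(f"{kind:16} {name:14} {detail}")
```

On the constructed data the script reports 'mygroup' as missing its gidNumber (so 'getent group mygroup' can return nothing) and 'bob' as colliding with a local uid, which is the kind of overlap that starting the range at 1001 makes possible. Against a real domain, feed it an LDIF export of CN=Users and the member server's own /etc/passwd and /etc/group.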





