[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
Rowland Penny
rpenny at samba.org
Thu May 13 17:43:36 UTC 2021
On 13/05/2021 17:47, Kees van Vloten wrote:
>
> Hi Rowland,
>
> Sorry about the incomplete info.
>
> I am using Samba 4.14 from Louis' repo on Debian buster.
>
> There are no local users above 1000 and indeed all users have uidNumber
> and gidNumber set, and all groups that can appear as a unix-group have a
> gidNumber.
>
> An example of something that works:
>
> id test3
> uid=2000(test3) gid=2000(grp_test3) groups=2000(grp_test3),100016(domain users),100014(acl-smb_share_group-full),100002(acl-servers_all-user_access),100003(acl-servers_all-sudo_root),100012(acl-smb_share_windows_deploy-full),100009(acl-app_wireshark-access),100008(acl-app_netdata-access),100018(acl-app_rspamd-access),100017(acl-app_servicedesk-access),1000001(BUILTIN\users)
>
> Then when I try 'chgrp grp_test3 testfile' that fails because 'getent
> group grp_test3' fails.
>
>
> - Kees.
>
>
OK, first, remove this line: idmap_ldb:use rfc2307 = yes

It should only be in a DC smb.conf.
I don't think it has anything to do with your problem, but it shouldn't
be there.

Let's double check the gidNumber attributes are there:

ldbsearch -H ldap://$(hostname -s) -b "$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub '(&(objectClass=group)(sAMAccountName=Domain Users))' gidNumber -P | grep 'gidNumber' | sed 's/gidNumber: //'

This should result in '100016'

ldbsearch -H ldap://$(hostname -s) -b "$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub '(&(objectClass=group)(sAMAccountName=grp_test3))' gidNumber -P | grep 'gidNumber' | sed 's/gidNumber: //'

This should result in '2000'

Let's go from there.

Rowland
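
The two checks above can be combined with the failing 'getent group' lookup so that the AD value and the NSS value are compared side by side. This is an added example, not part of the original message; the function names (base_dn, ldif_gid, nss_gid, verdict, check_group) are assumptions made for illustration, and it expects ldbsearch and getent on a domain member as in the thread.

```shell
#!/bin/sh
# Added example: compare a group's gidNumber in AD with the GID NSS returns.

# Turn a DNS domain (e.g. samdom.example.com) into a base DN.
base_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Read LDIF on stdin, print the first gidNumber value (nothing if absent).
ldif_gid() {
    sed -n 's/^gidNumber: //p' | head -n 1
}

# Read a 'getent group' line on stdin (name:passwd:gid:members), print the GID.
nss_gid() {
    cut -d: -f3 | head -n 1
}

# $1 = GID from AD, $2 = GID from NSS; print where the lookup chain breaks.
verdict() {
    if [ -z "$1" ]; then
        echo "no gidNumber in AD"
    elif [ -z "$2" ]; then
        echo "AD has gidNumber but NSS lookup failed"
    elif [ "$1" = "$2" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# Query AD the same way as the commands in the message, then ask NSS.
# The group name goes into the LDAP filter unescaped: pass trusted names only.
check_group() {
    grp=$1
    ad=$(ldbsearch -H "ldap://$(hostname -s)" \
            -b "$(base_dn "$(hostname -d)")" -s sub \
            "(&(objectClass=group)(sAMAccountName=$grp))" gidNumber -P | ldif_gid)
    nss=$(getent group "$grp" | nss_gid)
    echo "$grp: AD=${ad:-none} NSS=${nss:-none} -> $(verdict "$ad" "$nss")"
}

# Usage: sh check_gid.sh grp_test3 'Domain Users'
for g in "$@"; do
    check_group "$g"
done
```

A result of "AD has gidNumber but NSS lookup failed" means the attribute is present in the directory and the problem lies on the winbind/NSS side of the member server.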