[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'

Rowland penny rpenny at samba.org
Thu May 13 18:07:35 UTC 2021


On 13/05/2021 18:43, Rowland penny via samba wrote:
> On 13/05/2021 17:47, Kees van Vloten wrote:
>>
>> Hi Rowland,
>>
>> Sorry about the incomplete info.
>>
>> I am using Samba 4.14 from Louis' repo on Debian buster.
>>
>> There are no local users above 1000 and indeed all users have uidNumber 
>> and gidNumber set and all groups that can appear as a unix-group have 
>> a gidNumber.
>>
>> An example of something that works:
>>
>> id test3
>> uid=2000(test3) gid=2000(grp_test3) groups=2000(grp_test3),100016(domain users),100014(acl-smb_share_group-full),100002(acl-servers_all-user_access),100003(acl-servers_all-sudo_root),100012(acl-smb_share_windows_deploy-full),100009(acl-app_wireshark-access),100008(acl-app_netdata-access),100018(acl-app_rspamd-access),100017(acl-app_servicedesk-access),1000001(BUILTIN\users)
>>
>> Then when I try 'chgrp grp_test3 testfile' that fails because 'getent 
>> group grp_test3' fails.
>>
>>
>> - Kees.
>>
>>
>
> OK, first, remove this line: idmap_ldb:use rfc2307 = yes
> It should only be in a DC smb.conf
> I don't think it has anything to do with your problem, but it 
> shouldn't be there.
>
> Let's double check the gidNumber attributes are there:
>
> ldbsearch -H ldap://$(hostname -s) \
>   -b "$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub \
>   '(&(objectClass=group)(sAMAccountName=Domain Users))' gidNumber -P |
>   grep 'gidNumber' | sed 's/gidNumber: //'
>
> This should result in '100016'
>
> ldbsearch -H ldap://$(hostname -s) \
>   -b "$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub \
>   '(&(objectClass=group)(sAMAccountName=grp_test3))' gidNumber -P |
>   grep 'gidNumber' | sed 's/gidNumber: //'
>
> This should result in '2000'
>
> Let's go from there.
>
> Rowland
>
>

Oops, I should have said to run the ldbsearch commands on a DC.

Rowland
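
A way to see which of the groups printed by `id` resolve through NSS, as an added example that is not part of the original thread: it parses an `id` line and queries every listed group with `getent group`, once by GID and once by name. The sample line is constructed (shortened from the `id test3` output quoted above), and the `LOOKUP` variable is a hypothetical hook for substituting the lookup command.

```shell
#!/bin/sh
# Added example (not from the thread): test each group in an `id` line via NSS.

TAB=$(printf '\t')

# Constructed sample, shortened from the `id test3` output quoted above.
SAMPLE='uid=2000(test3) gid=2000(grp_test3) groups=2000(grp_test3),100016(domain users),1000001(BUILTIN\users)'

# Hypothetical hook: command used to query the group database.
LOOKUP=${LOOKUP:-getent group}

# Print "gid<TAB>name" for every entry in the groups= field.
# Names can contain spaces or a backslash, so match up to the closing ')'.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        grep -oE '[0-9]+\([^)]*\)' |
        sed 's/^\([0-9]*\)(\(.*\))$/\1'"$TAB"'\2/'
}

# Look each group up twice, by GID and by name, and report both results.
# A name that `id` prints but that fails the by-name lookup is the symptom
# reported in the thread.
check_groups() {
    id_groups "$1" | while IFS="$TAB" read -r gid name; do
        by_gid=FAIL
        by_name=FAIL
        $LOOKUP "$gid" >/dev/null 2>&1 && by_gid=ok
        $LOOKUP "$name" >/dev/null 2>&1 && by_name=ok
        printf '%s\t%s\tby-gid=%s\tby-name=%s\n' "$gid" "$name" "$by_gid" "$by_name"
    done
}

# Check the line passed as the first argument, or the sample if none is given.
check_groups "${1:-$SAMPLE}"
```

Pass the output of `id test3` as the first argument to check a real account.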




