[Samba] Winbind missing secondary groups

Rowland Penny rpenny at samba.org
Wed Jul 27 19:19:27 UTC 2022


On Wed, 2022-07-27 at 14:58 -0400, Luc Lalonde via samba wrote:
> Hello,
> 
> I can't seem to get a user's secondary groups to show up...
> 
> Here are the pertinent lines in my configuration:
> 
> ### /etc/nsswitch.conf ###
> 
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> initgroups: files
> hosts:      files dns
> ####################
> 
> ### /etc/samba/smb.conf ###
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 200-999
>     idmap config EXAMPLE:backend = ad
>     idmap config EXAMPLE:schema_mode = rfc2307
>     idmap config EXAMPLE:range = 1000-999999
>     idmap config EXAMPLE : read only = yes

Where did you get that line from ? I do not recognise it in relation to
the 'ad' idmap backend.

>     idmap config EXAMPLE : unix_nss_info = yes
>     idmap config EXAMPLE : unix_primary_group = yes
>     winbind nss info = rfc2307

You do not use that with the 'ad' idmap backend, it is set in the
'idmap config' lines.

>     winbind use default domain = yes
>     winbind expand groups = 3

Try a different number, I use '2' and it works for myself.

>     winbind refresh tickets = Yes
>     winbind enum groups = Yes
>     winbind enum users = Yes

You do not need those 'enum' lines, it will work without them.

> 
> #####################
> 
> Here's what I get:
> 
> [llalonde at moe5 ~]$ id
> uid=12690(llalonde) gid=7006(foo) groups=7006(foo)
> [llalonde at moe5 ~]$ getent group admingroup
> admingroup:x:8000:llalonde,sccmadmin
> 
> On another Linux client using SSSD, here's what I get:
> 
> uid=12690(llalonde) gid=7006(foo) groups=7006(foo),8000(admingroup)
> 
> What am I missing?  I think that this is the last missing detail before
> I drop SSSD.

Does 'Domain Users' have a gidNumber ?
Do all your users have a uidNumber & gidNumber ?
Do all your groups have a gidNumber ?
Are all these numbers inside the 1000-999999 range ?

Rowland
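
The four questions that close the reply above can be checked mechanically. This is an added example, not code from the original post or from the Samba project: it reads the `idmap config` range lines quoted in the post and tests a set of records against the EXAMPLE range. The record list is constructed, the `Domain Users` and `legacygroup` values are hypothetical, and the helper names are this example's own.

```python
import re

# Constructed sample: the idmap lines quoted in the post.
SMB_CONF = """
    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 1000-999999
"""

# Constructed records standing in for AD attribute values
# (name, kind, attribute, value; None means the attribute is unset).
# The first three values appear in the post's output, the last two are hypothetical.
RECORDS = [
    ("llalonde", "user", "uidNumber", 12690),
    ("foo", "group", "gidNumber", 7006),
    ("admingroup", "group", "gidNumber", 8000),
    ("Domain Users", "group", "gidNumber", None),
    ("legacygroup", "group", "gidNumber", 500),
]

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    pattern = re.compile(
        r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
    ranges = {}
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_records(records, low, high):
    """List records with a missing ID attribute or an ID outside low-high."""
    problems = []
    for name, kind, attr, value in records:
        if value is None:
            problems.append((name, f"{kind} has no {attr}"))
        elif not low <= value <= high:
            problems.append((name, f"{attr} {value} outside {low}-{high}"))
    return problems

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["EXAMPLE"]
    for name, reason in check_records(RECORDS, low, high):
        print(f"{name}: {reason}")
```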




