[Samba] Winbind missing secondary groups

Luc Lalonde Luc.Lalonde at polymtl.ca
Fri Jul 29 00:30:54 UTC 2022 

I found the culprit!

I removed this line from my /etc/nsswitch.conf:

initgroups = files

My secondary groups magically appeared when I typed ‘id’.

I think that I’m finally ready to get rid of SSSD

> On Jul 27, 2022, at 4:53 PM, Luc Lalonde via samba <samba at lists.samba.org> wrote:
> 
> Signed PGP part
> Yeah, I'm really stumped...
> 
> I've got the same version of Samba as you (4.15.6) on a Debian 11.
> 
> On 2022-07-27 16:24, Rowland Penny via samba wrote:
>> On Wed, 2022-07-27 at 16:05 -0400, Luc Lalonde via samba wrote:
>>> I corrected all the errors you mentionned in my config... Still a no
>>> go
>>> for secondary groups.
>>> 
>>> Other answers below:
>>> 
>>> On 2022-07-27 15:19, Rowland Penny via samba wrote:
>>>> Does 'Domain Users' have a gidNumber ?
>>> No, but I tried setting one... changes nothing (after restarting
>>> smbd,
>>> winbind, net cache flush)
>>>> Do all your users have a uidNumber & gidNumber ?
>>> Yes
>>>> Do all your groups have a gidNumber ?
>>> Yes
>>>> Are all these numbers inside the 1000-999999 range ?
>>> Yes
>> Strange, what version of Samba is this ?
>> 
>> I am using 4.15.7 with these lines in smb.conf:
>> 
>>   winbind expand groups = 2
>>   ....................
>>   idmap config * : backend = tdb
>>   idmap config * : range = 3000-7999
>>   idmap config SAMDOM : backend  = ad
>>   idmap config SAMDOM : schema_mode = rfc2307
>>   idmap config SAMDOM : unix_nss_info = yes
>>   idmap config SAMDOM : range = 10000-999999
>> 
>> and I get this:
>> 
>> rowland at devstation:~$ id
>> uid=10000(rowland) gid=10000(domain users) groups=10000(domain
>> users),102(netdev),1001(unixtest),2000(BUILTIN\administrators),2001(BUI
>> LTIN\users),10002(unixgroup),10004(testgroup),10010(group12),10011(prin
>> teradmin),10012(ridtest),10013(wingroup),10014(wingroup1),10015(nesttes
>> ta),10016(nesttestb),10017(grouptest2),10021(ftpgroup),10022(wingroup2)
>> ,10024(unix admins),10030(sam_shares),10032(sshgroup),10035(vpnusers)
>> 
>> The only real difference is that I do not use 'unix_primary_group =
>> yes'
>> 
>> As you can see, I get a lot of groups. I would double check everything.
>> 
>> Rowland
>> 
>> 
>> 
> --
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.samba.org/pipermail/samba/attachments/20220728/28cf22dc/signature.sig>

More information about the samba mailing list