[Samba] Group members via LDAP
Troels Arvin
troels at arvin.dk
Wed Feb 8 20:46:26 UTC 2023
Hello,
Rowland Penny wrote:
>> Anyway, when searching with ldbsearch, it also leaves out a group
>> member, if the member has the group as the primary group.
>
> If by 'primary group' you mean the user's primaryGroupID attribute has
> been changed from '513', then this is to be expected. Every user is
> usually a member of Domain Users, but that group doesn't have any
> 'member' attributes. (and the users do not have a memberof attribute).
The users indeed don't have 513 as primaryGroupID.
Maybe I need to iterate over all users and collect a set of
primaryGroupID values and then somehow look those up as groups; however,
there doesn't seem to be a group attribute matching values I see for
primaryGroupID.
> What OS ?
> What Samba version ?
> The output of 'samba-tool testparm'
The Samba server runs Fedora Linux 37, Samba version 4.17.5.
The LDAP client is also Fedora 37, Samba client version also 4.17.5;
this host is joined to the Samba AD domain using "realm join ...".
Output from "samba-tool testparm" on the server:
============================================================
me at dc1 ~]$ samba-tool testparm
INFO 2023-02-08 21:08:55,860 pid:904
/usr/lib64/python3.11/site-packages/samba/netcmd/testparm.py #96: Loaded
smb config files from /etc/samba/smb.conf
INFO 2023-02-08 21:08:55,860 pid:904
/usr/lib64/python3.11/site-packages/samba/netcmd/testparm.py #97: Loaded
services file OK.
Press enter to see a dump of your service definitions
# Global parameters
[global]
disable netbios = Yes
dns forwarder = 1.1.1.1 2.2.2.2 1111:2222:0:1::3 3333:4444:0:1::5
netbios name = DC1
realm = MYDOM.ORG
server role = active directory domain controller
workgroup = MYDOM
============================================================
Interestingly, "getent group mygroup" gives me the output I had
expected, i.e. it returns me a list of all members, including users who
have mygroup as primary group. I have, however, not yet managed to find
which code does which LDAP lookup(s) to find the information.
--
Troels
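
Added example, not part of the original post or of Samba's code: in Active Directory, primaryGroupID holds the RID, i.e. the last component of the primary group's objectSid, so a full membership listing has to combine the group's 'member' values with the users whose primaryGroupID equals that RID. The function names, the domain SID and the sample entries below are constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into S-1-5-21-... string form."""
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # sub-authorities, little-endian
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def split_sid(sid: str):
    """Return (domain SID, RID) for an account or group SID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def member_filter(group_dn: str, group_sid: str) -> str:
    """Match explicit members plus users whose primary group is this group."""
    rid = split_sid(group_sid)[1]
    return "(|(memberOf=%s)(primaryGroupID=%d))" % (ldap_escape(group_dn), rid)

def effective_members(group: dict, users: list) -> list:
    """Union of the group's 'member' values and its primary-group users."""
    domain, rid = split_sid(group["sid"])
    names = set(group["member"])
    for u in users:
        if split_sid(u["sid"])[0] == domain and u["primaryGroupID"] == rid:
            names.add(u["dn"])
    return sorted(names)

# Constructed sample data (not from the original post).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP_SID_RAW = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
GROUP = {"dn": "CN=mygroup,CN=Users,DC=mydom,DC=org",
         "sid": sid_to_str(GROUP_SID_RAW),
         "member": ["CN=bob,CN=Users,DC=mydom,DC=org"]}
USERS = [
    {"dn": "CN=alice,CN=Users,DC=mydom,DC=org", "sid": DOMAIN + "-1103", "primaryGroupID": 1105},
    {"dn": "CN=bob,CN=Users,DC=mydom,DC=org", "sid": DOMAIN + "-1104", "primaryGroupID": 513},
]

if __name__ == "__main__":
    print(member_filter(GROUP["dn"], GROUP["sid"]))
    print(effective_members(GROUP, USERS))
```

An access review that reads only the 'member' attribute would miss alice in this sample, because her membership exists only through primaryGroupID.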