[Samba] Group members via LDAP

Rowland Penny rpenny at samba.org
Thu Feb 9 08:16:59 UTC 2023



On 08/02/2023 22:32, Troels Arvin via samba wrote:
> Hello,
> 
> Rowland Penny wrote:
>> Why was the primaryGroupID changed ?
> 
> That must be a consequence of the users not having "Domain Users" as 
> primary group.

I will ask that in another way: why is your users' primary group not 
Domain Users ?

> 
> 
>> If you are running a Samba AD DC on Fedora using the Fedora Samba 
>> packages, then you are using MIT kerberos, which Samba has marked as 
>> experimental.
> 
> Ah, OK. This particular setup is not an important production 
> installation. It's a setup to learn what is likely to be possible in a 
> production setup in the future.

In which case, I suggest using Debian; that will get you Heimdal-based 
Samba.

> 
> 
>>> The LDAP client is also Fedora 37, Samba client version also 4.17.5; 
>>> this host is joined to the Samba AD domain using "realm join ...".
>>
>> This is, in my opinion, the wrong way of joining, you should have used 
>> 'net ads join'.
> 
> I thought "realm" does more, when you want the Linux host to be well 
> integrated into the AD using SSSD. I could be wrong.

Yes, you are wrong. If you are using Samba, then I would suggest that 
using the FreeIPA tools is a bad idea.

> 
> 
>> Where are the shares ?
> 
> The DC server has no shares. There is another server in the setup which 
> exports directories in the form of NFS and SMB shares.

A DC always has two shares, sysvol and netlogon.

> 
> 
>> I will not comment until I know why you have removed everyone from 
>> Domain Users, there is probably a good idea why this was done, but I 
>> cannot think of one.
> 
> In the setup, there are some Linux hosts joined with the AD. On the 
> Linux host, it's nicer to have a simple, short, non-space-containing 
> group name as the primary group, I thought. But if it results in all 
> sorts of trouble, then I suppose it was a mistake.

I think I understand this now: you want to use AD, but in Linux terms, 
i.e. make it work with Linux.
I suggest you stand that on its head and make your Linux work with AD.


> 
> 
> As you may have seen in another mail in this thread, I've found a way to 
> get a complete member list, even though it requires me to iterate 
> through all groups explicitly asking for primaryGroupToken.

There are numerous ways of getting group members, it just depends on 
Samba and AD being used correctly.

Rowland
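The full-membership lookup Troels describes (explicit `member` entries plus every user whose primaryGroupID matches the group's primaryGroupToken), as an added Python example that is not part of this thread or of Samba. The LDAP entries below are constructed sample data standing in for the attributes an LDAP search against a Samba AD DC would return; the DNs and SIDs are made up.

```python
# Added example (not from the thread): why a group's 'member' attribute alone
# is incomplete in AD, and how to assemble the real member list offline.
#
# In AD a user's primary group is NOT listed in that group's 'member'
# attribute. Instead the user carries primaryGroupID, which equals the RID
# (last component of objectSid) of the group; AD exposes that RID on the
# group as the constructed attribute primaryGroupToken.

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"

# Constructed sample search results (assumed values, not real directory data).
GROUPS = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
     "objectSid": "S-1-5-21-1111-2222-3333-513",
     "member": []},                      # empty, yet alice belongs here
    {"dn": "CN=linux,CN=Users,DC=example,DC=com",
     "objectSid": "S-1-5-21-1111-2222-3333-1105",
     "member": ["CN=alice,CN=Users,DC=example,DC=com"]},
]
USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "primaryGroupID": 1105},
    {"dn": "CN=carol,CN=Users,DC=example,DC=com", "primaryGroupID": 1105},
]


def primary_group_token(object_sid: str) -> int:
    """RID of a SID string, i.e. what AD returns as the group's primaryGroupToken."""
    return int(object_sid.rsplit("-", 1)[1])


def group_members(group: dict, users: list) -> set:
    """Explicit 'member' DNs plus users whose primaryGroupID points at this group."""
    token = primary_group_token(group["objectSid"])
    explicit = set(group.get("member", []))
    implicit = {u["dn"] for u in users if int(u["primaryGroupID"]) == token}
    return explicit | implicit


def all_memberships(groups: list, users: list) -> dict:
    """Map every group DN to its complete member set (one pass over all groups)."""
    return {g["dn"]: group_members(g, users) for g in groups}


def nondefault_primary_group(users: list) -> list:
    """Audit helper: users whose primary group is not Domain Users (the thread's issue)."""
    return [u["dn"] for u in users if int(u["primaryGroupID"]) != DOMAIN_USERS_RID]
```

Against a live DC the same logic applies after fetching `objectSid`/`member` for each group and `primaryGroupID` for each user; the RID comparison is what makes the per-group primaryGroupToken iteration necessary.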