[Samba] Reported group membership is different between domain member and Samba ADC
John R. Graham
john at graham-family.org
Sat Feb 15 13:37:38 UTC 2025
On 2/14/25 15:01, Rowland Penny via samba wrote:
> On Fri, 14 Feb 2025 12:14:18 -0500
> "John R. Graham via samba"<samba at lists.samba.org> wrote:
> On 2/14/25 11:22, Rowland Penny via samba wrote:
>> So, for an undiagnosed reason, the effective domain membership does
>> not include "domain admins" either.
>>
>> - John
> OK, I will diagnose it ;-)
>
> Open a terminal on the DC, enter 'man smb.conf', press enter and then
> go to 'winbind expand groups'. Read that; it will explain why you are
> not getting any group members.
>
> Rowland
Ah. Thank you! On my domain controller "getent" now behaves as you
predicted:

    dc1 ~ # getent group 'SAMDOM\domain admins'
    SAMDOM\domain admins:x:3000000:SAMDOM\administrator,SAMDOM\jgraham
    dc1 ~ # getent group SAMDOM\\wheel
    SAMDOM\wheel:x:11120:SAMDOM\jgraham

and "su -" now works but "sudo su -" is still broken on my domain
controller; both work on my domain members. Interestingly, "id" still
doesn't report correct group membership on the DC but does on domain
members. I'll look into what's different at the API level and report back.

- John