[Samba] differences between 'getent group GROUP1' and 'sudo samba-tool group listmembers GROUP1'
Rowland Penny
rpenny at samba.org
Mon Jan 20 21:16:54 UTC 2025
On Mon, 20 Jan 2025 21:56:17 +0100
PaLi via samba <samba at lists.samba.org> wrote:
> Hello
>
> I'm confused. On new installation of Samba 4 domain I have some
> configuration problem.
>
> samba release: Version 4.19.5-Ubuntu
>
> * example for user "pali"
>
> * returns members of this group
> $ sudo samba-tool group listmembers GROUP1
> ...
> pali
> ...
>
> * no users in group
> -- returns correct info (name, gid) except group members - it is empty
> $ getent group GROUP1
> -- EMPTY --
>
> * but "groups" shows all groups
> $ groups pali
> ... GROUP1 ...
>
> How it could be possible?
> Where could I search for configuration mistake?
>
> /etc/samba/smb.conf:
>
> [global]
> bind interfaces only = Yes
> dns forwarder = 8.8.8.8
> interfaces = lo enp1s0
> netbios name = DC11
> realm = OFFICE.SOMEDOMAIN.COM
> server role = active directory domain controller
> workgroup = OFFICE
> idmap_ldb:use rfc2307 = yes
> winbind enum groups = Yes
> winbind enum users = Yes
I would remove those 'enum' lines, you do not need them
> winbind use default domain = yes
You might as well remove that line. it does nothing on a DC
> # glob_winbind: - - - - - - - end
> # glob_template: - - - - - - begin
> template shell = /bin/bash
> template homedir = /home/%D/%U
The template homedir is the default
> # glob_template: - - - - - - - end
> # glob_acl: - - - - - - begin
> vfs objects = acl_xattr
OH DEAR, you MUST remove that line, it as turned off one of the DCs
default vfs objects
> map acl inherit = yes
> store dos attributes = yes
You should remove those lines, they shouldn't be in a DCs smb.conf
Rowland
More information about the samba
mailing list