[Samba] differences between 'getent group GROUP1' and 'sudo samba-tool group listmembers GROUP1'

Rowland Penny rpenny at samba.org
Tue Jan 21 21:14:59 UTC 2025 

On Tue, 21 Jan 2025 21:49:11 +0100
PaLi via samba <samba at lists.samba.org> wrote:

> On Tue, 2025-01-21 at 20:20 +0000, Rowland Penny via samba wrote:
> > On Tue, 21 Jan 2025 21:10:31 +0100
> > PaLi via samba <samba at lists.samba.org> wrote:
> > 
> > > Hello
> > > 
> > > Thank for suggestion to config fixes. Back to my original
> > > question.
> > > 
> > > Is it possible make
> > > 
> > > getent group
> > > 
> > > working on Samba 4 DC
> > 
> > Yes, but why ?
> > It isn't required for Samba to work, use 'getent group GROUPNAME'
> > instead.
> I don't know if my question was clear enough. 
> Real example could be better explanation.
> 
> 
> real OUTPUT of samba-tool
> ---
> $ sudo samba-tool group listmembers 'domain users'
> dns-dc21
> Administrator
> pali
> luno
> peli
> misi
> krbtgt
> dhcpduser
> masi
> dns-DC22
> 
> 
> real OUTPUT of getent group
> ---
> $ sudo getent group 'domain users'
> OFFICE\domain users:x:2000:
> 
> 
> My problem is that both tools return different result. 
> (getent group -- shows no members)
> 
> Do you aggree that it is not correct behaviour?

That is the correct behavior, 'getent group' shouldn't show any results
because you haven't specified a group, but 'getent group GROUPNAME'
should display results.

> 
> 
> Other example -- real situation
> 
> I will log to DC (or other linux machine joined to Samba 4) through
> ssh (terminal session) as non privileged user. I want to get list of
> members for group 'Domain Users'. How can I do it without 
> getent group working?

But 'getent' is working, it is just that you do not seem to want the
result that it displays, for instance, 'getent group Domain\ Users'
will display something like 'SAMDOM\domain users:x:10000:' and you want
the output of 'samba-tool group listmembers Domain\ Admins', though I
have no idea why you want to do this, AD knows who your group members
are. If you really must know the group members, use sudo.

Rowland

More information about the samba mailing list