samba - Apr 2016 - chgrp "Domain Admins" on folder return invalid group "Domain Admins"

Hi Denis,

Thank you for your mail.

I assigned the GID 10000 to the domain admins group through ADUC, and
wbinfo --info-group "domain admins" display the correct output.

But i am still not able to execute succesfuly #chgrp "Domain Admins"
/home/demo

And when i go to ADUC and try to open  the Unix Attribute of domain admins
group, i have the error "Unable to execute". But ADUC still display
the
contain of the tab with the correct NIS domain and the GID.

Is it normal ?

Thank you for helping.

Regards

On Tue, Apr 5, 2016 at 7:58 AM, Denis Cardon <
denis.cardon at tranquil-it-systems.fr> wrote:
> Hi Jules,
>
> I am trying to deploy Samba4 as a domain controller and a file server and
>> having some issues.*
>>
>> The domain have been well provisioned with option --use-rfc2307
>>
>> I am then trying to create share by following this samba wiki
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>
>> The problem is that i cannot succeed to change the group owner of the
>> folder I want to share as recommended  with the following command
>>
>> chgrp "Domain Admins" /home/demo
>>
>> When I try the chgrp command I receive and error  : invalid group
"Domain
>> Admins'.
>>
>> I then read the article that explain the subject about setting up
rfc2307
>> in AD
>>
>
> when using rfc2307, you have to define a uid or gid for all the users and
> groups that you plan to use on your fileserver. By default "domain
admins"
> group has no gid, only a SID. So you have to set it up. If there is no gid,
> you can still see it with wbinfo -g, but you won't see it using getent
> group <groupname>.
>
> HTH,
>
> Denis
>
>
>>
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#NIS_Extensions_installed_inside_the_directory
>>
>> and can confirm that  the "ypServ30" container exists.
>>
>> I wonder what is happening and if anyone could help me.
>> Thank you for reading and helping
>> Regards
>>
>>
>> Jules HOUANTONON
>> *Phone* : (00229) 97578914
>> *Email *: juleshoueto at gmail.com
>> *Skype* : houantonon
>> *linkedin* : www.linkedin.com/in/jhouantonon/en
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>

-- 
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: juleshoueto at gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en

On 05/04/16 11:06, Jules Houantonon wrote:
> Hi Denis,
>
> Thank you for your mail.
>
> I assigned the GID 10000 to the domain admins group through ADUC, and
> wbinfo --info-group "domain admins" display the correct output.
You need to ensure that 'getent group Domain\ Admins' displays the 
required info, on one of my DCs:

root at dc1:~# getent group Domain\ Admins
SAMDOM\domain admins:x:10001:

What I think you are missing, are the libnss links, see here for info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind

I know the page refers to a domain member, but it is the same basic 
setup on a DC.

You may also want to consider giving 'Domain Users' a gidNumber

Rowland
>
> But i am still not able to execute succesfuly #chgrp "Domain
Admins"
> /home/demo
>
> And when i go to ADUC and try to open  the Unix Attribute of domain admins
> group, i have the error "Unable to execute". But ADUC still
display the
> contain of the tab with the correct NIS domain and the GID.
>
> Is it normal ?
>
> Thank you for helping.
>
> Regards
>
>

Dear all,

thank you for your previous mails. It realy help me.

Denis, Following your mail and thanks to  the link  i configure my
/etc/nsswitch.conf file  by adding windbind to user and group line and
execute winbindd command.

As i install samba4 from sernet package, init script are created for
starting AD, smbd, nmbd and winbindd. But i read that smbd, nmd and
winbindd should be disable to start samba4 in AD mode. There were even a
Warning that were generated if windbindd service were kept started. So I do
not touch them, as they are disabled.

But after making nsswitch.conf changes, I am able to execute chgrp "domain
admins" /home/demo succesfully and ls -l /home display the permission with
the suitable group.

wbinfo -u also return the users created from AD as wbinfo -g also display
AD domaine groups.

I supposethat things are OK now.

But when i try the getent passwd
I do not have domain user display. Only local users account appear.

I wonder if it is normal.

Thank you for helping again and for your time.

Regards





chgrp



On Tue, Apr 5, 2016 at 11:30 AM, Rowland penny <rpenny at samba.org>
wrote:
> On 05/04/16 11:06, Jules Houantonon wrote:
>
>> Hi Denis,
>>
>> Thank you for your mail.
>>
>> I assigned the GID 10000 to the domain admins group through ADUC, and
>> wbinfo --info-group "domain admins" display the correct
output.
>>
>
> You need to ensure that 'getent group Domain\ Admins' displays the
> required info, on one of my DCs:
>
> root at dc1:~# getent group Domain\ Admins
> SAMDOM\domain admins:x:10001:
>
> What I think you are missing, are the libnss links, see here for info:
>
>
>
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
>
> I know the page refers to a domain member, but it is the same basic setup
> on a DC.
>
> You may also want to consider giving 'Domain Users' a gidNumber
>
> Rowland
>
>
>> But i am still not able to execute succesfuly #chgrp "Domain
Admins"
>> /home/demo
>>
>> And when i go to ADUC and try to open  the Unix Attribute of domain
admins
>> group, i have the error "Unable to execute". But ADUC still
display the
>> contain of the tab with the correct NIS domain and the GID.
>>
>> Is it normal ?
>>
>> Thank you for helping.
>>
>> Regards
>>
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: juleshoueto at gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en