Hello,

I can't seem to get a user's secondary groups to show up...

Here are the pertinent lines in my configuration:

### /etc/nsswitch.conf ###

passwd:     files winbind
shadow:     files
group:      files winbind
initgroups: files
hosts:      files dns
####################

### /etc/samba/smb.conf ###

   idmap config *:backend = tdb
   idmap config *:range = 200-999
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 1000-999999
   idmap config EXAMPLE : read only = yes
   idmap config EXAMPLE : unix_nss_info = yes
   idmap config EXAMPLE : unix_primary_group = yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind expand groups = 3
   winbind refresh tickets = Yes
   winbind enum groups = Yes
   winbind enum users = Yes

#####################

Here's what I get:

[llalonde at moe5 ~]$ id
uid=12690(llalonde) gid=7006(foo) groups=7006(foo)
[llalonde at moe5 ~]$ getent group admingroup
admingroup:x:8000:llalonde,sccmadmin

On another Linux client using SSSD, here's what I get:

uid=12690(llalonde) gid=7006(foo) groups=7006(foo),8000(admingroup)

What am I missing? I think that this is the last missing detail before I drop SSSD.

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------

On Wed, 2022-07-27 at 14:58 -0400, Luc Lalonde via samba wrote:
> Hello,
>
> I can't seem to get a user's secondary groups to show up...
>
> Here are the pertinent lines in my configuration:
>
> ### /etc/nsswitch.conf ###
>
> passwd: files winbind
> shadow: files
> group: files winbind
> initgroups: files
> hosts: files dns
> ####################
>
> ### /etc/samba/smb.conf ###
>
> idmap config *:backend = tdb
> idmap config *:range = 200-999
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 1000-999999
> idmap config EXAMPLE : read only = yes

Where did you get that line from ? I do not recognise it in relation to the 'ad' idmap backend.

> idmap config EXAMPLE : unix_nss_info = yes
> idmap config EXAMPLE : unix_primary_group = yes
> winbind nss info = rfc2307

You do not use that with the 'ad' idmap backend, it is set in the 'idmap config' lines.

> winbind use default domain = yes
> winbind expand groups = 3

Try a different number, I use '2' and it works for myself.

> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes

You do not need those 'enum' lines, it will work without them.

>
> #####################
>
> Here's what I get:
>
> [llalonde at moe5 ~]$ id
> uid=12690(llalonde) gid=7006(foo) groups=7006(foo)
> [llalonde at moe5 ~]$ getent group admingroup
> admingroup:x:8000:llalonde,sccmadmin
>
> On another Linux client using SSSD, here's what I get:
>
> uid=12690(llalonde) gid=7006(foo) groups=7006(foo),8000(admingroup)
>
> What am I missing? I think that this is the last missing detail before
> I drop SSSD.

Does 'Domain Users' have a gidNumber ?
Do all your users have a uidNumber & gidNumber ?
Do all your groups have a gidNumber ?
Are all these numbers inside the 1000-999999 range ?

Rowland

On 7/27/22 20:58, Luc Lalonde via samba wrote:
> I can't seem to get a user's secondary groups to show up...

Samba learns the groups when a user authenticates (simplified version). Have you authenticated your test user before?

-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
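
The symptom reported in this thread, written as a repeatable check (an added example, not code from any poster or from Samba): it compares `id` output against `getent group` member lists and checks the IDs against the EXAMPLE idmap range that Rowland asks about. The function names are hypothetical; the sample strings are copied from the first message.

```python
import re

# Sample data copied from the first message in the thread.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 200-999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:range = 1000-999999
"""
ID_OUTPUT = "uid=12690(llalonde) gid=7006(foo) groups=7006(foo)"
GETENT_GROUP = ["admingroup:x:8000:llalonde,sccmadmin"]

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
ID_RE = re.compile(r"uid=(\d+)\((\S+?)\) gid=(\d+)\(.*?\) groups=(.*)$")

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOMAIN:range' lines."""
    found = (RANGE_RE.match(line) for line in conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def parse_id(output):
    """Parse `id` output into (user, uid, primary_gid, {gid: group_name})."""
    m = ID_RE.match(output.strip())
    if m is None:
        raise ValueError("unrecognised id output: %r" % output)
    groups = {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(4))}
    return m.group(2), int(m.group(1)), int(m.group(3)), groups

def missing_supplementary(id_output, getent_lines):
    """Groups that list the user as a member but are absent from `id`."""
    user, _, _, have = parse_id(id_output)
    missing = []
    for line in getent_lines:
        name, _, gid, members = line.strip().split(":", 3)
        if user in members.split(",") and int(gid) not in have:
            missing.append((name, int(gid)))
    return missing

def out_of_range(ids, low, high):
    """IDs that fall outside the domain's configured idmap range."""
    return [i for i in ids if not low <= i <= high]

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["EXAMPLE"]
    _, uid, gid, _ = parse_id(ID_OUTPUT)
    print("outside range:", out_of_range([uid, gid, 8000], low, high))
    print("missing from id:", missing_supplementary(ID_OUTPUT, GETENT_GROUP))
```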