Trent W. Buck
2013-Oct-29 04:44 UTC
[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)
When I do "getent group", I want to see the group's members enumerated.
With nss_ldap they are; with nss_winbind they aren't:

root@gumbo:~# getent group mgmt
PI\mgmt:*:1040:

There *are* members there (partially redacted):

root@gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
# record 1
dn: CN=mgmt,CN=Users,REDACTED
member: CN=alice,CN=Users,REDACTED
member: CN=bob,CN=Users,REDACTED
member: CN=clara,CN=Users,REDACTED
[...]

Those members are users, not groups, by the way.

I had a look at the manpages, and so far these guesses aren't helping.
I also tried increasing the "winbind expand groups = 4".

winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 1

# Automatically added during provisioning;
# I don't know what it does.
idmap_ldb:use rfc2307 = yes

The main reason I want this, is so I can confirm that what libc sees on
the new samba4 host matches what libc sees on the old samba3 host.
Apart from anything else, new users & groups have been created since I
did a "domain classicupgrade", and I intend to just use samba-tool to
manually add them to the new host.

Plan B is to use "samba-tool group listmembers" &c to check what's on
the new host, but I've had some troubles with nss_winbind not showing
some users and groups that samba-tool can see, so I'm leery of that.
Volker Lendecke
2013-Oct-29 06:23 UTC
[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)
On Tue, Oct 29, 2013 at 03:44:40PM +1100, Trent W. Buck wrote:
> When I do "getent group", I want to see the group's members enumerated.
> With nss_ldap they are; with nss_winbind they aren't:

What is the exact Samba domain member version you are using?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
steve
2013-Oct-29 09:44 UTC
[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)
On Tue, 2013-10-29 at 15:44 +1100, Trent W. Buck wrote:
> When I do "getent group", I want to see the group's members enumerated.
> With nss_ldap they are; with nss_winbind they aren't:
>
> root@gumbo:~# getent group mgmt
> PI\mgmt:*:1040:
>
> There *are* members there (partially redacted):
>
> root@gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
> # record 1
> dn: CN=mgmt,CN=Users,REDACTED
> member: CN=alice,CN=Users,REDACTED
> member: CN=bob,CN=Users,REDACTED
> member: CN=clara,CN=Users,REDACTED
> [...]
>
> Those members are users, not groups, by the way.
>
> I had a look at the manpages, and so far these guesses aren't helping.
> I also tried increasing the "winbind expand groups = 4".
>
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 1
>
> # Automatically added during provisioning;
> # I don't know what it does.
> idmap_ldb:use rfc2307 = yes

It tells nss to look in AD for uidNumber and gidNumber.

> The main reason I want this, is so I can confirm that what libc sees on
> the new samba4 host matches what libc sees on the old samba3 host.
> Apart from anything else, new users & groups have been created since I
> did a "domain classicupgrade", and I intend to just use samba-tool to
> manually add them to the new host.

Your classicupgrade users will have the necessary attributes. You will
need to add them yourself for new users. Is it possible to upgrade to
4.1? There, samba-tool can be used to add rfc2307 upon creating a new
user.

> Plan B is to use "samba-tool group listmembers" &c to check what's on
> the new host, but I've had some troubles with nss_winbind not showing
> some users and groups that samba-tool can see, so I'm leery of that.

Do I understand that this is all on a 4.0.9 DC? If so, the easiest way
to get getent group to list group members is to use nslcd or sssd. I
don't think winbind does it.

HTH
Steve
Rowland Penny
2013-Oct-29 10:32 UTC
[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)
On 29/10/13 04:44, Trent W. Buck wrote:
> When I do "getent group", I want to see the group's members enumerated.
> With nss_ldap they are; with nss_winbind they aren't:
>
> root@gumbo:~# getent group mgmt
> PI\mgmt:*:1040:
>
> There *are* members there (partially redacted):
>
> root@gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
> # record 1
> dn: CN=mgmt,CN=Users,REDACTED
> member: CN=alice,CN=Users,REDACTED
> member: CN=bob,CN=Users,REDACTED
> member: CN=clara,CN=Users,REDACTED
> [...]
>
> Those members are users, not groups, by the way.
>
> I had a look at the manpages, and so far these guesses aren't helping.
> I also tried increasing the "winbind expand groups = 4".
>
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 1
>
> # Automatically added during provisioning;
> # I don't know what it does.
> idmap_ldb:use rfc2307 = yes
>
> The main reason I want this, is so I can confirm that what libc sees on
> the new samba4 host matches what libc sees on the old samba3 host.
> Apart from anything else, new users & groups have been created since I
> did a "domain classicupgrade", and I intend to just use samba-tool to
> manually add them to the new host.
>
> Plan B is to use "samba-tool group listmembers" &c to check what's on
> the new host, but I've had some troubles with nss_winbind not showing
> some users and groups that samba-tool can see, so I'm leery of that.

I think that you have fallen into the 'S4 winbind != S3 winbind' trap. It
would seem that S4 winbind only knows about usernames, groupnames and
xidNumbers (uidNumbers & gidNumbers if present); the user's home directory
& login shell are hardcoded, but the shell can be overridden.

If I run 'getent group' on my S4 server, I get:

root:x:0:
..........
HOME\Enterprise Read-Only Domain Controllers:*:3000019:
HOME\Domain Admins:*:27:
HOME\Domain Users:*:100:
HOME\Domain Guests:*:65534:
HOME\Domain Computers:*:3000018:
HOME\Domain Controllers:*:3000020:
HOME\Schema Admins:*:3000007:
HOME\Enterprise Admins:*:3000006:
HOME\Group Policy Creator Owners:*:3000004:
HOME\Read-Only Domain Controllers:*:3000021:
HOME\DnsUpdateProxy:*:3000022:
HOME\adminusers:*:10000:

And if I run your (slightly modified) command line:

samba-tool group list | while read x; do getent group HOME\\"$x" >/dev/null || echo MISSING: $x; done

MISSING: Allowed RODC Password Replication Group
MISSING: Denied RODC Password Replication Group
MISSING: Pre-Windows 2000 Compatible Access
MISSING: Windows Authorization Access Group
MISSING: Certificate Service DCOM Access
MISSING: Network Configuration Operators
MISSING: Terminal Server License Servers
MISSING: Incoming Forest Trust Builders
MISSING: Performance Monitor Users
MISSING: Cryptographic Operators
MISSING: Distributed COM Users
MISSING: Performance Log Users
MISSING: Remote Desktop Users
MISSING: Account Operators
MISSING: Event Log Readers
MISSING: RAS and IAS Servers
MISSING: Backup Operators
MISSING: Server Operators
MISSING: Print Operators
MISSING: Administrators
MISSING: Cert Publishers
MISSING: Replicator
MISSING: IIS_IUSRS
MISSING: DnsAdmins
MISSING: Guests
MISSING: Users

You will notice that the top list is missing from the bottom list. So, as
Steve has said, if you want to get the job done, do not use winbind; use
anything else, but preferably sssd. If you must use nss_ldapd, just
remember that you are now pointing it at an Active Directory, not
OpenLDAP, and the connection lines are different.

Rowland
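Trent's stated goal is to confirm that libc on the new Samba 4 host sees the same groups, GIDs and members as libc on the old Samba 3 host, and Rowland's one-liner only checks that a group name resolves at all. The script below is an added example, not code from the thread: it diffs two `getent group` dumps by bare group name (stripping winbind's `DOMAIN\` prefix) and reports groups present on one side only, GID changes, and membership differences, so the empty member list shown above for `mgmt` surfaces as a finding. The sample dumps are constructed.

```python
# Added example: diff two `getent group` dumps (old Samba 3 / nss_ldap host
# vs. new Samba 4 / nss_winbind host) by bare group name, GID and members.
from typing import Dict, List, Set, Tuple
# Constructed sample of `getent group` on the old host (nss_ldap).
OLD_DUMP = """\
root:x:0:
mgmt:x:1040:alice,bob,clara
devs:x:1041:bob,dave
legacy:x:1042:alice
"""
# Constructed sample on the new host (nss_winbind): names carry the NetBIOS
# prefix, one GID drifted, and mgmt comes back with an empty member list.
NEW_DUMP = """\
root:x:0:
PI\\mgmt:*:1040:
PI\\devs:*:1050:bob,dave
PI\\newgrp:*:1043:erin
"""

def parse_getent_group(dump: str, strip_domain: bool = True) -> Dict[str, Tuple[int, Set[str]]]:
    """Parse name:passwd:gid:member,... lines into {name: (gid, members)}.
    strip_domain drops winbind's 'DOMAIN\\' prefix so hosts match by bare name."""
    groups = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        if strip_domain and "\\" in name:
            name = name.split("\\", 1)[1]
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def compare_groups(old_dump: str, new_dump: str) -> Dict[str, List]:
    """Groups on only one side, GID changes, and member differences
    (reported as (name, old-only members, new-only members))."""
    old, new = parse_getent_group(old_dump), parse_getent_group(new_dump)
    report = {"missing_on_new": sorted(old.keys() - new.keys()),
              "missing_on_old": sorted(new.keys() - old.keys()),
              "gid_mismatch": [], "member_mismatch": []}
    for name in sorted(old.keys() & new.keys()):
        (gid_o, mem_o), (gid_n, mem_n) = old[name], new[name]
        if gid_o != gid_n:
            report["gid_mismatch"].append((name, gid_o, gid_n))
        if mem_o != mem_n:
            report["member_mismatch"].append((name, sorted(mem_o - mem_n), sorted(mem_n - mem_o)))
    return report

if __name__ == "__main__":
    print(compare_groups(OLD_DUMP, NEW_DUMP))
```

On real hosts, feed it `getent group` output captured from each machine; a group that resolves but shows an empty member list on the new host (the symptom in this thread) appears under `member_mismatch`.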