Dear All,

I've found a strange behavior on Winbind + getent group.

If there are AD/winbind groups that don't have any unix gid, getent group will only show local groups.

If all the AD/winbind groups have a unix gid, getent will reply with all the groups I have, including the AD/winbind groups.

Do we have any bugs reported on this?

Thank You.
Hai Chan,

Same here. ( sernet samba 4.1.9 on debian wheezy ) ( member server )

I have only 1 group with GID ( Domain Users ) and 4 users with UID.

Both wbinfo -u and wbinfo -g show all users/groups.
getent passwd shows my 4 users.
getent group only shows my local groups,
but getent group "Domain Users" does show my GID on this group.

Is this what you mean?

This is as far as I know, but correct me if I'm wrong.

On the DC, if I enable winbind in /etc/nsswitch.conf ( don't use that by default ), I get all users/groups on wbinfo -u and -g, and the same for getent passwd and getent group: all my users and groups. But this is because of the differences between winbind on a DC and winbind on a member server.

Greetz,

Louis

>-----Original message-----
>From: dcmwai at gmail.com [mailto:samba-bounces at lists.samba.org]
>On behalf of Chan Min Wai
>Sent: Thursday 10 July 2014 7:26
>To: samba at lists.samba.org
>Subject: [Samba] Possible winbind bugs.
>
>Dear All,
>
>I've found a strange behavior on Winbind + getent group
>
>If there are AD/winbind group didn't have any unix gid...
>getent group will only show local group.
>
>
>If all the AD/winbind group have unix gid
>getent will reply with all the group I have included the
>AD/winbind group.
>
>Did we have any bugs reported on this?
>
>Thank You.
On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
> Dear All,
>
> I've found a strange behavior on Winbind + getent group
>
> If there are AD/winbind group didn't have any unix gid...
> getent group will only show local group.
>
>
> If all the AD/winbind group have unix gid
> getent will reply with all the group I have included the AD/winbind group.
>
> Did we have any bugs reported on this?
>
> Thank You.

Hi Chan

Lots of confusion here. I don't think it's a bug because it would be reasonable to expect that if we wish domain groups to behave as posix groups, then we must play by posix rules and include a gid. Otherwise nss knows nothing about them.

As we understand, must haves:

Domain groups: gidNumber
Domain users: uidNumber and gidNumber

The latter must be the gidNumber corresponding to the primaryGroupID for the user. As the default group for all new users is Domain Users, then make sure a minimum of that group has a gidNumber.

Test:

id user
getent group <domain group>
getent passwd user
groups user

If ANY of those fail to return they will not behave correctly.

HTH
Steve
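
The "must haves" listed in the reply above can be checked offline against an export of directory entries. The following is an added example, not code from the thread or from the Samba project; the dict layout, the domain SID and all uid/gid numbers are constructed for illustration, and the only directory facts it relies on are that primaryGroupID holds the RID of the user's primary group and that the RID is the last component of a group's objectSid.

```python
# Constructed sample entries (not from the thread); the dict layout is an assumption.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE = [
    {"name": "Domain Users", "kind": "group", "objectSid": DOMAIN_SID + "-513", "gidNumber": 10000},
    {"name": "Domain Admins", "kind": "group", "objectSid": DOMAIN_SID + "-512"},
    {"name": "alice", "kind": "user", "primaryGroupID": 513, "uidNumber": 10001, "gidNumber": 10000},
    {"name": "bob", "kind": "user", "primaryGroupID": 513, "uidNumber": 10002, "gidNumber": 10050},
    {"name": "carol", "kind": "user", "primaryGroupID": 512, "uidNumber": 10003},
]


def rid_of(sid):
    """The RID is the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def audit(entries):
    """Return (name, problem) pairs for entries that break the rules in the reply."""
    groups = {rid_of(e["objectSid"]): e for e in entries if e["kind"] == "group"}
    problems = []
    for e in entries:
        if e["kind"] == "group":
            if "gidNumber" not in e:
                problems.append((e["name"], "group has no gidNumber"))
            continue
        if "uidNumber" not in e:
            problems.append((e["name"], "user has no uidNumber"))
        if "gidNumber" not in e:
            problems.append((e["name"], "user has no gidNumber"))
            continue
        # The user's gidNumber must equal the gidNumber of the primary group.
        primary = groups.get(e.get("primaryGroupID"))
        if primary is None:
            problems.append((e["name"], "primary group not found"))
        elif "gidNumber" not in primary:
            problems.append((e["name"], "primary group has no gidNumber"))
        elif primary["gidNumber"] != e["gidNumber"]:
            problems.append((e["name"], "gidNumber %d does not match primary group %s (%d)"
                             % (e["gidNumber"], primary["name"], primary["gidNumber"])))
    return problems


if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print("%-14s %s" % (name, problem))
```

Entries flagged here are the ones for which the four test commands in the reply would be expected to fail or return incomplete results on a member server.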