samba - Oct 2016 - getent group [groupname] do not show users

On Wed, 5 Oct 2016 12:04:53 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:
> I just tested on some DC running also 4.4.5 and "getent group
> my_group" does not show groups content.
> 
> I read here
>
http://serverfault.com/questions/625416/samba-4-group-members-not-shown-in-getent-group
> a proposal to use samba-tool as a replacement but samba-tool is not
> available on member servers which make that workaround not usable in
> most cases...
> 
> 2016-10-05 11:40 GMT+02:00 mathias dufresne <infractory at
gmail.com>:
> 
> > Hi all,
> >
> > With Samba 4.4.5, on member servers (I did not tried yet on DCs),
> > using "getent group" with or without specifying a group name
groups
> > are shown but they are shown as empty groups, no user name is
> > displayed.
> >
> > Is there a way to make them displayed?
> >
> > Cheers,
> >
> > Mathias
> >
It has never worked on DC, but I use 4.4.4 on a domain member and if I
run 'getent group Domain\ Users' , I get all my users. 

You can use samba-tool on a domain member, you just need to point it at
a DC:

samba-tool group listmembers Domain\ Users -H ldap://dc1 -UAdministrator

Rowland

Hum, that's strange:

smbfs20:~# getent group Domain\ Users
domain users:x:3100035:

So no users displayed. smbfsXY are my test file servers, so members only.

Regarding usage of samba-tool on members for now it not possible as package
containing that tool is not installed on members. For now this stands as a
choice: samba-tool is very powerful and I'm not too fond to deploy on
machines which are not DC, where almost anyone can connect.

I expect a development choice for performance reasons to be the reason
"getent group [grpname]" does not show group's content. An option
to
activate or deactivate that behavior would have great!

Cheers

2016-10-05 12:22 GMT+02:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Wed, 5 Oct 2016 12:04:53 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > I just tested on some DC running also 4.4.5 and "getent group
> > my_group" does not show groups content.
> >
> > I read here
> > http://serverfault.com/questions/625416/samba-4-
> group-members-not-shown-in-getent-group
> > a proposal to use samba-tool as a replacement but samba-tool is not
> > available on member servers which make that workaround not usable in
> > most cases...
> >
> > 2016-10-05 11:40 GMT+02:00 mathias dufresne <infractory at
gmail.com>:
> >
> > > Hi all,
> > >
> > > With Samba 4.4.5, on member servers (I did not tried yet on DCs),
> > > using "getent group" with or without specifying a group
name groups
> > > are shown but they are shown as empty groups, no user name is
> > > displayed.
> > >
> > > Is there a way to make them displayed?
> > >
> > > Cheers,
> > >
> > > Mathias
> > >
>
> It has never worked on DC, but I use 4.4.4 on a domain member and if I
> run 'getent group Domain\ Users' , I get all my users.
>
> You can use samba-tool on a domain member, you just need to point it at
> a DC:
>
> samba-tool group listmembers Domain\ Users -H ldap://dc1 -UAdministrator
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

*"winbind expand groups" *was what I missed.
By default this option is set to 0 which means no users displayed in groups
(using getent)

Setting that option to 1 means "display users in groups but no
recursion"
Then 2 means 1 level of recursion in case of nested groups.

That option seems quite dangerous for performance when a lot of groups
exists, some are nested in others and you accept enumeration of groups
(using "getent groups" without specifying any group name).

2016-10-05 13:36 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> Hum, that's strange:
>
> smbfs20:~# getent group Domain\ Users
> domain users:x:3100035:
>
> So no users displayed. smbfsXY are my test file servers, so members only.
>
> Regarding usage of samba-tool on members for now it not possible as
> package containing that tool is not installed on members. For now this
> stands as a choice: samba-tool is very powerful and I'm not too fond to
> deploy on machines which are not DC, where almost anyone can connect.
>
> I expect a development choice for performance reasons to be the reason
> "getent group [grpname]" does not show group's content. An
option to
> activate or deactivate that behavior would have great!
>
> Cheers
>
> 2016-10-05 12:22 GMT+02:00 Rowland Penny via samba <samba at
lists.samba.org>
> :
>
>> On Wed, 5 Oct 2016 12:04:53 +0200
>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>>
>> > I just tested on some DC running also 4.4.5 and "getent group
>> > my_group" does not show groups content.
>> >
>> > I read here
>> > http://serverfault.com/questions/625416/samba-4-group-
>> members-not-shown-in-getent-group
>> > a proposal to use samba-tool as a replacement but samba-tool is
not
>> > available on member servers which make that workaround not usable
in
>> > most cases...
>> >
>> > 2016-10-05 11:40 GMT+02:00 mathias dufresne <infractory at
gmail.com>:
>> >
>> > > Hi all,
>> > >
>> > > With Samba 4.4.5, on member servers (I did not tried yet on
DCs),
>> > > using "getent group" with or without specifying a
group name groups
>> > > are shown but they are shown as empty groups, no user name is
>> > > displayed.
>> > >
>> > > Is there a way to make them displayed?
>> > >
>> > > Cheers,
>> > >
>> > > Mathias
>> > >
>>
>> It has never worked on DC, but I use 4.4.4 on a domain member and if I
>> run 'getent group Domain\ Users' , I get all my users.
>>
>> You can use samba-tool on a domain member, you just need to point it at
>> a DC:
>>
>> samba-tool group listmembers Domain\ Users -H ldap://dc1
-UAdministrator
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>
>