Hi,

I've been trying to work out how to get wbinfo to list members of a specific AD group, rather than list groups a specific user is in.

So far I have had no luck... In fact I'm not sure it's possible with wbinfo. Is there another tool which could do this?

James

--
Sent using Dekko from my Ubuntu device
On Mon, 30 Oct 2017 10:34:06 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> I've been trying to work out how to get wbinfo to list members of a
> specific AD group, rather than list groups a specific user is in.
>
> So far I have had no luck... In fact I'm not sure it's possible with
> wbinfo. Is there another tool which could do this?
>
> James

samba-tool group listmembers <groupname>

Rowland
I did come up with that option from Google, but wondered if it was only suitable if Samba was the AD controller, since that was always the context it was used in.

This is the result I get.

    root@hostname:~# samba-tool group listmembers groupname
    ERROR(ldb): Failed to list members of "groupname" group - ldb_search: invalid basedn '(null)'
    root@hostname:~#

Samba 4.6.7, smb.conf looks like this:-

    [global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LOCAL
    idmap config *:backend = tdb
    idmap config *:range = 95000-99999
    idmap config DOMAIN:backend = rid
    idmap config DOMAIN:range = 100000-999999
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U

Should I be passing it a basedn either in the command, or in the config somewhere?

James

October 30, 2017 10:49 AM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 30 Oct 2017 10:34:06 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I've been trying to work out how to get wbinfo to list members of a
>> specific AD group, rather than list groups a specific user is in.
>>
>> So far I have had no luck... In fact I'm not sure it's possible with
>> wbinfo. Is there another tool which could do this?
>>
>> James
>
> samba-tool group listmembers <groupname>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
On Mon, 30 Oct 2017 12:07:24 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> I did come up with that option from Google, but wondered if it was
> only suitable if Samba was the AD controller, since that was always
> the context it was used in.
>
> This is the result I get.
>
> root@hostname:~# samba-tool group listmembers groupname
> ERROR(ldb): Failed to list members of "groupname" group -
> ldb_search: invalid basedn '(null)'
> root@hostname:~#

Try something like this:

    root@devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
    rowland
It appears to hang for a very long time (up to 15 minutes) on "kinit for HOSTNAME$@DOMAIN.LOCAL succeeded" then it returns nothing.

I'm somewhat confused!

James

October 30, 2017 12:27 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 30 Oct 2017 12:07:24 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I did come up with that option from Google, but wondered if it was
>> only suitable if Samba was the AD controller, since that was always
>> the context it was used in.
>>
>> This is the result I get.
>>
>> root@hostname:~# samba-tool group listmembers groupname
>> ERROR(ldb): Failed to list members of "groupname" group -
>> ldb_search: invalid basedn '(null)'
>> root@hostname:~#
>
> Try something like this:
>
> root@devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
> rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
Oh, I assumed you meant -d10, since -d0 turns off all debug output, so the output is long, but I get:-

    .
    .
    .
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'naclrpc_as_system' registered
    GENSEC backend 'sasl-EXTERNAL' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'ntlmssp_resume_ccache' registered
    GENSEC backend 'http_basic' registered
    GENSEC backend 'http_ntlm' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    Starting GENSEC mechanism spnego
    Starting GENSEC submechanism gssapi_krb5
    Timed out smb_krb5 packet
    Timed out smb_krb5 packet
    Received smb_krb5 packet of length 234
    Timed out smb_krb5 packet
    Timed out smb_krb5 packet
    Received smb_krb5 packet of length 108
    kinit for HOSTNAME$@DOMAIN.LOCAL succeeded
    gensec_gssapi: NO credentials were delegated
    GSSAPI Connection will be cryptographically signed
    $

October 30, 2017 2:10 PM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> It appears to hang for a very long time (up to 15 minutes) on "kinit for HOSTNAME$@DOMAIN.LOCAL
> succeeded"
> then it returns nothing.
>
> I'm somewhat confused!
>
> James
>
> October 30, 2017 12:27 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
>
>> On Mon, 30 Oct 2017 12:07:24 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>
>>> I did come up with that option from Google, but wondered if it was
>>> only suitable if Samba was the AD controller, since that was always
>>> the context it was used in.
>>>
>>> This is the result I get.
>>>
>>> root@hostname:~# samba-tool group listmembers groupname
>>> ERROR(ldb): Failed to list members of "groupname" group -
>>> ldb_search: invalid basedn '(null)'
>>> root@hostname:~#
>>
>> Try something like this:
>>
>> root@devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
>> rowland
>
> --
> A. James Lewis (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."