Hi Rowland,

The group was in /etc/group and LDAP. Post the AD migration, the group didn't show up in AD. We then added the group in AD, will check if it has a gid number. If AD doesn't have a gid, can I remove the group from /etc/group and assign it the same gid in AD?

The group in question was one of many which had the same issue, hence the question about importing missed groups in AD.

Regards,
Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, 13 April 2018 9:24 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Issues post AD migration

On Fri, 13 Apr 2018 09:56:34 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The issue seems to be due to the groups who decided not to show up in
> AD. Strangely, even when we added the group with the same name in the
> AD, it didn't resolve the issue. Even though smb.conf dictates that
> the user has to be a member of a group with that name. Using getent
> group, we can see the group. Does Samba hold on to the SID of the
> group somehow?
>
> Is there a way to get those lost groups in AD ;)

Not sure I fully understand what you are saying here, are you saying that you have a group in /etc/group but not in AD and you have now added this group to AD?

If so, delete the group in /etc/group and ensure the group in AD has a gidNumber. You will probably have to run 'net cache flush' after making the changes.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Fri, 13 Apr 2018 11:50:55 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The group was in /etc/group and LDAP. Post the AD migration, the
> group didn't show up in AD. We then added the group in AD, will check
> if it has a gid number. If AD doesn't have a gid, can I remove the
> group from /etc/group and assign it the same gid in AD?
>
> The group in question was one of many which had the same issue, hence
> the question about importing missed groups in AD.
>

First things first, you cannot have users or groups in /etc/passwd or /etc/group and in AD. To be an AD user or group, they must exist only in AD.

If you have groups in /etc/group that didn't make it to your AD, then this is probably because they were mapped to other domain groups.

If you need these groups in AD, then you will have to create them in AD manually, but you will very probably have to remove them from /etc/group first. You can use the gidNumber from /etc/group when creating the group in AD.

As far as Samba AD is concerned, you only need uidNumber & gidNumber attributes if anything is stored on a Unix machine; Windows will ignore them.

Rowland
On Fri, Apr 13, 2018 at 8:26 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 13 Apr 2018 11:50:55 +0000
> Praveen Ghimire <PGhimire at sundata.com.au> wrote:
>
>> Hi Rowland,
>>
>> The group was in /etc/group and LDAP. Post the AD migration, the
>> group didn't show up in AD. We then added the group in AD, will check
>> if it has a gid number. If AD doesn't have a gid, can I remove the
>> group from /etc/group and assign it the same gid in AD?
>>
>> The group in question was one of many which had the same issue, hence
>> the question about importing missed groups in AD.
>>
>
> First things first, you cannot have users or groups in /etc/passwd
> or /etc/group and in AD. To be an AD user or group, they must exist
> only in AD.

Well, you *can* have local groups and users that are also in AD. They're resolved on Linux systems and in Cygwin in the order specified in /etc/nsswitch.conf. It's precisely how you can list a local user, with a different local password, to provide shell access and especially sudo access if the Samba or AD server goes toes up.

They can also be the source of endless confusion if they don't match uid, gid, group members, home directory, etc., etc., etc. But they can cause endless confusion, especially if they are inconsistent. It's generally safest to list them strictly in AD.
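The checks the thread converges on (a group must not live in both /etc/group and AD, the AD copy needs a gidNumber, and the `files`/`winbind` order in nsswitch.conf decides which copy wins) can be run as a reconciliation script before and after a migration. The script below is an added example, not code from the thread or from the Samba project; the /etc/group text, the LDIF-style AD export and the nsswitch.conf fragment are constructed inputs, and the group names, GIDs and DN suffix are assumptions. It also reports a case the thread only hints at: two differently named groups sharing one GID across the two sources.

```python
"""Reconcile local /etc/group entries against an export of AD groups.

Constructed example: every name, GID and DN below is made up for the
demonstration. The attribute names (cn, gidNumber) are the standard
AD / RFC 2307 ones; nothing here talks to a live directory.
"""
import re
from collections import namedtuple

LocalGroup = namedtuple("LocalGroup", "name gid members")
AdGroup = namedtuple("AdGroup", "name gid")

# Constructed /etc/group content.
ETC_GROUP = """\
root:x:0:
finance:x:10001:alice,bob
engineering:x:10002:carol
legacyapp:x:10003:dave
"""

# Constructed LDIF-style export of AD groups ('engineering' was created
# in AD without a gidNumber; 'sales' reuses the GID that 'legacyapp'
# still holds locally).
AD_LDIF = """\
dn: CN=finance,CN=Users,DC=example,DC=com
cn: finance
gidNumber: 10001

dn: CN=engineering,CN=Users,DC=example,DC=com
cn: engineering

dn: CN=sales,CN=Users,DC=example,DC=com
cn: sales
gidNumber: 10003
"""

# Constructed nsswitch.conf fragment: 'files' is consulted before 'winbind'.
NSSWITCH = """\
passwd: files winbind
group:  files winbind
"""


def parse_etc_group(text):
    """Parse /etc/group lines (name:passwd:gid:members) into a dict by name."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = LocalGroup(name, int(gid), tuple(m for m in members.split(",") if m))
    return groups


def parse_ad_ldif(text):
    """Parse blank-line separated LDIF records; gid is None when gidNumber is absent."""
    groups = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if "cn" not in attrs:
            continue
        gid = attrs.get("gidNumber")
        groups[attrs["cn"]] = AdGroup(attrs["cn"], int(gid) if gid is not None else None)
    return groups


def parse_nsswitch(text, database="group"):
    """Return the ordered list of NSS sources for one database (e.g. ['files', 'winbind'])."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            return sources.split()
    return []


def files_resolve_first(sources):
    """True when a local /etc/group entry shadows the AD entry of the same name."""
    return "files" in sources and ("winbind" not in sources
                                   or sources.index("files") < sources.index("winbind"))


def reconcile(local, ad, sources, min_gid=1000):
    """Flag the conditions discussed in the thread; system groups below min_gid are ignored."""
    ad_by_gid = {g.gid: g.name for g in ad.values() if g.gid is not None}
    collisions = sorted((g.name, ad_by_gid[g.gid], g.gid) for g in local.values()
                        if g.gid in ad_by_gid and ad_by_gid[g.gid] != g.name)
    return {
        "lookup_order": sources,
        "files_shadow_ad": files_resolve_first(sources),
        "in_both": sorted(set(local) & set(ad)),                      # must be removed from /etc/group
        "ad_missing_gid": sorted(n for n, g in ad.items() if g.gid is None),
        "gid_collision": collisions,                                  # same GID, different names
        "local_only": sorted(n for n, g in local.items() if n not in ad and g.gid >= min_gid),
    }


if __name__ == "__main__":
    result = reconcile(parse_etc_group(ETC_GROUP), parse_ad_ldif(AD_LDIF), parse_nsswitch(NSSWITCH))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed data the report shows `finance` and `engineering` present in both sources (and, because `files` precedes `winbind`, the local copies are the ones `getent group` returns), `engineering` lacking a gidNumber in AD, `legacyapp`/`sales` colliding on GID 10003, and `legacyapp` never having reached AD. On a real host the two inputs would come from `/etc/group` and an LDIF export of the domain's groups, and the `in_both` and `ad_missing_gid` lists are the ones to clear before running `net cache flush`.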