samba - May 2020 - default backend = rid not showing full group information for users

Hello everybody,

I am trying to use the backend = rid but it is not showing me group 
information of the users after adding the user to the domain groups...

What should I do to have the full group info for the users available?

https://wiki.samba.org/index.php/Idmap_config_rid
# All domain's user accounts and groups are automatically available on 
the domain member.

root at s4ad01:~# samba-tool group listmembers "office"
ldb_wrap open of secrets.ldb
lgaga
jdoe

root at samba01:~# wbinfo --group-info=office
office:x:11106:jdoe,lgaga

oot at samba01:~# id jdoe
uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
users),11157(jdoe),3001(BUILTIN\users)

root at samba01:~# id lgaga
uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
users),11155(lgaga),3001(BUILTIN\users)


root at samba01:~# cat /etc/samba/smb.conf
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.POWERCRAFT.NL

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    username map = /usr/local/samba/etc/user.map

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SAMDOM:backend = rid
#  idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
#  idmap config SAMDOM:unix_nss_info = yes

    template shell = /bin/bash
    template homedir = /home/%U

#  idmap config SAMDOM:unix_primary_group = yes

    winbind enum users = yes
    winbind enum groups = yes
#  winbind expand groups = 1

> I am trying to use the backend = rid but it is not showing me group 
> information of the users after adding the user to the domain groups...
> root at samba01:~# id jdoe
> root at samba01:~# id lgaga
What are your entries for 'passwd' and 'group' in
'/etc/nsswitch.conf'? I
suppose winbind should be there. In my case:

passwd:     files winbind
group:      files winbind

On 2020-05-01 02:12, miguel medalha wrote:
>> I am trying to use the backend = rid but it is not showing me group
>> information of the users after adding the user to the domain groups...
> 
>> root at samba01:~# id jdoe
>> root at samba01:~# id lgaga
> 
> What are your entries for 'passwd' and 'group' in
'/etc/nsswitch.conf'? I
> suppose winbind should be there. In my case:
> 
> passwd:     files winbind
> group:      files winbind
root at samba01:~# cat /etc/nsswitch.conf  | grep winbind
passwd:         files winbind
group:          files winbind

Am I wrong to expect that id user and getent group should list me the 
groups the user is part of.

For example wbinfo --group-info=office shows me that user jdoe and lgaga 
are part of the group, but then when doing id jdoe or id lgaga the 
office group is not shown, neither in getent group.

What should I change in my config to have full group information working?

root at samba01:~# wbinfo --group-info=development
development:x:11111:jdoe

root at samba01:~# wbinfo --group-info=office
office:x:11106:lgaga,jdoe

root at samba01:~# getent passwd lgaga
lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash

root at samba01:~# getent passwd jdoe
jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash

root at samba01:~# id jdoe
uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
users),11157(jdoe),3001(BUILTIN\users)

root at samba01:~# id lgaga
uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
users),11155(lgaga),3001(BUILTIN\users)

On 2020-05-01 02:00, Jelle de Jong via samba wrote:
> Hello everybody,
> 
> I am trying to use the backend = rid but it is not showing me group 
> information of the users after adding the user to the domain groups...
> 
> What should I do to have the full group info for the users available?
> 
> https://wiki.samba.org/index.php/Idmap_config_rid
> # All domain's user accounts and groups are automatically available on 
> the domain member.
> 
> root at s4ad01:~# samba-tool group listmembers "office"
> ldb_wrap open of secrets.ldb
> lgaga
> jdoe
> 
> root at samba01:~# wbinfo --group-info=office
> office:x:11106:jdoe,lgaga
> 
> oot at samba01:~# id jdoe
> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
> users),11157(jdoe),3001(BUILTIN\users)
> 
> root at samba01:~# id lgaga
> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
> users),11155(lgaga),3001(BUILTIN\users)
> 
> 
> root at samba01:~# cat /etc/samba/smb.conf
> [global]
>  ?? workgroup = SAMDOM
>  ?? security = ADS
>  ?? realm = SAMDOM.POWERCRAFT.NL
> 
>  ?? winbind refresh tickets = Yes
>  ?? vfs objects = acl_xattr
>  ?? map acl inherit = Yes
>  ?? store dos attributes = Yes
> 
>  ?? dedicated keytab file = /etc/krb5.keytab
>  ?? kerberos method = secrets and keytab
> 
>  ?? winbind use default domain = yes
> 
>  ?? load printers = no
>  ?? printing = bsd
>  ?? printcap name = /dev/null
>  ?? disable spoolss = yes
> 
>  ?? username map = /usr/local/samba/etc/user.map
> 
>  ?? log file = /var/log/samba/%m.log
>  ?? log level = 1
> 
>  ?? idmap config * : backend = tdb
>  ?? idmap config * : range = 3000-7999
> 
>  ?? idmap config SAMDOM:backend = rid
> #? idmap config SAMDOM:schema_mode = rfc2307
>  ?? idmap config SAMDOM:range = 10000-999999
> #? idmap config SAMDOM:unix_nss_info = yes
> 
>  ?? template shell = /bin/bash
>  ?? template homedir = /home/%U
> 
> #? idmap config SAMDOM:unix_primary_group = yes
> 
>  ?? winbind enum users = yes
>  ?? winbind enum groups = yes
> #? winbind expand groups = 1
>

On 02/05/2020 15:07, Jelle de Jong via samba wrote:
> Am I wrong to expect that id user and getent group should list me the 
> groups the user is part of.
>
> For example wbinfo --group-info=office shows me that user jdoe and 
> lgaga are part of the group, but then when doing id jdoe or id lgaga 
> the office group is not shown, neither in getent group.
>
> What should I change in my config to have full group information working?
>
> root at samba01:~# wbinfo --group-info=development
> development:x:11111:jdoe
>
> root at samba01:~# wbinfo --group-info=office
> office:x:11106:lgaga,jdoe
>
> root at samba01:~# getent passwd lgaga
> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>
> root at samba01:~# getent passwd jdoe
> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>
> root at samba01:~# id jdoe
> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
> users),11157(jdoe),3001(BUILTIN\users)
>
> root at samba01:~# id lgaga
> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
> users),11155(lgaga),3001(BUILTIN\users)
>
> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>> Hello everybody,
>>
>> I am trying to use the backend = rid but it is not showing me group 
>> information of the users after adding the user to the domain groups...
>>
>> What should I do to have the full group info for the users available?
Get the user to login ;-)
>>
>> https://wiki.samba.org/index.php/Idmap_config_rid
>> # All domain's user accounts and groups are automatically available
>> on the domain member.
That means that all user accounts will be shown by 'getent passwd' and 
all groups will be shown by 'getent group', it doesn't mean that
'id'
will show every group a user is a member of. You can only be sure of 
getting a full list of a users groups if the user has logged in.

Rowland

Which Debian version do you use? Because in either version (0 oer 10) in
nsswitch.conf is wirtten "files winbind" in Debian 9 it's
"compat
winbind" and in 10 it's "files systemd winbind" so you
removed (I think)
systemd maybe you should put it back in


Am 01.05.20 um 02:12 schrieb miguel medalha via samba:
>> I am trying to use the backend = rid but it is not showing me group 
>> information of the users after adding the user to the domain groups...
> 
>> root at samba01:~# id jdoe
>> root at samba01:~# id lgaga
> 
> What are your entries for 'passwd' and 'group' in
'/etc/nsswitch.conf'? I
> suppose winbind should be there. In my case:
> 
> passwd:     files winbind
> group:      files winbind
> 
> 
>