Rowland penny
2020-May-02 14:42 UTC
[Samba] default backend = rid not showing full group information for users
On 02/05/2020 15:07, Jelle de Jong via samba wrote:> Am I wrong to expect that id user and getent group should list me the > groups the user is part of. > > For example wbinfo --group-info=office shows me that user jdoe and > lgaga are part of the group, but then when doing id jdoe or id lgaga > the office group is not shown, neither in getent group. > > What should I change in my config to have full group information working? > > root at samba01:~# wbinfo --group-info=development > development:x:11111:jdoe > > root at samba01:~# wbinfo --group-info=office > office:x:11106:lgaga,jdoe > > root at samba01:~# getent passwd lgaga > lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash > > root at samba01:~# getent passwd jdoe > jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash > > root at samba01:~# id jdoe > uid=11157(jdoe) gid=10513(domain users) groups=10513(domain > users),11157(jdoe),3001(BUILTIN\users) > > root at samba01:~# id lgaga > uid=11155(lgaga) gid=10513(domain users) groups=10513(domain > users),11155(lgaga),3001(BUILTIN\users) > > On 2020-05-01 02:00, Jelle de Jong via samba wrote: >> Hello everybody, >> >> I am trying to use the backend = rid but it is not showing me group >> information of the users after adding the user to the domain groups... >> >> What should I do to have the full group info for the users available?Get the user to login ;-)>> >> https://wiki.samba.org/index.php/Idmap_config_rid >> # All domain's user accounts and groups are automatically available >> on the domain member.That means that all user accounts will be shown by 'getent passwd' and all groups will be shown by 'getent group', it doesn't mean that 'id' will show every group a user is a member of. You can only be sure of getting a full list of a users groups if the user has logged in. Rowland
Jelle de Jong
2020-May-02 17:59 UTC
[Samba] default backend = rid not showing full group information for users
On 2020-05-02 16:42, Rowland penny via samba wrote:> On 02/05/2020 15:07, Jelle de Jong via samba wrote: >> Am I wrong to expect that id user and getent group should list me the >> groups the user is part of. >> >> For example wbinfo --group-info=office shows me that user jdoe and >> lgaga are part of the group, but then when doing id jdoe or id lgaga >> the office group is not shown, neither in getent group. >> >> What should I change in my config to have full group information working? >> >> root at samba01:~# wbinfo --group-info=development >> development:x:11111:jdoe >> >> root at samba01:~# wbinfo --group-info=office >> office:x:11106:lgaga,jdoe >> >> root at samba01:~# getent passwd lgaga >> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash >> >> root at samba01:~# getent passwd jdoe >> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash >> >> root at samba01:~# id jdoe >> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain >> users),11157(jdoe),3001(BUILTIN\users) >> >> root at samba01:~# id lgaga >> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain >> users),11155(lgaga),3001(BUILTIN\users) >> >> On 2020-05-01 02:00, Jelle de Jong via samba wrote: >>> Hello everybody, >>> >>> I am trying to use the backend = rid but it is not showing me group >>> information of the users after adding the user to the domain groups... >>> >>> What should I do to have the full group info for the users available? > Get the user to login ;-) >>> >>> https://wiki.samba.org/index.php/Idmap_config_rid >>> # All domain's user accounts and groups are automatically available >>> on the domain member. > > That means that all user accounts will be shown by 'getent passwd' and > all groups will be shown by 'getent group', it doesn't mean that 'id' > will show every group a user is a member of. You can only be sure of > getting a full list of a users groups if the user has logged in.So I log in as user jdoe and I still do not have access to the group...: jdoe at samba01:~$ getent group | grep jdoe development:x:11111:jdoe office:x:11106:jdoe,lgaga domain users:x:10513:jdoe,lgaga,administrator,krbtgt jdoe at samba01:~$ id jdoe uid=11157(jdoe) gid=10513(domain users) groups=10513(domain users),11157(jdoe),3001(BUILTIN\users) jdoe at samba01:~$ touch test.txt jdoe at samba01:~$ chgrp "domain users" test.txt #works!! jdoe at samba01:~$ chgrp office test.txt chgrp: changing group of 'test.txt': Operation not permitted Why are the group development and office not available for the users part of this group? Kind regards, Jelle de Jong
Rowland penny
2020-May-02 18:20 UTC
[Samba] default backend = rid not showing full group information for users
On 02/05/2020 18:59, Jelle de Jong via samba wrote:> On 2020-05-02 16:42, Rowland penny via samba wrote: >> On 02/05/2020 15:07, Jelle de Jong via samba wrote: >>> Am I wrong to expect that id user and getent group should list me >>> the groups the user is part of. >>> >>> For example wbinfo --group-info=office shows me that user jdoe and >>> lgaga are part of the group, but then when doing id jdoe or id lgaga >>> the office group is not shown, neither in getent group. >>> >>> What should I change in my config to have full group information >>> working? >>> >>> root at samba01:~# wbinfo --group-info=development >>> development:x:11111:jdoe >>> >>> root at samba01:~# wbinfo --group-info=office >>> office:x:11106:lgaga,jdoe >>> >>> root at samba01:~# getent passwd lgaga >>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash >>> >>> root at samba01:~# getent passwd jdoe >>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash >>> >>> root at samba01:~# id jdoe >>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain >>> users),11157(jdoe),3001(BUILTIN\users) >>> >>> root at samba01:~# id lgaga >>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain >>> users),11155(lgaga),3001(BUILTIN\users) >>> >>> On 2020-05-01 02:00, Jelle de Jong via samba wrote: >>>> Hello everybody, >>>> >>>> I am trying to use the backend = rid but it is not showing me group >>>> information of the users after adding the user to the domain groups... >>>> >>>> What should I do to have the full group info for the users available? >> Get the user to login ;-) >>>> >>>> https://wiki.samba.org/index.php/Idmap_config_rid >>>> # All domain's user accounts and groups are automatically available >>>> on the domain member. >> >> That means that all user accounts will be shown by 'getent passwd' >> and all groups will be shown by 'getent group', it doesn't mean that >> 'id' will show every group a user is a member of. You can only be >> sure of getting a full list of a users groups if the user has logged in. > > So I log in as user jdoe and I still do not have access to the group...: > > jdoe at samba01:~$ getent group | grep jdoe > development:x:11111:jdoe > office:x:11106:jdoe,lgaga > domain users:x:10513:jdoe,lgaga,administrator,krbtgt > > jdoe at samba01:~$ id jdoe > uid=11157(jdoe) gid=10513(domain users) groups=10513(domain > users),11157(jdoe),3001(BUILTIN\users) > > jdoe at samba01:~$ touch test.txt > jdoe at samba01:~$ chgrp "domain users" test.txt #works!! > jdoe at samba01:~$ chgrp office test.txt > chgrp: changing group of 'test.txt': Operation not permitted > > Why are the group development and office not available for the users > part of this group? > > Kind regards, > > Jelle de Jong >I think you should show us the AD objects for 'jdoe' & 'lgaga' Rowland
miguel medalha
2020-May-02 18:53 UTC
[Samba] default backend = rid not showing full group information for users
>> That means that all user accounts will be shown by 'getent passwd' and >> all groups will be shown by 'getent group', it doesn't mean that 'id' >> will show every group a user is a member of. You can only be sure of >> getting a full list of a users groups if the user has logged in.Well, 'id' is showing me ALL the groups every single user is a member of. Even for users belonging to 5 or 6 groups. I just confirmed it and nobody is logged in today. Like the OP, I use the RID backend.
miguel medalha
2020-May-02 19:09 UTC
[Samba] default backend = rid not showing full group information for users
> Well, 'id' is showing me ALL the groups every single user is a member of.Even for users belonging to 5> or 6 groups. I just confirmed it and nobody is logged in today. Like theOP, I use the RID backend. I also confirmed that 'id' shows me all the groups of certain users that exist in AD for certain special purposes but that have NEVER logged in and never will.
Maybe Matching Threads
- default backend = rid not showing full group information for users
- default backend = rid not showing full group information for users
- default backend = rid not showing full group information for users
- default backend = rid not showing full group information for users
- default backend = rid not showing full group information for users