samba - May 2020 - default backend = rid not showing full group information for users

On 02/05/2020 15:07, Jelle de Jong via samba wrote:
> Am I wrong to expect that id user and getent group should list me the 
> groups the user is part of.
>
> For example wbinfo --group-info=office shows me that user jdoe and 
> lgaga are part of the group, but then when doing id jdoe or id lgaga 
> the office group is not shown, neither in getent group.
>
> What should I change in my config to have full group information working?
>
> root at samba01:~# wbinfo --group-info=development
> development:x:11111:jdoe
>
> root at samba01:~# wbinfo --group-info=office
> office:x:11106:lgaga,jdoe
>
> root at samba01:~# getent passwd lgaga
> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>
> root at samba01:~# getent passwd jdoe
> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>
> root at samba01:~# id jdoe
> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
> users),11157(jdoe),3001(BUILTIN\users)
>
> root at samba01:~# id lgaga
> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
> users),11155(lgaga),3001(BUILTIN\users)
>
> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>> Hello everybody,
>>
>> I am trying to use the backend = rid but it is not showing me group 
>> information of the users after adding the user to the domain groups...
>>
>> What should I do to have the full group info for the users available?
Get the user to login ;-)
>>
>> https://wiki.samba.org/index.php/Idmap_config_rid
>> # All domain's user accounts and groups are automatically available
>> on the domain member.
That means that all user accounts will be shown by 'getent passwd' and 
all groups will be shown by 'getent group', it doesn't mean that
'id'
will show every group a user is a member of. You can only be sure of 
getting a full list of a users groups if the user has logged in.

Rowland

On 2020-05-02 16:42, Rowland penny via samba wrote:
> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>> Am I wrong to expect that id user and getent group should list me the 
>> groups the user is part of.
>>
>> For example wbinfo --group-info=office shows me that user jdoe and 
>> lgaga are part of the group, but then when doing id jdoe or id lgaga 
>> the office group is not shown, neither in getent group.
>>
>> What should I change in my config to have full group information
working?
>>
>> root at samba01:~# wbinfo --group-info=development
>> development:x:11111:jdoe
>>
>> root at samba01:~# wbinfo --group-info=office
>> office:x:11106:lgaga,jdoe
>>
>> root at samba01:~# getent passwd lgaga
>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>
>> root at samba01:~# getent passwd jdoe
>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>
>> root at samba01:~# id jdoe
>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
>> users),11157(jdoe),3001(BUILTIN\users)
>>
>> root at samba01:~# id lgaga
>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
>> users),11155(lgaga),3001(BUILTIN\users)
>>
>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>> Hello everybody,
>>>
>>> I am trying to use the backend = rid but it is not showing me group
>>> information of the users after adding the user to the domain
groups...
>>>
>>> What should I do to have the full group info for the users
available?
> Get the user to login ;-)
>>>
>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>> # All domain's user accounts and groups are automatically
available
>>> on the domain member.
> 
> That means that all user accounts will be shown by 'getent passwd'
and
> all groups will be shown by 'getent group', it doesn't mean
that 'id'
> will show every group a user is a member of. You can only be sure of 
> getting a full list of a users groups if the user has logged in.
So I log in as user jdoe and I still do not have access to the group...:

jdoe at samba01:~$ getent group | grep jdoe
development:x:11111:jdoe
office:x:11106:jdoe,lgaga
domain users:x:10513:jdoe,lgaga,administrator,krbtgt

jdoe at samba01:~$ id jdoe
uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
users),11157(jdoe),3001(BUILTIN\users)

jdoe at samba01:~$ touch test.txt
jdoe at samba01:~$ chgrp "domain users" test.txt #works!!
jdoe at samba01:~$ chgrp office test.txt
chgrp: changing group of 'test.txt': Operation not permitted

Why are the group development and office not available for the users 
part of this group?

Kind regards,

Jelle de Jong

On 02/05/2020 18:59, Jelle de Jong via samba wrote:
> On 2020-05-02 16:42, Rowland penny via samba wrote:
>> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>>> Am I wrong to expect that id user and getent group should list me 
>>> the groups the user is part of.
>>>
>>> For example wbinfo --group-info=office shows me that user jdoe and 
>>> lgaga are part of the group, but then when doing id jdoe or id
lgaga
>>> the office group is not shown, neither in getent group.
>>>
>>> What should I change in my config to have full group information 
>>> working?
>>>
>>> root at samba01:~# wbinfo --group-info=development
>>> development:x:11111:jdoe
>>>
>>> root at samba01:~# wbinfo --group-info=office
>>> office:x:11106:lgaga,jdoe
>>>
>>> root at samba01:~# getent passwd lgaga
>>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>>
>>> root at samba01:~# getent passwd jdoe
>>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>>
>>> root at samba01:~# id jdoe
>>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
>>> users),11157(jdoe),3001(BUILTIN\users)
>>>
>>> root at samba01:~# id lgaga
>>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain 
>>> users),11155(lgaga),3001(BUILTIN\users)
>>>
>>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>>> Hello everybody,
>>>>
>>>> I am trying to use the backend = rid but it is not showing me
group
>>>> information of the users after adding the user to the domain
groups...
>>>>
>>>> What should I do to have the full group info for the users
available?
>> Get the user to login ;-)
>>>>
>>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>>> # All domain's user accounts and groups are automatically
available
>>>> on the domain member.
>>
>> That means that all user accounts will be shown by 'getent
passwd'
>> and all groups will be shown by 'getent group', it doesn't
mean that
>> 'id' will show every group a user is a member of. You can only
be
>> sure of getting a full list of a users groups if the user has logged
in.
>
> So I log in as user jdoe and I still do not have access to the group...:
>
> jdoe at samba01:~$ getent group | grep jdoe
> development:x:11111:jdoe
> office:x:11106:jdoe,lgaga
> domain users:x:10513:jdoe,lgaga,administrator,krbtgt
>
> jdoe at samba01:~$ id jdoe
> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
> users),11157(jdoe),3001(BUILTIN\users)
>
> jdoe at samba01:~$ touch test.txt
> jdoe at samba01:~$ chgrp "domain users" test.txt #works!!
> jdoe at samba01:~$ chgrp office test.txt
> chgrp: changing group of 'test.txt': Operation not permitted
>
> Why are the group development and office not available for the users 
> part of this group?
>
> Kind regards,
>
> Jelle de Jong
>
I think you should show us the AD objects for 'jdoe' &
'lgaga'

Rowland

>> That means that all user accounts will be shown by 'getent
passwd' and
>> all groups will be shown by 'getent group', it doesn't mean
that 'id'
>> will show every group a user is a member of. You can only be sure of 
>> getting a full list of a users groups if the user has logged in.
Well, 'id' is showing me ALL the groups every single user is a member
of.
Even for users belonging to 5 or 6 groups. I just confirmed it and nobody is
logged in today. Like the OP, I use the RID backend.

> Well, 'id' is showing me ALL the groups every single user is a
member of.
Even for users belonging to 5 
> or 6 groups. I just confirmed it and nobody is logged in today. Like the
OP, I use the RID backend.

I also confirmed that 'id' shows me all the groups of certain users that
exist in AD for certain special purposes but that have NEVER logged in and
never will.