Rowland penny
2020-May-02 18:20 UTC
[Samba] default backend = rid not showing full group information for users
On 02/05/2020 18:59, Jelle de Jong via samba wrote:
> On 2020-05-02 16:42, Rowland penny via samba wrote:
>> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>>> Am I wrong to expect that id user and getent group should list me
>>> the groups the user is part of.
>>>
>>> For example wbinfo --group-info=office shows me that user jdoe and
>>> lgaga are part of the group, but then when doing id jdoe or id lgaga
>>> the office group is not shown, neither in getent group.
>>>
>>> What should I change in my config to have full group information
>>> working?
>>>
>>> root at samba01:~# wbinfo --group-info=development
>>> development:x:11111:jdoe
>>>
>>> root at samba01:~# wbinfo --group-info=office
>>> office:x:11106:lgaga,jdoe
>>>
>>> root at samba01:~# getent passwd lgaga
>>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>>
>>> root at samba01:~# getent passwd jdoe
>>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>>
>>> root at samba01:~# id jdoe
>>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain
>>> users),11157(jdoe),3001(BUILTIN\users)
>>>
>>> root at samba01:~# id lgaga
>>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain
>>> users),11155(lgaga),3001(BUILTIN\users)
>>>
>>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>>> Hello everybody,
>>>>
>>>> I am trying to use the backend = rid but it is not showing me group
>>>> information of the users after adding the user to the domain groups...
>>>>
>>>> What should I do to have the full group info for the users available?
>> Get the user to login ;-)
>>>>
>>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>>> # All domain's user accounts and groups are automatically available
>>>> on the domain member.
>>
>> That means that all user accounts will be shown by 'getent passwd'
>> and all groups will be shown by 'getent group', it doesn't mean that
>> 'id' will show every group a user is a member of. You can only be
>> sure of getting a full list of a users groups if the user has logged in.
>
> So I log in as user jdoe and I still do not have access to the group...:
>
> jdoe at samba01:~$ getent group | grep jdoe
> development:x:11111:jdoe
> office:x:11106:jdoe,lgaga
> domain users:x:10513:jdoe,lgaga,administrator,krbtgt
>
> jdoe at samba01:~$ id jdoe
> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain
> users),11157(jdoe),3001(BUILTIN\users)
>
> jdoe at samba01:~$ touch test.txt
> jdoe at samba01:~$ chgrp "domain users" test.txt #works!!
> jdoe at samba01:~$ chgrp office test.txt
> chgrp: changing group of 'test.txt': Operation not permitted
>
> Why are the group development and office not available for the users
> part of this group?
>
> Kind regards,
>
> Jelle de Jong
>

I think you should show us the AD objects for 'jdoe' & 'lgaga'

Rowland
Jelle de Jong
2020-May-02 18:28 UTC
[Samba] default backend = rid not showing full group information for users
On 2020-05-02 20:20, Rowland penny via samba wrote:
> On 02/05/2020 18:59, Jelle de Jong via samba wrote:
>> On 2020-05-02 16:42, Rowland penny via samba wrote:
>>> On 02/05/2020 15:07, Jelle de Jong via samba wrote:
>>>> Am I wrong to expect that id user and getent group should list me
>>>> the groups the user is part of.
>>>>
>>>> For example wbinfo --group-info=office shows me that user jdoe and
>>>> lgaga are part of the group, but then when doing id jdoe or id lgaga
>>>> the office group is not shown, neither in getent group.
>>>>
>>>> What should I change in my config to have full group information
>>>> working?
>>>>
>>>> root at samba01:~# wbinfo --group-info=development
>>>> development:x:11111:jdoe
>>>>
>>>> root at samba01:~# wbinfo --group-info=office
>>>> office:x:11106:lgaga,jdoe
>>>>
>>>> root at samba01:~# getent passwd lgaga
>>>> lgaga:*:11155:10513:Lady Gaga:/home/lgaga:/bin/bash
>>>>
>>>> root at samba01:~# getent passwd jdoe
>>>> jdoe:*:11157:10513:John Doe:/home/jdoe:/bin/bash
>>>>
>>>> root at samba01:~# id jdoe
>>>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain
>>>> users),11157(jdoe),3001(BUILTIN\users)
>>>>
>>>> root at samba01:~# id lgaga
>>>> uid=11155(lgaga) gid=10513(domain users) groups=10513(domain
>>>> users),11155(lgaga),3001(BUILTIN\users)
>>>>
>>>> On 2020-05-01 02:00, Jelle de Jong via samba wrote:
>>>>> Hello everybody,
>>>>>
>>>>> I am trying to use the backend = rid but it is not showing me group
>>>>> information of the users after adding the user to the domain groups...
>>>>>
>>>>> What should I do to have the full group info for the users available?
>>> Get the user to login ;-)
>>>>>
>>>>> https://wiki.samba.org/index.php/Idmap_config_rid
>>>>> # All domain's user accounts and groups are automatically available
>>>>> on the domain member.
>>>
>>> That means that all user accounts will be shown by 'getent passwd'
>>> and all groups will be shown by 'getent group', it doesn't mean that
>>> 'id' will show every group a user is a member of. You can only be
>>> sure of getting a full list of a users groups if the user has logged in.
>>
>> So I log in as user jdoe and I still do not have access to the group...:
>>
>> jdoe at samba01:~$ getent group | grep jdoe
>> development:x:11111:jdoe
>> office:x:11106:jdoe,lgaga
>> domain users:x:10513:jdoe,lgaga,administrator,krbtgt
>>
>> jdoe at samba01:~$ id jdoe
>> uid=11157(jdoe) gid=10513(domain users) groups=10513(domain
>> users),11157(jdoe),3001(BUILTIN\users)
>>
>> jdoe at samba01:~$ touch test.txt
>> jdoe at samba01:~$ chgrp "domain users" test.txt #works!!
>> jdoe at samba01:~$ chgrp office test.txt
>> chgrp: changing group of 'test.txt': Operation not permitted
>>
>> Why are the group development and office not available for the users
>> part of this group?
>>
>> Kind regards,
>>
>> Jelle de Jong
>>
> I think you should show us the AD objects for 'jdoe' & 'lgaga'

root at s4ad01:~# samba-tool user show jdoe
ldb_wrap open of secrets.ldb
dn: CN=John Doe,CN=Users,DC=samdom,DC=powercraft,DC=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
givenName: John Doe
instanceType: 4
whenCreated: 20200430223428.0Z
displayName: John Doe
uSNCreated: 6013
name: John Doe
objectGUID: 39dd50a7-9759-4d94-b7d5-292b0b6685da
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-2973048184-1977035664-260764756-1157
accountExpires: 9223372036854775807
sAMAccountName: jdoe
sAMAccountType: 805306368
userPrincipalName: jdoe at samdom.powercraft.nl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=powercraft
 ,DC=nl
loginShell: /bin/bash
pwdLastSet: 132327596685766050
userAccountControl: 512
lastLogonTimestamp: 132327597082583380
homeDrive: H:
homeDirectory: \\SAMBA01\users\jdoe
whenChanged: 20200430231011.0Z
uSNChanged: 6020
memberOf: CN=office,CN=Users,DC=samdom,DC=powercraft,DC=nl
memberOf: CN=development,CN=Users,DC=samdom,DC=powercraft,DC=nl
lastLogon: 132329156295792050
logonCount: 12
distinguishedName: CN=John Doe,CN=Users,DC=samdom,DC=powercraft,DC=nl

root at s4ad01:~# samba-tool user show lgaga
ldb_wrap open of secrets.ldb
dn: CN=Lady Gaga,CN=Users,DC=samdom,DC=powercraft,DC=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Lady Gaga
givenName: Lady Gaga
instanceType: 4
whenCreated: 20200430222112.0Z
displayName: Lady Gaga
uSNCreated: 6002
name: Lady Gaga
objectGUID: 6a86c792-c177-4797-a4fd-99c4379dab82
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\SAMBA01\users\lgaga
homeDrive: H
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-2973048184-1977035664-260764756-1155
accountExpires: 9223372036854775807
sAMAccountName: lgaga
sAMAccountType: 805306368
userPrincipalName: lgaga at samdom.powercraft.nl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=powercraft
 ,DC=nl
loginShell: /bin/bash
pwdLastSet: 132327588724653300
userAccountControl: 512
lastLogonTimestamp: 132327588827098890
whenChanged: 20200430222122.0Z
uSNChanged: 6006
lastLogon: 132327592186315850
logonCount: 4
memberOf: CN=office,CN=Users,DC=samdom,DC=powercraft,DC=nl
distinguishedName: CN=Lady Gaga,CN=Users,DC=samdom,DC=powercraft,DC=nl

Jelle de Jong
Rowland penny
2020-May-02 18:42 UTC
[Samba] default backend = rid not showing full group information for users
On 02/05/2020 19:28, Jelle de Jong via samba wrote:
> root at s4ad01:~# samba-tool user show jdoe

There is no apparent reason why the groups do not work with chgrp, the only reason I can think of is that the group was created and when you tried to 'chgrp' the file, winbind read from its cache and it wasn't in the cache. Try running 'net cache flush' and then try 'chgrp' again.

Rowland
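
The mismatch discussed in this thread (a group lists the user as a member in 'getent group', but its GID is missing from the user's 'id' list, so group-based access such as chgrp fails) can be checked mechanically on a domain member. The following is an added example, not part of the original thread or of Samba; the function name groups_missing_from_id is hypothetical and the sample data is constructed from the output jdoe posted above.

```shell
#!/bin/sh
# groups_missing_from_id USER GETENT_GROUP_TEXT GID_LIST   (hypothetical helper)
#   GETENT_GROUP_TEXT : output of `getent group` (name:passwd:gid:member,member)
#   GID_LIST          : output of `id -G USER` (space-separated numeric GIDs)
# Prints "name(gid)" for every group that names USER as a member but whose
# GID is not in GID_LIST. Comparison is by GID because group names such as
# "domain users" contain spaces.
groups_missing_from_id() {
    user=$1
    getent_text=$2
    gids=$3
    printf '%s\n' "$getent_text" | awk -F: -v user="$user" -v gids="$gids" '
        BEGIN {
            n = split(gids, g, " ")
            for (i = 1; i <= n; i++) have[g[i]] = 1
        }
        {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == user && !($3 in have)) {
                    print $1 "(" $3 ")"
                    break
                }
        }'
}

# Sample input constructed from the output shown in the thread.
SAMPLE_GETENT='development:x:11111:jdoe
office:x:11106:jdoe,lgaga
domain users:x:10513:jdoe,lgaga,administrator,krbtgt'
SAMPLE_GIDS='10513 11157 3001'

# Demo on the sample data: lists the groups jdoe cannot use.
groups_missing_from_id jdoe "$SAMPLE_GETENT" "$SAMPLE_GIDS"

# Live check on a domain member (run after the cache flush suggested above):
#   groups_missing_from_id jdoe "$(getent group)" "$(id -G jdoe)"
```

An empty result means every group that lists the user is also present in the user's GID list.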