samba - May 2020 - default backend = rid not showing full group information for users

On 02/05/2020 19:28, Jelle de Jong via samba wrote:
> root at s4ad01:~# samba-tool user show jdoe 
There is no apparent reason why the groups do not work with chgrp, the 
only reason I can think of is that the group was created and when you 
tried to 'chgrp' the file, winbind read from its cache and it wasn't
in
the cache. Try running 'net cache flush' and then try 'chgrp'
again.

Rowland

On 2020-05-02 20:42, Rowland penny via samba wrote:
> On 02/05/2020 19:28, Jelle de Jong via samba wrote:
>> root at s4ad01:~# samba-tool user show jdoe 
> 
> There is no apparent reason why the groups do not work with chgrp, the 
> only reason I can think of is that the group was created and when you 
> tried to 'chgrp' the file, winbind read from its cache and it
wasn't in
> the cache. Try running 'net cache flush' and then try
'chgrp' again.
What should the "winbind expand groups" option be set to for a working
setup? If I remove "winbind expand groups" there are no group members 
shown at all with the "getent group" command.

root at s4ad01:~# net cache flush
root at samba01:~# net cache flush

root at samba01:~# wbinfo --group-info=development
development:x:11111:jdoe

root at samba01:~# wbinfo --group-info=office
office:x:11106:lgaga,jdoe

jdoe at samba01:~$ id jdoe
uid=11157(jdoe) gid=10513(domain users) groups=10513(domain 
users),11157(jdoe),3001(BUILTIN\users)

jdoe at samba01:~$ chgrp "office" test.txt
chgrp: changing group of 'test.txt': Operation not permitted

jdoe at samba01:~$ samba-tool --version
4.9.5-Debian

root at samba01:~# cat /etc/samba/smb.conf
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.POWERCRAFT.NL

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    username map = /usr/local/samba/etc/user.map

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SAMDOM:backend = rid
#  idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
#  idmap config SAMDOM:unix_nss_info = yes

    template shell = /bin/bash
    template homedir = /home/%U

#  idmap config SAMDOM:unix_primary_group = yes

    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 1

Is this a samba bug then in version 4.9.5-Debian?

Jelle de Jong

On 02/05/2020 20:36, Jelle de Jong via samba wrote:
> On 2020-05-02 20:42, Rowland penny via samba wrote:
>> On 02/05/2020 19:28, Jelle de Jong via samba wrote:
>>> root at s4ad01:~# samba-tool user show jdoe 
>>
>> There is no apparent reason why the groups do not work with chgrp, 
>> the only reason I can think of is that the group was created and when 
>> you tried to 'chgrp' the file, winbind read from its cache and
it
>> wasn't in the cache. Try running 'net cache flush' and then
try
>> 'chgrp' again.
>
> What should the "winbind expand groups" option be set to for a
working
> setup? If I remove "winbind expand groups" there are no group
members
> shown at all with the "getent group" command.
That is because? the default 'winbind expand groups = 0' means that 
winbind doesn't query for groups, try with '2' instead.

Rowland