Hello,
When I use "samba-tool group create "GROUPNAME"" command to create a group, then that is not a normal Linux group?
For example:

# wbinfo -g
MYDOMAIN\cert publishers
MYDOMAIN\ras and ias servers
MYDOMAIN\allowed rodc password replication group
MYDOMAIN\denied rodc password replication group
MYDOMAIN\dnsadmins
MYDOMAIN\enterprise read-only domain controllers
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\domain guests
MYDOMAIN\domain computers
MYDOMAIN\domain controllers
MYDOMAIN\schema admins
MYDOMAIN\enterprise admins
MYDOMAIN\group policy creator owners
MYDOMAIN\read-only domain controllers
MYDOMAIN\dnsupdateproxy
MYDOMAIN\login2

# getent group
root:x:0:
bin:x:1:
daemon:x:2:
...
user1:x:982:
login:x:1000:user2,user3
user2:x:981:
user3:x:980:

In the output of the "wbinfo -g" command, I can't see "login" group and in the output of the "getent group" command, I can't see "login2" group.

Thanks.

Correctly seen.

This one is handy to know:
https://wiki.samba.org/index.php/User_and_Group_management

In smb.conf you have these 2:

winbind enum users = no
winbind enum groups = no

Set to yes and you "see" the groups/users in getent.
But this slows down your samba, the system knows the users are there.

So test with:

winbind enum users = yes
winbind enum groups = yes

And when all looks good and works, set it to no again.

Also info here: https://wiki.samba.org/index.php/FAQ
Search for: winbind enumerate

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Long via samba
> Sent: Friday 7 May 2021 10:57
> To: samba at lists.samba.org
> Subject: [Samba] Samba groups vs Linux groups.
>
> Hello,
> When I use "samba-tool group create "GROUPNAME"" command to
> create a group, then that is not a normal Linux group?
> For example:
>
> # wbinfo -g
> MYDOMAIN\cert publishers
> MYDOMAIN\ras and ias servers
> MYDOMAIN\allowed rodc password replication group
> MYDOMAIN\denied rodc password replication group
> MYDOMAIN\dnsadmins
> MYDOMAIN\enterprise read-only domain controllers
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\domain guests
> MYDOMAIN\domain computers
> MYDOMAIN\domain controllers
> MYDOMAIN\schema admins
> MYDOMAIN\enterprise admins
> MYDOMAIN\group policy creator owners
> MYDOMAIN\read-only domain controllers
> MYDOMAIN\dnsupdateproxy
> MYDOMAIN\login2
>
> # getent group
> root:x:0:
> bin:x:1:
> daemon:x:2:
> ...
> user1:x:982:
> login:x:1000:user2,user3
> user2:x:981:
> user3:x:980:
>
> In the output of the "wbinfo -g" command, I can't see "login"
> group and in the output of the "getent group" command, I
> can't see "login2" group.
>
> Thanks.

On 07/05/2021 09:56, Jason Long via samba wrote:
> Hello,
> When I use "samba-tool group create "GROUPNAME"" command to create a group, then that is not a normal Linux group?

It sounds like you need to forget a lot of what you know about Samba and learn the new ways of doing things.

Here is an example:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland@devstation:~$ cat /etc/passwd | grep rowland
rowland@devstation:~$

As you can see, I am quite clearly a Unix user, but I am not in /etc/passwd.

All your users and groups are created in AD and you map them to Unix users and groups with the 'idmap config' lines in your smb.conf.

If you do not want to add anything extra to AD, the easiest method is the winbind 'rid' backend, but you only get Unix IDs.

If you want users to have different home dirs, shells etc, you need to use the 'ad' backend, but you must add rfc2307 attributes to AD.

If you have trusted domains, then there is the 'autorid' backend which works similarly to the 'rid' backend.

You can find more info here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

> For example:
>
> # wbinfo -g
> MYDOMAIN\cert publishers
> MYDOMAIN\ras and ias servers
> MYDOMAIN\allowed rodc password replication group
> MYDOMAIN\denied rodc password replication group
> MYDOMAIN\dnsadmins
> MYDOMAIN\enterprise read-only domain controllers
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\domain guests
> MYDOMAIN\domain computers
> MYDOMAIN\domain controllers
> MYDOMAIN\schema admins
> MYDOMAIN\enterprise admins
> MYDOMAIN\group policy creator owners
> MYDOMAIN\read-only domain controllers
> MYDOMAIN\dnsupdateproxy
> MYDOMAIN\login2
>
> # getent group
> root:x:0:
> bin:x:1:
> daemon:x:2:
> ...
> user1:x:982:
> login:x:1000:user2,user3
> user2:x:981:
> user3:x:980:
>
> In the output of the "wbinfo -g" command, I can't see "login" group and in the output of the "getent group" command, I can't see "login2" group.
>
> Thanks.
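
Added example, not part of the thread or of Samba's own code: a sketch of how the 'rid' backend mentioned in the last reply derives Unix IDs from the 'idmap config' range (ID = RID + low end of the range, with the default base_rid of 0), plus a check that no local /etc/group GID falls inside that range, since an overlap would let a local group and a domain group share file permissions. The smb.conf values, the SIDs and the helper names are constructed assumptions.

```python
import re

# Constructed smb.conf fragment; the ranges are assumed values, not from the thread.
SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999
"""
# Constructed local groups, modelled on the getent output in the thread.
ETC_GROUP = "root:x:0:\nlogin:x:1000:user2,user3\nuser1:x:982:\n"

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains


def rid_to_unix_id(sid, cfg):
    """idmap_rid with the default base_rid of 0: ID = RID + low end of range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg["range"]
    if rid + low > high:
        raise ValueError(f"RID {rid} does not fit in range {low}-{high}")
    return rid + low


def local_collisions(etc_group, cfg):
    """Names of local groups whose GID lies inside the domain's idmap range."""
    low, high = cfg["range"]
    rows = (l.split(":") for l in etc_group.splitlines() if l)
    return [r[0] for r in rows if low <= int(r[2]) <= high]


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)["MYDOMAIN"]
    print(rid_to_unix_id("S-1-5-21-1-2-3-513", cfg), local_collisions(ETC_GROUP, cfg))
```

With these assumed ranges, the local "login" group (GID 1000) stays below the domain range, so it cannot be confused with a domain group such as MYDOMAIN\login2.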