Kees van Vloten
2021-May-13 16:14 UTC
[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
Hi Samba-team,

I am trying to get my smb-fileserver working as domain-member in a samba-dc domain.

A part of smb.conf [global]:

[global]
        netbios name = GRIEG
        security = ADS
        realm = COMPOSERS.LAN
        workgroup = COMPOSERS
        vfs objects = acl_xattr
        idmap_ldb:use rfc2307 = yes
        idmap config composers:backend = ad
        idmap config composers:schema_mode = rfc2307
        idmap config composers:unix_nss_info = yes
        idmap config composers:range = 1001-999999
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        #winbind cache time = 300
        winbind enum groups = yes
        winbind enum users = yes
        #winbind expand groups = 10
        #winbind normalize names = yes
        #winbind offline logon = yes
        winbind refresh tickets = yes
        #winbind scan trusted domains = yes
        winbind use default domain = yes

Some lines of /etc/nsswitch.conf:

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

With 'winbind use default domain = yes', 'getent group' returns all groups properly, although there is a slow down when it starts listing the domain groups. Such slow down is not visible when listing users with 'getent passwd'.

When I do 'getent group mygroup', nothing is returned.

With 'winbind use default domain = no', 'getent group' still works properly but there is no slow down on domain groups and 'getent group COMPOSERS\\mygroup' now returns the group details as expected.

I would prefer to have 'winbind use default domain = yes'. What can I do to make domain group lookups work properly?

- Kees
Rowland penny
2021-May-13 16:39 UTC
[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
On 13/05/2021 17:14, Kees van Vloten via samba wrote:
> Hi Samba-team,
>
> I am trying to get my smb-fileserver working as domain-member in a
> samba-dc domain.
>
> A part of smb.conf [global]:
>
> [global]
>         netbios name = GRIEG
>         security = ADS
>         realm = COMPOSERS.LAN
>         workgroup = COMPOSERS
>         vfs objects = acl_xattr
>         idmap_ldb:use rfc2307 = yes
>         idmap config composers:backend = ad
>         idmap config composers:schema_mode = rfc2307
>         idmap config composers:unix_nss_info = yes
>         idmap config composers:range = 1001-999999
>         idmap config *:backend = tdb
>         idmap config *:range = 1000000-1999999
>         #winbind cache time = 300
>         winbind enum groups = yes
>         winbind enum users = yes
>         #winbind expand groups = 10
>         #winbind normalize names = yes
>         #winbind offline logon = yes
>         winbind refresh tickets = yes
>         #winbind scan trusted domains = yes
>         winbind use default domain = yes
>
> Some lines of /etc/nsswitch.conf:
>
> passwd:         files winbind
> group:          files winbind
> shadow:         files
> gshadow:        files
>
> With 'winbind use default domain = yes', 'getent group' returns all
> groups properly, although there a slow down when it starts listing the
> domain groups. Such slow down is not visible when listing users with
> 'getent passwd'.
>
> When I do 'getent group mygroup', nothing is returned.
>
> With winbind use default domain = no', 'getent group' still works
> properly but there is no slow down on domain groups and 'getent group
> COMPOSERS\\mygroup' now returns the group details as expected.
>
> I would prefer to have 'winbind use default domain = yes'. What can I
> do to make domain group lookups work properly?

To be honest, 'getent group' shouldn't work in a production domain, for the very reason you have found.

I would remove the two 'winbind enum' lines, you do not need them, user & group lookup will work without them. You will then need to use 'getent user username' & 'getent group groupname'.

Why this isn't working for you will need more investigation:

Have you given your AD users a uidNumber attribute containing a unique number inside the '1001-999999' range you have set in your smb.conf ?

Speaking of which, why did you start the range at '1001' ?

Have you given Domain Users a gidNumber attribute inside the same range ?

What OS are you using ?

What version of Samba are you using ?

Rowland
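The checks Rowland asks for (ranges in smb.conf that do not overlap, every uidNumber and gidNumber unique and inside the domain's 'ad' backend range, Domain Users carrying a gidNumber) can be scripted. The following is an added example written for this thread, not code from the Samba project or from either poster. The smb.conf excerpt is constructed after the one quoted above, and the user/group attribute values are constructed too; on a real member server you would feed it the actual smb.conf and the uidNumber/gidNumber values read from AD (for example with 'samba-tool user show' and 'samba-tool group show' on the DC).

```python
"""Validate Samba idmap ranges and RFC2307 ID attributes.

Added example for the thread above; not Samba project code.  All input
below is constructed for illustration.
"""

import re

# Constructed excerpt modelled on the [global] section in the thread.
SAMPLE_SMB_CONF = """
[global]
        netbios name = GRIEG
        security = ADS
        realm = COMPOSERS.LAN
        workgroup = COMPOSERS
        idmap config composers:backend = ad
        idmap config composers:schema_mode = rfc2307
        idmap config composers:unix_nss_info = yes
        idmap config composers:range = 1001-999999
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind use default domain = yes
"""

# Constructed AD attribute values (name -> uidNumber / gidNumber).  One user
# sits outside the range and two groups share a gidNumber: exactly the kind
# of mistake that makes winbind drop an object from lookups.
SAMPLE_USERS = {"bach": 10001, "haydn": 10002, "mahler": 500}
SAMPLE_GROUPS = {"Domain Users": 10000, "mygroup": 10010, "choir": 10010}

RANGE_RE = re.compile(r"^idmap config (?P<domain>[^:]+):range$")


def parse_global(smb_conf_text):
    """Return [global] parameters as {key (lower-case): value}.

    Blank lines and '#'/';' comments are skipped; smb.conf keys may contain
    spaces and ':' so the split is on the first '=' only.
    """
    section, params = None, {}
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def idmap_ranges(params):
    """Return {domain: (low, high)} for every 'idmap config X:range' key."""
    ranges = {}
    for key, value in params.items():
        m = RANGE_RE.match(key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges[m.group("domain")] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Return pairs of domains whose ranges overlap; must be empty."""
    names, bad = sorted(ranges), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


def check_ids(ids, id_range):
    """Return (names outside id_range, duplicated ID values)."""
    low, high = id_range
    outside = sorted(n for n, v in ids.items() if not low <= v <= high)
    by_value = {}
    for name, value in ids.items():
        by_value.setdefault(value, []).append(name)
    dups = sorted(v for v, names in by_value.items() if len(names) > 1)
    return outside, dups


def run_checks(smb_conf_text, users, groups):
    """Run every check and return the findings as a dict."""
    params = parse_global(smb_conf_text)
    domain = params["workgroup"].lower()   # idmap domain names are case-insensitive
    ranges = idmap_ranges(params)
    users_out, dup_uids = check_ids(users, ranges[domain])
    groups_out, dup_gids = check_ids(groups, ranges[domain])
    return {
        "domain_range": ranges[domain],
        "overlaps": overlapping_ranges(ranges),
        "users_out_of_range": users_out,
        "duplicate_uids": dup_uids,
        "groups_out_of_range": groups_out,
        "duplicate_gids": dup_gids,
        "domain_users_has_gid": "Domain Users" in groups,
    }


if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_SMB_CONF, SAMPLE_USERS, SAMPLE_GROUPS).items():
        print(f"{key}: {value}")
```

With the constructed input the script reports 'mahler' as outside the 1001-999999 range and gidNumber 10010 as duplicated; an object that fails either check is one winbind cannot map, which is what a silent empty 'getent group mygroup' typically indicates.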