Rowland penny
2021-May-13 17:43 UTC
[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
On 13/05/2021 17:47, Kees van Vloten wrote:
>
> Hi Rowland,
>
> Sorry about the incomplete info.
>
> I am using Samba 4.14 from Louis' repo on Debian buster.
>
> There are no local users above 1000 and indeed all users uidNumber and
> gidNumber set and all groups that can appear as a unix-group have a
> gidNumber.
>
> An example of something that works:
>
> id test3
> uid=2000(test3) gid=2000(grp_test3)
> groups=2000(grp_test3),100016(domain
> users),100014(acl-smb_share_group-full),100002(acl-servers_all-user_access),100003(acl-servers_all-sudo_root),100012(acl-smb_share_windows_deploy-full),100009(acl-app_wireshark-access),100008(acl-app_netdata-access),100018(acl-app_rspamd-access),100017(acl-app_servicedesk-access),1000001(BUILTIN\users)
>
> Then when I try 'chgrp grp_test3 testfile' that fails because 'getent
> group grp_test3' fails.
>
>
> - Kees.
>
>

OK, First, remove this line: idmap_ldb:use rfc2307 = yes
It should only be in a DC smb.conf
I don't think it has anything to do with your problem, but it shouldn't be there.

Let's double check the gidNumber attributes are there:

ldbsearch -H ldap://$(hostname -s) -b "$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub '(&(objectClass=group)(sAMAccountName=Domain Users))' gidNumber -P | grep 'gidNumber' | sed 's/gidNumber: //'

This should result in '100016'

ldbsearch -H ldap://$(hostname -s) -b "$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub '(&(objectClass=group)(sAMAccountName=grp_test3))' gidNumber -P | grep 'gidNumber' | sed 's/gidNumber: //'

This should result in '2000'

Let's go from there.

Rowland
Rowland penny
2021-May-13 18:07 UTC
[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
On 13/05/2021 18:43, Rowland penny via samba wrote:
> On 13/05/2021 17:47, Kees van Vloten wrote:
>>
>> Hi Rowland,
>>
>> Sorry about the incomplete info.
>>
>> I am using Samba 4.14 from Louis' repo on Debian buster.
>>
>> There are no local users above 1000 and indeed all users uidNumber
>> and gidNumber set and all groups that can appear as a unix-group have
>> a gidNumber.
>>
>> An example of something that works:
>>
>> id test3
>> uid=2000(test3) gid=2000(grp_test3)
>> groups=2000(grp_test3),100016(domain
>> users),100014(acl-smb_share_group-full),100002(acl-servers_all-user_access),100003(acl-servers_all-sudo_root),100012(acl-smb_share_windows_deploy-full),100009(acl-app_wireshark-access),100008(acl-app_netdata-access),100018(acl-app_rspamd-access),100017(acl-app_servicedesk-access),1000001(BUILTIN\users)
>>
>> Then when I try 'chgrp grp_test3 testfile' that fails because 'getent
>> group grp_test3' fails.
>>
>>
>> - Kees.
>>
>>
>
> OK, First, remove this line: idmap_ldb:use rfc2307 = yes
> It should only be in a DC smb.conf
> I don't think it has anything to do with your problem, but it
> shouldn't be there.
>
> Let's double check the gidNumber attributes are there:
>
> ldbsearch -H ldap://$(hostname -s) -b "$(echo "dc=$(hostname -d)" |
> sed 's/\./,dc=/g')" -s sub
> '(&(objectClass=group)(sAMAccountName=Domain Users))' gidNumber -P |
> grep 'gidNumber' | sed 's/gidNumber: //'
>
> This should result in '100016'
>
> ldbsearch -H ldap://$(hostname -s) -b "$(echo "dc=$(hostname -d)" |
> sed 's/\./,dc=/g')" -s sub
> '(&(objectClass=group)(sAMAccountName=grp_test3))' gidNumber -P | grep
> 'gidNumber' | sed 's/gidNumber: //'
>
> This should result in '2000'
>
> Let's go from there.
>
> Rowland
>
>

Oops, I should have said to run the ldbsearch commands on a DC

Rowland
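
Added example, not part of the thread and not Samba project code: the gidNumber check above as a small script that compares what AD stores with what NSS returns on the member server, so a missing or mismatched mapping shows up before it affects file ownership. The function names, the sample DN and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: compare a group's gidNumber in AD with
# the GID that NSS (winbind) returns on the member server.
# Function names and the sample records below are constructed for illustration.

# DNS domain -> base DN, the same sed substitution used in the thread.
base_dn_from_domain() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Read ldbsearch LDIF output on stdin, print the first gidNumber value.
gid_from_ldif() {
    sed -n 's/^gidNumber: //p' | head -n 1
}

# Read 'getent group NAME' output on stdin, print the GID (third field).
gid_from_getent() {
    cut -s -d: -f3 | head -n 1
}

# compare_gid GROUP AD_GID NSS_GID: print a verdict, return 0 only on a match.
compare_gid() {
    if [ -z "$2" ]; then
        echo "$1: no gidNumber attribute in AD"; return 2
    elif [ -z "$3" ]; then
        echo "$1: AD has gidNumber $2 but NSS does not resolve the group"; return 3
    elif [ "$2" != "$3" ]; then
        echo "$1: mismatch, AD=$2 NSS=$3"; return 4
    fi
    echo "$1: OK, gid $2"
}

# Constructed sample data (not output captured from the poster's systems).
SAMPLE_LDIF='# record 1
dn: CN=grp_test3,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 2000'
SAMPLE_GETENT='grp_test3:x:2000:'

demo() {
    ad_gid=$(printf '%s\n' "$SAMPLE_LDIF" | gid_from_ldif)
    # Healthy member: NSS returns the same GID as AD.
    compare_gid grp_test3 "$ad_gid" "$(printf '%s\n' "$SAMPLE_GETENT" | gid_from_getent)" || :
    # Symptom from the thread: getent prints nothing for the group.
    compare_gid grp_test3 "$ad_gid" "$(printf '' | gid_from_getent)" || :
}
demo
```

On live systems, feed gid_from_ldif from the ldbsearch command in the thread (run on a DC) and gid_from_getent from 'getent group grp_test3' on the member server.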