I found the culprit!
I removed this line from my /etc/nsswitch.conf:
initgroups = files
My secondary groups magically appeared when I typed 'id'.
I think that I'm finally ready to get rid of SSSD
> On Jul 27, 2022, at 4:53 PM, Luc Lalonde via samba <samba at
lists.samba.org> wrote:
>
> Yeah, I'm really stumped...
>
> I've got the same version of Samba as you (4.15.6) on a Debian 11.
>
> On 2022-07-27 16:24, Rowland Penny via samba wrote:
>> On Wed, 2022-07-27 at 16:05 -0400, Luc Lalonde via samba wrote:
>>> I corrected all the errors you mentioned in my config... Still a no go
>>> for secondary groups.
>>>
>>> Other answers below:
>>>
>>> On 2022-07-27 15:19, Rowland Penny via samba wrote:
>>>> Does 'Domain Users' have a gidNumber ?
>>> No, but I tried setting one... changes nothing (after restarting
>>> smbd,
>>> winbind, net cache flush)
>>>> Do all your users have a uidNumber & gidNumber ?
>>> Yes
>>>> Do all your groups have a gidNumber ?
>>> Yes
>>>> Are all these numbers inside the 1000-999999 range ?
>>> Yes
>> Strange, what version of Samba is this ?
>>
>> I am using 4.15.7 with these lines in smb.conf:
>>
>> winbind expand groups = 2
>> ....................
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config SAMDOM : backend = ad
>> idmap config SAMDOM : schema_mode = rfc2307
>> idmap config SAMDOM : unix_nss_info = yes
>> idmap config SAMDOM : range = 10000-999999
>>
>> and I get this:
>>
>> rowland at devstation:~$ id
>> uid=10000(rowland) gid=10000(domain users) groups=10000(domain
>> users),102(netdev),1001(unixtest),2000(BUILTIN\administrators),2001(BUI
>> LTIN\users),10002(unixgroup),10004(testgroup),10010(group12),10011(prin
>> teradmin),10012(ridtest),10013(wingroup),10014(wingroup1),10015(nesttes
>> ta),10016(nesttestb),10017(grouptest2),10021(ftpgroup),10022(wingroup2)
>> ,10024(unix admins),10030(sam_shares),10032(sshgroup),10035(vpnusers)
>>
>> The only real difference is that I do not use 'unix_primary_group
>> yes'
>>
>> As you can see, I get a lot of groups. I would double check everything.
>>
>> Rowland
>>
>>
>>
> --
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------
>
>
>
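
The fix reported at the top of this message can be checked for mechanically. The following is an added example, not code from the thread or from Samba: it reports which sources listed for `group` are left out by an explicit `initgroups` entry. The sample files are constructed, use the `database: sources` syntax of nsswitch.conf(5), and assume `winbind` is the directory source for `group`.

```python
import re

# Constructed samples; the first mirrors the situation described in the thread.
SAMPLE_BROKEN = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
group:      files winbind
initgroups: files
"""

SAMPLE_FIXED = """\
passwd:     files winbind
group:      files [SUCCESS=merge] winbind   # trailing comment
"""


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [STATUS=action] items."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, spec = line.split(":", 1)
        spec = re.sub(r"\[[^\]]*\]", " ", spec)  # drop action items
        databases[name.strip().lower()] = spec.split()
    return databases


def skipped_group_sources(text):
    """Sources listed for 'group' that an explicit 'initgroups' entry omits.

    With no 'initgroups' entry glibc falls back to the 'group' entry,
    so nothing is skipped and the result is empty.
    """
    db = parse_nsswitch(text)
    if "initgroups" not in db:
        return []
    return [s for s in db.get("group", []) if s not in db["initgroups"]]


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        print(skipped_group_sources(fh.read()) or "no group source is skipped")
```

A non-empty result means supplementary groups from those sources will not appear in `id` output or in a login session's group list, even though `getent group` still resolves them.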