samba - Jan 2025 - differences between 'getent group GROUP1' and 'sudo samba-tool group listmembers GROUP1'

Hello

I'm confused. On new installation of Samba 4 domain I have some
configuration problem. 

samba release: Version 4.19.5-Ubuntu

* example for user "pali"

* returns members of this group
$ sudo samba-tool group listmembers GROUP1 
...
pali
...

* no users in group?
-- returns correct info (name, gid) except group members - it is empty
$ getent group GROUP1
-- EMPTY --

* but "groups" shows all groups 
$ groups pali
... GROUP1 ...

How it could be possible?
Where could I search for configuration mistake?

/etc/samba/smb.conf:

[global]
   bind interfaces only = Yes
   dns forwarder = 8.8.8.8
   interfaces = lo enp1s0
   netbios name = DC11
   realm = OFFICE.SOMEDOMAIN.COM
   server role = active directory domain controller
   workgroup = OFFICE
   idmap_ldb:use rfc2307 = yes
   # glob_winbind: - - - - - - begin
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind use default domain = yes
   # glob_winbind: - - - - - - - end
   # glob_template: - - - - - - begin
   template shell = /bin/bash
   template homedir = /home/%D/%U
   # glob_template: - - - - - - - end
   # glob_acl: - - - - - - begin
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   # glob_acl: - - - - - - - end

  # log level = 0
   # log file = /var/log/samba/log.%J
   # log level = all:2 auth:3 locking:2



Any tips?

Pavel

On Mon, 20 Jan 2025 21:56:17 +0100
PaLi via samba <samba at lists.samba.org> wrote:
> Hello
> 
> I'm confused. On new installation of Samba 4 domain I have some
> configuration problem. 
> 
> samba release: Version 4.19.5-Ubuntu
> 
> * example for user "pali"
> 
> * returns members of this group
> $ sudo samba-tool group listmembers GROUP1 
> ...
> pali
> ...
> 
> * no users in group?
> -- returns correct info (name, gid) except group members - it is empty
> $ getent group GROUP1
> -- EMPTY --
> 
> * but "groups" shows all groups 
> $ groups pali
> ... GROUP1 ...
> 
> How it could be possible?
> Where could I search for configuration mistake?
> 
> /etc/samba/smb.conf:
> 
> [global]
>    bind interfaces only = Yes
>    dns forwarder = 8.8.8.8
>    interfaces = lo enp1s0
>    netbios name = DC11
>    realm = OFFICE.SOMEDOMAIN.COM
>    server role = active directory domain controller
>    workgroup = OFFICE
>    idmap_ldb:use rfc2307 = yes
>    winbind enum groups = Yes
>    winbind enum users = Yes
I would remove those 'enum' lines, you do not need them
>    winbind use default domain = yes
You might as well remove that line. it does nothing on a DC
>    # glob_winbind: - - - - - - - end
>    # glob_template: - - - - - - begin
>    template shell = /bin/bash
>    template homedir = /home/%D/%U
The template homedir is the default
>    # glob_template: - - - - - - - end
>    # glob_acl: - - - - - - begin
>    vfs objects = acl_xattr
OH DEAR, you MUST remove that line, it as turned off one of the DCs
default vfs objects
>    map acl inherit = yes
>    store dos attributes = yes
You should remove those lines, they shouldn't be in a DCs smb.conf

Rowland