pavel.lisy at gmail.com
2025-Jan-21 20:10 UTC
[Samba] differences between 'getent group GROUP1' and 'sudo samba-tool group listmembers GROUP1'
Hello

Thanks for the suggestions on the config fixes. Back to my original question.

Is it possible to make

getent group

work on a Samba 4 DC
to return the list of group members for every group line, as it does for
groups in /etc/group?

I know that I can get this under the root account by
samba-tool group listmembers

But how to get members of a group under a non-root account?


Second part of the question. I've read somewhere that it is a better way to join
Linux clients to a Samba 4 domain by sssd (than by winbind) and then
getent group
could work correctly. Is it true?

But it cannot be the case on a Samba DC, right?
I can't join the DC to itself by sssd, right?
Then how to do it?

Pavel

On Mon, 2025-01-20 at 21:16 +0000, Rowland Penny via samba wrote:
> On Mon, 20 Jan 2025 21:56:17 +0100
> PaLi via samba <samba at lists.samba.org> wrote:
>
> > Hello
> >
> > I'm confused. On a new installation of a Samba 4 domain I have some
> > configuration problem.
> >
> > samba release: Version 4.19.5-Ubuntu
> >
> > * example for user "pali"
> >
> > * returns members of this group
> > $ sudo samba-tool group listmembers GROUP1
> > ...
> > pali
> > ...
> >
> > * no users in group?
> > -- returns correct info (name, gid) except group members - it is
> > empty
> > $ getent group GROUP1
> > -- EMPTY --
> >
> > * but "groups" shows all groups
> > $ groups pali
> > ... GROUP1 ...
> >
> > How could it be possible?
> > Where could I search for the configuration mistake?
> >
> > /etc/samba/smb.conf:
> >
> > [global]
> >    bind interfaces only = Yes
> >    dns forwarder = 8.8.8.8
> >    interfaces = lo enp1s0
> >    netbios name = DC11
> >    realm = OFFICE.SOMEDOMAIN.COM
> >    server role = active directory domain controller
> >    workgroup = OFFICE
> >    idmap_ldb:use rfc2307 = yes
> >    winbind enum groups = Yes
> >    winbind enum users = Yes
>
> I would remove those 'enum' lines, you do not need them
>
> >    winbind use default domain = yes
>
> You might as well remove that line. It does nothing on a DC
>
> >    # glob_winbind: - - - - - - - end
> >    # glob_template: - - - - - - begin
> >    template shell = /bin/bash
> >    template homedir = /home/%D/%U
>
> The template homedir is the default
>
> >    # glob_template: - - - - - - - end
> >    # glob_acl: - - - - - - begin
> >    vfs objects = acl_xattr
>
> OH DEAR, you MUST remove that line, it has turned off one of the DC's
> default vfs objects
>
> >    map acl inherit = yes
> >    store dos attributes = yes
>
> You should remove those lines, they shouldn't be in a DC's smb.conf
>
> Rowland
>
Rowland Penny
2025-Jan-21 20:20 UTC
[Samba] differences between 'getent group GROUP1' and 'sudo samba-tool group listmembers GROUP1'
On Tue, 21 Jan 2025 21:10:31 +0100
PaLi via samba <samba at lists.samba.org> wrote:

> Hello
>
> Thanks for the suggestions on the config fixes. Back to my original question.
>
> Is it possible to make
>
> getent group
>
> work on a Samba 4 DC

Yes, but why? It isn't required for Samba to work, use 'getent group GROUPNAME' instead.

> to return the list of group members for every group line, as it does for
> groups in /etc/group?
>
> I know that I can get this under the root account by
> samba-tool group listmembers
>
> But how to get members of a group under a non-root account?
>
>
> Second part of the question. I've read somewhere that it is a better way to join
> Linux clients to a Samba 4 domain by sssd (than by winbind) and then
> getent group
> could work correctly. Is it true?

Do not ask me about sssd, I do not use it and do not see the point of it with Samba when you also have to use winbind. sssd is a clone of winbind.

>
> But it cannot be the case on a Samba DC, right?
> I can't join the DC to itself by sssd, right?
> Then how to do it?

You don't. Why the fixation with 'getent group'?

Rowland