samba - Jan 2025 - differences between 'getent group GROUP1' and 'sudo samba-tool group listmembers GROUP1'

On Tue, 21 Jan 2025 21:10:31 +0100
PaLi via samba <samba at lists.samba.org> wrote:
> Hello
> 
> Thank for suggestion to config fixes. Back to my original question.
> 
> Is it possible make
> 
> getent group
> 
> working on Samba 4 DC
Yes, but why ?
It isn't required for Samba to work, use 'getent group GROUPNAME'
instead.
> to return list of group members to every group line, as it does for
> group in /etc/group ?
> 
> I know that I cat get this under root account by?
> samba-tool group listmembers
> 
> But how to get members of group under non-root account?
> 
> 
> Second part of question. I've read somewhre it is better way to join
> linux clients to Samba 4 domain by sssd (than by winbind) and then 
> getent group 
> could work correctly. Is it true?
Do not ask me about sssd, I do not use it and do not see the point of
it with Samba when you also have to use winbind. sssd is a clone of
winbind.
> 
> But it cannot be case on Samba DC, right??
> I can't join DC to itself by sssd, right?
> Then how to do it?
You don't.
Why the fixation with 'getent group' ?

Rowland

On Tue, 2025-01-21 at 20:20 +0000, Rowland Penny via samba
wrote:
> On Tue, 21 Jan 2025 21:10:31 +0100
> PaLi via samba <samba at lists.samba.org> wrote:
> 
> > Hello
> > 
> > Thank for suggestion to config fixes. Back to my original question.
> > 
> > Is it possible make
> > 
> > getent group
> > 
> > working on Samba 4 DC
> 
> Yes, but why ?
> It isn't required for Samba to work, use 'getent group
GROUPNAME'
> instead.
I don't know if my question was clear enough.?
Real example could be better explanation.


real OUTPUT of samba-tool
---
$ sudo samba-tool group listmembers 'domain users'
dns-dc21
Administrator
pali
luno
peli
misi
krbtgt
dhcpduser
masi
dns-DC22


real OUTPUT of getent group
---
$ sudo getent group 'domain users'
OFFICE\domain users:x:2000:


My problem is that both tools return different result.?
(getent group -- shows no members)

Do you aggree that it is not correct behaviour?


Other example -- real situation

I will log to DC (or other linux machine joined to Samba 4) through ssh
(terminal session) as non privileged user. I want to get list of
members for group 'Domain Users'. How can I do it without 
getent group working?


Pavel
> > to return list of group members to every group line, as it does for
> > group in /etc/group ?
> > 
> > I know that I cat get this under root account by?
> > samba-tool group listmembers
> > 
> > But how to get members of group under non-root account?
> > 
> > 
> > Second part of question. I've read somewhre it is better way to
> > join
> > linux clients to Samba 4 domain by sssd (than by winbind) and then 
> > getent group 
> > could work correctly. Is it true?
> 
> Do not ask me about sssd, I do not use it and do not see the point of
> it with Samba when you also have to use winbind. sssd is a clone of
> winbind.
> 
> > 
> > But it cannot be case on Samba DC, right??
> > I can't join DC to itself by sssd, right?
> > Then how to do it?
> 
> You don't.
> Why the fixation with 'getent group' ?
> 
> Rowland
>