samba - Feb 2025 - Reported group membership is different between domain member and Samba ADC

On 2/14/25 11:22, Rowland Penny via samba wrote:
> Well yes, you can do it that way, but there is an easier way.
> There is a group in AD called 'Domain Admins'
> Add any AD users that you want to be domain administrators to that
> group, then, using visudo add this line to the sudo config:
>
> %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL
>
> Where 'SAMDOM' is your NetBIOS domain name.
>
> Check that your users are members of Domain Admins, you can do this
> with 'getent group domain\ admins'
>
> Now when they log in your domain administrators will be able to use
> sudo.
>
> For extra brownie points, you could store the sudo rules in AD ;-)
>
> Rowland
>
As it turns out, I still have the same issue:

 ??? dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
 ??? Added members to group Domain Admins
 ??? dc1 ~ # net cache flush
 ??? dc1 ~ # samba-tool group listmembers 'domain admins'
 ??? jgraham
 ??? Administrator

And yet:

 ??? dc1 ~ # id HOME\\jgraham
 ??? uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) 
groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)

and also, logged in as me instead of root:

 ??? SAMDOM\jgraham at dc1 ~ $ getent group domain\ admins
 ??? SAMDOM\domain admins:x:3000000:

So, for an undiagnosed reason, the effective domain membership does not 
include "domain admins" either.

- John

On Fri, 14 Feb 2025 12:14:18 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 2/14/25 11:22, Rowland Penny via samba wrote:
> > Well yes, you can do it that way, but there is an easier way.
> > There is a group in AD called 'Domain Admins'
> > Add any AD users that you want to be domain administrators to that
> > group, then, using visudo add this line to the sudo config:
> >
> > %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL
> >
> > Where 'SAMDOM' is your NetBIOS domain name.
> >
> > Check that your users are members of Domain Admins, you can do this
> > with 'getent group domain\ admins'
> >
> > Now when they log in your domain administrators will be able to use
> > sudo.
> >
> > For extra brownie points, you could store the sudo rules in AD ;-)
> >
> > Rowland
> >
> As it turns out, I still have the same issue:
> 
>  ??? dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
>  ??? Added members to group Domain Admins
>  ??? dc1 ~ # net cache flush
>  ??? dc1 ~ # samba-tool group listmembers 'domain admins'
>  ??? jgraham
>  ??? Administrator
> 
> And yet:
> 
>  ??? dc1 ~ # id HOME\\jgraham
>  ??? uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) 
> groups=10513(SAMDOM\domain users),3000020,3000006(BUILTIN\users)
> 
> and also, logged in as me instead of root:
> 
>  ??? SAMDOM\jgraham at dc1 ~ $ getent group domain\ admins
>  ??? SAMDOM\domain admins:x:3000000:
> 
> So, for an undiagnosed reason, the effective domain membership does
> not include "domain admins" either.
> 
> - John
OK, I will diagnose it ;-)

open a terminal on the DC, enter 'man smb.conf', press enter and then
go to 'winbind expand groups', read that, it will explain why you are
not getting any group members.

Rowland