Fwd: Samba4 how to list all members of a group

[steve]

Hi
Sorry to forward but I had no luck with this on the samba list.
On s4 at the cli, is it possible to get a list of members of say, Domain
Users?
Steve

-------- Original Message --------
Subject: Samba4 how to list all members of a group
Date: Fri, 27 Apr 2012 20:13:55 +0200
From: steve <st...@steve-ss.com>
To: sa...@lists.samba.org



Version 4.0.0alpha20-GIT-1fbc185
On the Linux dc.

Thanks,
Steve

[Lukasz Zalewski]

On 30/04/12 10:20, steve wrote:
> Hi
> Sorry to forward but I had no luck with this on the samba list.
> On s4 at the cli, is it possible to get a list of members of say, Domain
> Users?
> Steve
>

Hi Steve,
For Domain Users you can try:

/usr/local/samba/bin/ldbsearch -a -H /usr/local/samba/private/sam.ldb
'(|(primaryGroupID=513)(memberOf=CN=Domain Users,CN=Users,DC=...))' dn

or using ldapsearch:
ldapsearch -h mys4dc -b 'DC=<my search base>'
'(|(primaryGroupID=513)(memberOf=CN=Domain Users,CN=Users,DC=...))' dn

Similarly for Domain Computers (using primaryGroupID=515 filter and
appropriate memberOf=CN=Domain Computers,CN=Users,DC=...).

You can probably tweak the filter a bit more to further constrain the
search.

These might be other, more elegant solutions though

HTH

L

[steve]

On 30/04/12 14:10, Lukasz Zalewski wrote:
> On 30/04/12 10:20, steve wrote:
>> Hi
>> Sorry to forward but I had no luck with this on the samba list.
>> On s4 at the cli, is it possible to get a list of members of say, Domain
>> Users?
>> Steve
>>
>
> Hi Steve,
> For Domain Users you can try:
>
> /usr/local/samba/bin/ldbsearch -a -H /usr/local/samba/private/sam.ldb
> '(|(primaryGroupID=513)(memberOf=CN=Domain Users,CN=Users,DC=...))' dn
>

Hi Lukasz
Yes. That gets us there. Thanks.

I can only think that this is not something I should need to do.

Cheers,
Steve

[Lukasz Zalewski]

Hi Steve,
Where you thinking more of the samba-tool option, i.e.
samba-tool group listmembers <grouname>?

L

[steve]

Yes, but listmembers is an error:

samba-tool group listmembers foo bar
Usage: samba-tool group <subcommand>

Available subcommands:
add - Creates a new AD group
addmembers - Add members to an AD group
delete - Deletes an AD group
list - List all groups
removemembers - Remove members from an AD group
ERROR: No such subcommand 'listmembers'

Cheers,
Steve

[Lukasz Zalewski]

Sorry Steve,
This was just a question if you would like this functionality (or think
that it should be available) through samba-tool, rather than description
of an existing command.

L

[Quinn Fissler]

On 30 April 2012 15:23, Lukasz Zalewski <lu...@eecs.qmul.ac.uk> wrote:

> On 30/04/12 15:18, steve wrote:
>
>> On 30/04/12 15:59, Lukasz Zalewski wrote:
>>
>>> On 30/04/12 14:47, steve wrote:
>>>
>>>> On 30/04/12 14:10, Lukasz Zalewski wrote:
>>>>
>>>>> On 30/04/12 10:20, steve wrote:
>>>>>
>>>>>> Hi
>>>>>> Sorry to forward but I had no luck with this on the samba list.
>>>>>> On s4 at the cli, is it possible to get a list of members of say,
>>>>>> Domain
>>>>>> Users?
>>>>>> Steve
>>>>>>
>>>>>>
>>>>> Hi Steve,
>>>>> For Domain Users you can try:
>>>>>

>>>>> /usr/local/samba/bin/ldbsearch -a -H /usr/local/samba/private/sam.**
>>>>> ldb
>>>>> '(|(primaryGroupID=513)(**memberOf=CN=Domain Users,CN=Users,DC=...))'

>>>>> dn
>>>>>
>>>>> Hi Lukasz
>>>> Yes. That gets us there. Thanks.
>>>>
>>>> I can only think that this is not something I should need to do.
>>>>
>>>> Cheers,
>>>> Steve
>>>>
>>>>
>>> Hi Steve,
>>> Where you thinking more of the samba-tool option, i.e.
>>> samba-tool group listmembers <grouname>?
>>>
>>> L
>>>
>> Yes, but listmembers is an error:
>>
>>
> Sorry Steve,
> This was just a question if you would like this functionality (or think
> that it should be available) through samba-tool, rather than description of
> an existing command.
>
> L
>

Shouldn't

getent group Domain\ Users

do it?

(I don't have a samba system to hand to test)

[Matthieu Patou]

> Shouldn't
>
> getent group Domain\ Users
>
> do it?

Only if you configured your box to use nss_winbindd, in this case getent
passwd will query samba for groups, by default it's not configured (and
not working well with samba4).

Matthieu

--
Matthieu Patou
Samba Team
http://samba.org

[steve]

On 04/30/2012 06:37 PM, Matthieu Patou wrote:
>
>> Shouldn't
>>
>> getent group Domain\ Users
>>
>> do it?
> Only if you configured your box to use nss_winbindd, in this case
> getent passwd will query samba for groups, by default it's not
> configured (and not working well with samba4).
>
> Matthieu
>

No.
getent group only lists groups, not members therein. For that, you don't
necessarily need nss-winbindd. We use the new nss-pam-ldapd fork of
nss-ldap which well with the s4 LDAP.
Cheers,
Steve

[steve]

On 04/30/2012 04:23 PM, Lukasz Zalewski wrote:
> On 30/04/12 15:18, steve wrote:
>> On 30/04/12 15:59, Lukasz Zalewski wrote:
>>> On 30/04/12 14:47, steve wrote:
>>>> On 30/04/12 14:10, Lukasz Zalewski wrote:
>>>>> On 30/04/12 10:20, steve wrote:
>>>>>> Hi
>>>>>> Sorry to forward but I had no luck with this on the samba list.
>>>>>> On s4 at the cli, is it possible to get a list of members of say,
>>>>>> Domain
>>>>>> Users?
>>>>>> Steve
>>>>>>
>>>>>
>>>>> Hi Steve,
>>>>> For Domain Users you can try:
>>>>>

>>>>> /usr/local/samba/bin/ldbsearch -a -H /usr/local/samba/private/sam.ldb
>>>>> '(|(primaryGroupID=513)(memberOf=CN=Domain

>>>>> Users,CN=Users,DC=...))' dn
>>>>>
>>>> Hi Lukasz
>>>> Yes. That gets us there. Thanks.
>>>>
>>>> I can only think that this is not something I should need to do.
>>>>
>>>> Cheers,
>>>> Steve
>>>>
>>>
>>> Hi Steve,
>>> Where you thinking more of the samba-tool option, i.e.
>>> samba-tool group listmembers <grouname>?
>>>
>>> L
>> Yes, but listmembers is an error:
>>
>
> Sorry Steve,
> This was just a question if you would like this functionality (or
> think that it should be available) through samba-tool, rather than
> description of an existing command.
>
> L

Hi
Ah, I see. Yes. I certainly feel it would be a worthwhile addition to
samba-tool. You already have the code. With a bit of cut and grep we
could get it to list just the names of the members too:-)
Cheers,
Steve

[steve]

On 04/30/2012 03:47 PM, steve wrote:
> On 30/04/12 14:10, Lukasz Zalewski wrote:
>> On 30/04/12 10:20, steve wrote:
>>> Hi
>>> Sorry to forward but I had no luck with this on the samba list.
>>> On s4 at the cli, is it possible to get a list of members of say,
>>> Domain
>>> Users?
>>> Steve
>>>
>>
>> Hi Steve,
>> For Domain Users you can try:
>>
>> /usr/local/samba/bin/ldbsearch -a -H /usr/local/samba/private/sam.ldb
>> '(|(primaryGroupID=513)(memberOf=CN=Domain Users,CN=Users,DC=...))' dn
>>
> Hi Lukasz
> Yes. That gets us there. Thanks.
>
> I can only think that this is not something I should need to do.
>
> Cheers,
> Steve
Hi

Can anyone do any better than this mess?!

function listgroup {
#lists members of a group
# $1 is the name of the group
# get the gid
strgid=$(wbinfo --group-info="$1")
gid=$(echo $strgid | cut -d ":" -f 3)
#get the group from the sid
strsid=$(wbinfo --gid-to-sid=$gid)
primarygid=$(echo $strsid | cut -d "-" -f 8)
#$db is your ldap://fqdn and $auth if the kerberos ccacche= stuff
ldbsearch --url=$db $auth
"(|(primaryGroupID=$primarygid)(memberOf=CN=$1,CN=Users,$basedn))" dn |
grep CN | cut -d ":" -f2 | cut -d "=" -f2 | cut -d "," -f1 | grep -v ldap
}

Cheers,
Steve

[Lukasz Zalewski]

Hi Steve,
the listmembers option is now part of samba-tool and members are listed
according to their samAccountName (or cn if samAccountName attribute is
not available):
./samba-tool group listmembers
Usage: samba-tool group listmembers <groupname> [options]

Regards

L

[steve]

Hi Lukasz
Works perfectly. I never thought to try it, even on my new build.
Thanks again,
Steve