
[Samba] samba4 missing group membership with getent group


Philippe...@swisscom.com
Jun 21, 2013, 2:30:01 AM

Hi Samba users

Using samba 4.0.6, with an /etc/nsswitch.conf that uses winbind,
<getent group> does not display the group members.

To reproduce (my domain is test3.ch):

samba-tool user add u1
samba-tool group add g1
samba-tool group addmembers g1 u1

<id u1> returns:
uid=3000026(TEST3\u1) gid=100(users) groups=100(users),3000027(TEST3\g1)

but <getent group> does not return group/user membership:
TEST3\g1:*:3000027:

Any advice?

Philippe Simonet
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
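The comparison Philippe makes by hand (what `id` says about a user versus what `getent group` says about the group) can be scripted so the mismatch is caught before a share rule written as @group silently stops matching. This is an added example, not code from the thread; it assumes the winbind-style DOMAIN\name output shown above and takes a pluggable lookup function so it can run offline.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check the groups that `id`
# reports for a user against the member lists that `getent group` returns.
# Under the OP's winbind setup the getent side is empty, so any share access
# rule written as @group silently stops matching that user.

# Group names from one line of `id` output, one per line.
# e.g. uid=3000026(TEST3\u1) gid=100(users) groups=100(users),3000027(TEST3\g1)
groups_from_id() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Name of the primary group (the gid= field) from one line of `id` output.
primary_group_from_id() {
    printf '%s\n' "$1" | sed 's/.*gid=[0-9]*(\([^)]*\)).*/\1/'
}

# Member list (4th field) from one line of `getent group` output.
# e.g. TEST3\g1:*:3000027:TEST3\u1
members_from_getent() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Print every supplementary group of user $1 (taken from the `id` line $2)
# whose getent line does not list the user. $3 names a function or command
# that prints the `getent group` line for a group name, so the lookup can be
# stubbed offline. The primary group is skipped: that membership comes from
# passwd, not from the group member list, so an empty field there is normal.
missing_memberships() {
    user=$1; id_line=$2; lookup=$3
    short=${user##*\\}                      # TEST3\u1 -> u1
    primary=$(primary_group_from_id "$id_line")
    groups_from_id "$id_line" | while IFS= read -r grp; do
        if [ "$grp" = "$primary" ]; then continue; fi
        members=$(members_from_getent "$("$lookup" "$grp")")
        # Accept the bare name or a DOMAIN\name form in the member list.
        case ",$members," in
            *",$short,"*|*"\\$short,"*) ;;
            *) printf '%s\n' "$grp" ;;
        esac
    done
}

# Live wrapper for a real host (hypothetical usage): audit_user 'TEST3\u1'
getent_group_line() { getent group "$1"; }
audit_user() { missing_memberships "$1" "$(id "$1")" getent_group_line; }
```

Any group name printed by audit_user is one that smbd will not see the user in, which is exactly the symptom of the write list / @g1 rules not applying.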

steve
Jun 21, 2013, 3:40:02 AM

On Fri, 2013-06-21 at 06:23 +0000, Philippe...@swisscom.com wrote:
> Hi Samba users

>
> but <getent group> does not return group/user membership :
> TEST3\g1:*:3000027:
>
> any advices ?

It doesn't work for groups:(
use:
getent group TEST\g1

hth
Steve

Philippe...@swisscom.com
Jun 21, 2013, 4:40:02 AM

Hi Steve

<getent group TEST3\g1> gives an empty result, and <getent group TEST3\\g1> gives the same result as <getent group g1>, without user/group membership.

In fact my problem goes further: share access control (write list, ...) does not work for @g1, only with u1 ...

Philippe

Rowland Penny
Jun 21, 2013, 5:20:01 AM

Hi, well yet another reason to use sssd instead of winbind. When I turned
on winbind in /etc/nsswitch.conf on my test S4 server, I get:

id user
uid=3001106(HOME\user) gid=20513(HOME\Domain Users)
groups=20513(HOME\Domain Users),21110(HOME\linuxusers)

getent group linuxusers
HOME\linuxusers:*:21110:

But when I turn sssd back on instead of winbind:

id user
uid=3001106(user) gid=20513(Domain Users) groups=20513(Domain
Users),21110(linuxusers)

getent group linuxusers
linuxusers:*:21110:user

Oh look, getent displays group users!

Also I would suggest forgetting about using @group in smb.conf and use ACLs
instead.

Rowland

steve
Jun 21, 2013, 5:50:01 AM

On Fri, 2013-06-21 at 08:36 +0000, Philippe...@swisscom.com wrote:
> Hi Steve
>
> <getent group TEST3\g1> gives an empty result, and <getent group TEST3\\g1> gives the same result as <getent group g1>, without user/group membership.
>
> In fact my problem goes further: share access control (write list, ...) does not work for @g1, only with u1 ...
>
> Philippe

Oh dear. I know the feeling. You can wait for someone who knows winbind
to read and help or, if you want it to just work, use sssd or nslcd and
forget winbind. The latter you can do now...

steve
Jun 21, 2013, 6:00:03 AM

On Fri, 2013-06-21 at 10:12 +0100, Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind. When I
> turned on winbind in /etc/nsswitch.conf on my test S4 server,
>
> Also I would suggest forgetting about using @group in smb.conf and use ACLs
> instead.

Didn't see this, but absolutely. Use ACLs. Have you ever tried
referring to man smb.conf? Phew!

Ali Bendriss
Jun 21, 2013, 9:50:02 AM

On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind.
> [...]

Hi,

Another option is to use samba AD on one server and the file server (smbd +
winbindd) on another. Since I've done that (last year I think) I've had no
problem at all. At first you may think that it's too much in resources (2 servers
or VMs) but it's really flexible and easy to maintain.

--
Ali

steve
Jun 21, 2013, 11:10:02 AM

On Fri, 2013-06-21 at 15:39 +0200, Ali Bendriss wrote:
> On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> > Hi, well yet another reason to use sssd instead of winbind.
> > [...]
>
> Hi,
>
> Another option is to use samba AD on one server and the file server (smbd +
> winbindd) on another. Since I've done that (last year I think) I've had no
> problem at all. At first you may think that it's too much in resources (2 servers
> or VMs) but it's really flexible and easy to maintain.

Hi,
That's a good idea but we don't know what setup the OP has, we only know
that getent group doesn't work. In any case, if he wants to see getent
password work with the setup you suggest, he's going to have to
configure winbind in at least two distinct ways, once for the DC and
once for the file server. He will also have to edit smb.conf. Or maybe,
he could get away with not using getent at all on the DC?

Philippe...@swisscom.com
Jun 24, 2013, 2:10:02 AM

Hi

That's my setup today (AD with 4.06 and file server with 3.6). Working great, but my goal is really to
get rid of that (just one machine).
Thanks and regards

philippe

From: Ali Bendriss [mailto:ali.be...@gmail.com]
Sent: Friday, June 21, 2013 3:39 PM
To: sa...@lists.samba.org
Cc: Rowland Penny; Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
Subject: Re: [Samba] samba4 missing group membership with getent group


Rowland Penny
Jun 24, 2013, 6:40:02 AM

If you are using S4 as an ADDC then you are using the builtin winbind and
as far as I can see, this cannot provide group memberships via getent.

I could be wrong but I believe that all the builtin winbind pulls from AD
is the user's name and the user's primary group. These come either from some
algorithm or from the rfc2307 uidNumber and gidNumber attributes, which must be added manually.

As far as I can see, the only way to get getent on the S4 server to show
group members is to use sssd.

If you want to use the S4 server also as a fileserver, you must ensure that
the users have the same uidNumber everywhere. This means that you must use
rfc2307 attributes and use something to pull them, i.e. the winbind ad
backend or sssd; the winbind rid backend will not do, as it will never give
you the same uidNumber on the S3 clients as on the S4 AD server.


On 24 June 2013 07:05, <Philippe...@swisscom.com> wrote:

> Hi
>
> That's my setup today (AD with 4.06 and file server with 3.6). Working
> great, but my goal is really to get rid of that (just one machine).
>
> Thanks and regards
>
> philippe
>
> From: Ali Bendriss [mailto:ali.be...@gmail.com]
> Sent: Friday, June 21, 2013 3:39 PM
> To: sa...@lists.samba.org
> Cc: Rowland Penny; Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> Subject: Re: [Samba] samba4 missing group membership with getent group
>
> On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> > Hi, well yet another reason to use sssd instead of winbind.
> > [...]
>
> Hi,
>
> Another option is to use samba AD on one server and the file server (smbd
> + winbindd) on another. Since I've done that (last year I think) I've had
> no problem at all. At first you may think that it's too much in resources (2
> servers or VMs) but it's really flexible and easy to maintain.
>
> --
> Ali

Marc Muehlfeld
Jun 24, 2013, 12:30:03 PM

Hello Rowland,

On 24.06.2013 12:26, Rowland Penny wrote:
> As far as I can see, the only way to get getent on the S4 server to show
> group members is to use sssd.

nslcd works great for that job here, too.


The nslcd.conf is almost the same as the one I wrote up here:
http://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy

I'll publish the nslcd config for getting the data directly from AD in the
wiki in the next few days, too.



Regards,
Marc

Rowland Penny
Jun 24, 2013, 1:50:01 PM

Hi Marc, ok it looks like anything will work on an S4 server apart from
winbind ;-)

My working /etc/sssd/sssd.conf on the S4 server is:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[nss]

[pam]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_realm = EXAMPLE.COM

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

That's it, no special user, no passwords, it just works. I haven't found any
problems yet, touch wood.

And when 1.10.0 gets released (it's in beta at the moment) it gets even
better:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[nss]

[pam]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = False
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad


Rowland


On 24 June 2013 17:21, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:

> Hello Rowland,
>
> On 24.06.2013 12:26, Rowland Penny wrote:
> > As far as I can see, the only way to get getent on the S4 server to show
> > group members is to use sssd.
>
> nslcd works great for that job here, too.
>
> The nslcd.conf is almost the same as the one I wrote up here:
> http://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy

Marc Muehlfeld
Jun 24, 2013, 4:40:02 PM

Hello Rowland,

I haven't used sssd yet. But it's on my schedule for learning and a wiki
HowTo. Your config will be a good start for that.



On 24.06.2013 19:47, Rowland Penny wrote:
> ...
>
> That's it, no special user, no passwords, it just works. I haven't found any
> problems yet, touch wood.

How does it work? I mean, is there a keytab or anything? Or how does AD
know that retrieving the information is allowed?

Rowland Penny
Jun 25, 2013, 5:20:01 AM

Ah, it's magic, or to put it another way (not being a programmer) I do not
know how it works ;-)
You set up Samba as normal but without any references to winbind, then join
to the domain, sssd then uses the /etc/krb5.keytab created by the join and
away you go.

hope this helps
Rowland

steve
Jun 25, 2013, 6:10:01 AM

On Mon, 2013-06-24 at 18:21 +0200, Marc Muehlfeld wrote:
> Hello Rowland,
>
> On 24.06.2013 12:26, Rowland Penny wrote:
> > As far as I can see, the only way to get getent on the S4 server to show
> > group members is to use sssd.
>
> nslcd works great for that job here, too.

Hi
nslcd is simplicity itself but we couldn't get it going for nested
groups. Also it doesn't do dynamic DNS updates, which sssd throws in for
free, and unless you use nscd, it's slow.

Maybe your wiki could include the config for kerberised binds to the S4
ldap? This is all you need:
/etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR.REALM
krb5_ccname /tmp/nslcd.tkt

Hope you get a chance to have a play with sssd. It would be good to hear
other views on how it compares with winbind and nslcd.
Cheers,
Steve