The Samba-Bugzilla – Bug 2212
Winbind to ADS : PrimaryGroups not shown with getent group
Last modified: 2012-03-12 12:52:38 UTC
I have samba 3.0.10 connected with winbind an kerberos to an W2K Domain. With
getent passwd i can see all the users, with getent group all groups but there
are not all the members in every group.
I findout that for every user the primary group is not solved in the getent
This is the WRONG output from getent:
[root@komm1-neu root]# getent group|grep Benutzer
The following output is TRUE:
[root@komm1-neu root]# id eichel;id will;id kohl;id schroeder;id schaefer
uid=10003(eichel) gid=10012(Buha) groups=10012(Buha),10006(Domänen-Benutzer)
uid=10005(will) gid=10011(GL) groups=10011(GL),10006(Domänen-Benutzer)
uid=10006(kohl) gid=10006(Domänen-Benutzer) groups=10006(Domänen-Benutzer)
uid=10007(schroeder) gid=10006(Domänen-Benutzer) groups=10006(Domänen-Benutzer)
uid=10000(schaefer) gid=10006(Domänen-Benutzer) groups=10006(Domänen-
...as you see here: eichel and will uses other prim-groups then the other
users. But thoese both users where not shown in there own prim-groups:
[root@komm1-neu root]# getent group|grep GL;getent group|grep Buha
If i use cat /prog/<PID>/status or wbinfo --user-groups=XXXX i get the normal
BUT: the wrong groupmapping in getent means that i cannot assign the right in
the filesystem !
I could be remembering this incorrectly, but I thought that primary group was
left out of getent group as an optimization. If you do getent passwd, you will
see that each user has the proper entry for the primary group. If you don't see
the primary group in the proper place of getent passwd than this is a bug, but
if you see all of the groups in id and they work for purposes of access, it's
probably as intended.
(In reply to comment #1)
> If you do getent passwd, you will see that each user has the proper entry for
>the primary group.
Yes, thats true, i see the proper primaryGroupId with getent passwd.
But, if i cannot see all the users belongs to one group (for ex. Domain Users),
i believe, i cannot set the rights to that group in my smb.conf !?
I will try it out an will give an feedback here.
>primary group was left out of getent group as an optimization ...
I can't believe that, this is only one more entry per user - but if this is
true: is there another way to findout wich users belongs to an specific group
on the samba-server ?
Is this still an issue in 3.0.11 ? Pleas retest and let me know.
Ther optimization Marc was talking about was to prevent haveing
to do a query_user for every intry return the ldap search of AD.
But I looked the other day and couldn't find that code.
So it might be fixed now.
closing awaiting feedback on whwther the bug in fixed in 3.0.11 or not.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
I'm still experiencing the same in version 3.6.3