Topic: [SOLVED] Zentyal 5.1 - getent group shows no users

nickpiggott

[SOLVED] Zentyal 5.1 - getent group shows no users
« on: March 29, 2020, 06:32:47 pm »
I'm running Zentyal 5.1 with Samba 4.6.7 on Ubuntu 16.04.6 LTS

I have users and groups populated in Active Directory. I can use the Zentyal GUI to add a user to the "Domain Admins" group.

However, querying the "Domain Admins" group shows it as being empty:
Code: [Select]
> getent group
DOMAIN\domain admins:x:2512:
> wbinfo --group-info="Domain Admins"
DOMAIN\domain admins:x:2512:


Using samba-tool provides the correct answer:
Code: [Select]
> sudo samba-tool group listmembers "Domain Admins"
ldb_wrap open of secrets.ldb
nickpiggott
Administrator
zentyal-mail-dc2

My uid is 1000 (a legacy ID). The administrator uid is 2500. The zentyal-mail-dc2 uid is 3000031.

My smb.conf is autogenerated by Zentyal. There are no apparent errors in /var/log/samba/samba.log. I'm using only winbind (sssd is not installed on this box).

What can I do to correct this? It's stopping important functionality (like adding "Domain Admins" to the sudoers file) from working.
« Last Edit: March 31, 2020, 02:21:41 pm by nickpiggott »

doncamilo

Re: Zentyal 5.1 - getent group shows no users
« Reply #1 on: March 30, 2020, 11:25:43 am »
 :)

It isn't a Zentyal issue.

Add the "winbind expand groups = 1" option to your smb.conf:

Code: [Select]
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/

Add the "winbind expand groups = 1" option in the Global section of /etc/zentyal/stubs/samba/smb.conf.mas:

Code: [Select]
[global]
    workgroup = <% $workgroup %>
    realm = <% $realm %>
    netbios name = <% $netbiosName %>
    server string = <% $description %>
    server role = <% $mode %>
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 1
    ...

Restart samba:

Code: [Select]
sudo zs samba restart

Use the winbind command:

Code: [Select]
root@zentyal5:~# wbinfo --group-info="LAB5\domain admins"
LAB5\domain admins:x:2512:LAB5\administrator,LAB5\zentyal-mail-zentyal5,LAB5\admindc

Read about it in man smb.conf

Cheers!

"May you enjoy as much health as the kindness you harbor in your heart"

Don Camilo.

"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.
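
A way to confirm the fix described in the reply above, as an added example that is not part of the original posts: it reads `winbind expand groups` from the `[global]` section of an smb.conf-style file and lists directory members that are missing from a `getent group` line, which is the gap that breaks group-based sudoers rules. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print the "winbind expand groups" value from [global] in an smb.conf-style
# file, or "0" (Samba's default) if unset. Samba ignores case and whitespace
# in section and parameter names, so both are normalised before matching.
expand_groups_value() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "winbindexpandgroups") { found = val; seen = 1 }
        }
        END { print (seen ? found : "0") }
    ' "$1"
}

# Print members listed in file $2 (one account per line, e.g. saved from
# "samba-tool group listmembers") that are missing from the "getent group"
# line in $1. Case-insensitive; strips the DOMAIN\ prefix winbind adds.
missing_from_nss() {
    nss=$(printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' |
          sed 's/^.*\\//' | tr 'A-Z' 'a-z')
    while IFS= read -r m; do
        case $m in ''|ldb_wrap\ *) continue ;; esac   # skip blanks and tool noise
        lc=$(printf '%s' "$m" | tr 'A-Z' 'a-z')
        printf '%s\n' "$nss" | grep -Fqx -- "$lc" || printf '%s\n' "$m"
    done < "$2"
}

# Constructed sample data (not captured from a real system).
tmp=$(mktemp -d)
printf '[global]\n    winbind enum groups = yes\n' > "$tmp/before.conf"
printf '[global]\n    winbind expand groups = 1\n' > "$tmp/after.conf"
printf 'nickpiggott\nAdministrator\n' > "$tmp/members"
echo "before: expand groups = $(expand_groups_value "$tmp/before.conf")"
missing_from_nss 'DOMAIN\domain admins:x:2512:' "$tmp/members"
echo "after: expand groups = $(expand_groups_value "$tmp/after.conf")"
missing_from_nss 'DOMAIN\domain admins:x:2512:DOMAIN\administrator,DOMAIN\nickpiggott' "$tmp/members"
rm -rf "$tmp"
```

On a server, point `expand_groups_value` at the generated smb.conf and pass `missing_from_nss` the live `getent group` line; any name it prints is a member that a sudoers group rule would not see.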

nickpiggott

Re: Zentyal 5.1 - getent group shows no users
« Reply #2 on: March 31, 2020, 02:21:25 pm »
That fixed the problem, thank you.

On my Backup Domain Controller (BDC), also running Zentyal 5.1, I additionally had to run

Code: [Select]
sudo net cache flush
sudo smbcontrol winbind reload-config

to get the users within the group to be visible.