Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: nickpiggott on March 29, 2020, 06:32:47 pm
-
I'm running Zentyal 5.1 with Samba 4.6.7 on Ubuntu 16.04.6 LTS
I have users and groups populated in Active Directory. I can use the Zentyal GUI to add a user to the "Domain Admins" group.
However, querying the Domain Admins group shows it as being empty:
> getent group
DOMAIN\domain admins:x:2512:
> wbinfo --group-info="Domain Admins"
DOMAIN\domain admins:x:2512:
Using samba-tool provides the correct answer:
> sudo samba-tool group listmembers "Domain Admins"
ldb_wrap open of secrets.ldb
nickpiggott
Administrator
zentyal-mail-dc2
My uid is 1000 (a legacy ID). The administrator uid is 2500. The zentyal-mail-dc2 uid is 3000031.
My smb.conf is autogenerated by Zentyal. There are no apparent errors in /var/log/samba/samba.log. I'm using only winbind (sssd is not installed on this box).
What can I do to correct this? It's stopping important functionality (like adding "Domain Admins" to the sudoers file) from working.
-
:)
It isn't a Zentyal issue.
Introduce the " winbind expand groups = 1 " in your smb.conf:
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/
Add the " winbind expand groups = 1 " option in the Global section of /etc/zentyal/stubs/samba/smb.conf.mas:
[global]
workgroup = <% $workgroup %>
realm = <% $realm %>
netbios name = <% $netbiosName %>
server string = <% $description %>
server role = <% $mode %>
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 1
...
Restart samba:
sudo zs samba restart
Use the winbind command:
root@zentyal5:~# wbinfo --group-info="LAB5\domain admins"
LAB5\domain admins:x:2512:LAB5\administrator,LAB5\zentyal-mail-zentyal5,LAB5\admindc
Read about it in man smb.conf
Cheers!
-
That fixed the problem, thank you.
On my Backup Domain Controller (BDC), also running Zentyal 5.1, I additionally had to run
sudo net cache flush
sudo smbcontrol winbind reload-config
to get the users within the group to be visible.
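-
A check for the condition discussed in this thread, as an added example that is not part of any post above: it compares the member list winbind returns for a group with what samba-tool reports and prints the accounts winbind leaves out. The function names are made up for this example, and the sample input used when no argument is given is copied from the outputs quoted in the first post.

```shell
#!/bin/sh
# Added example: detect a group whose members exist in the directory
# but are not expanded by winbind/NSS.

# Members from one NSS-style line (name:x:gid:m1,m2,...), one per line,
# lowercased, with the DOMAIN\ prefix stripped.
nss_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' \
        | sed -e 's/^.*\\//' -e '/^$/d' | tr '[:upper:]' '[:lower:]' | sort -u
}

# Members from `samba-tool group listmembers` output, skipping the
# "ldb_wrap open of secrets.ldb" diagnostic line it may print first.
dir_members() {
    printf '%s\n' "$1" | grep -v '^ldb_wrap ' \
        | sed '/^$/d' | tr '[:upper:]' '[:lower:]' | sort -u
}

# Print every directory member that the NSS line does not list.
missing_from_nss() {
    nss=$(nss_members "$1")
    dir_members "$2" | while IFS= read -r m; do
        printf '%s\n' "$nss" | grep -Fxq -- "$m" || printf '%s\n' "$m"
    done
}

if [ "$#" -ge 1 ]; then
    # Live check on the server: group name is the first argument.
    nss_line=$(wbinfo --group-info="$1")
    dir_out=$(sudo samba-tool group listmembers "$1")
else
    # Sample input: the outputs quoted in the first post of this thread.
    nss_line='DOMAIN\domain admins:x:2512:'
    dir_out='ldb_wrap open of secrets.ldb
nickpiggott
Administrator
zentyal-mail-dc2'
fi

missing=$(missing_from_nss "$nss_line" "$dir_out")
if [ -n "$missing" ]; then
    echo "In the directory but not returned by winbind:"
    printf '%s\n' "$missing"
else
    echo "winbind and samba-tool agree on the group members"
fi
```

Pass the group name as the first argument to query the live system; an empty "missing" list after the smb.conf change and the cache flush means the expansion is working.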