Samba AD Groups appear empty on Unix

Environment:

  • fresh Debian 10 Samba 4.9.5-Debian as AD-DC, using internal LDAP, internal DNS, RFC2307 enabled, libnss-winbind enabled and configured, libpam-winbind enabled and configured
  • fresh Debian 10 Samba 4.9.5-Debian as Fileserver, joined to the AD-Domain, RFC2307 enabled, libnss-winbind enabled and configured, libpam-winbind enabled and configured
  • Windows 7 and Windows 10 Clients
  • Various Linux Servers will join the AD-Domain
  • Microsoft RSAT Tools installed on Windows 7 for Management

AD-Users and AD-Groups simply work on Windows, both have NIS User/Group IDs assigned.

getent passwd on the fileserver shows all AD-users. getent group on the fileserver shows all AD-groups, but all AD-groups appear empty on Linux. Windows RSAT tools show group members as expected.

Output is somegroup:x:23456:.

Expected output is somegroup:x:23456:joe.user,tim.trouble,n.o.clue.

It seems I'm missing a little detail that needs to be configured.


Solution 1:

The solution was a missing parameter in smb.conf, shown in "Linux nested groups with winbind".

winbind expand groups has defaulted to 0 since Samba 4.2; it has to be non-zero to list user members in getent group.

I've set winbind expand groups = 10 in smb.conf on the file server; that works for our little Samba-AD.
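
A check for the symptom and its cause described above, as an added example that is not part of the original question or answer. The function names, the GID floor of 10000 and the sample smb.conf and getent text are constructed assumptions.

```shell
#!/bin/sh
# Added example. Function names, the 10000 GID floor and all sample text are
# constructed for illustration; they are not from the original post.

# Read smb.conf text on stdin, print the [global] "winbind expand groups"
# value, or 0 (the default the answer cites for Samba >= 4.2) when unset.
expand_groups_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" {
            key = tolower($1); gsub(/[ \t]/, "", key)   # tolerate case/spacing
            if (key == "winbindexpandgroups") { val = $2; gsub(/[ \t]/, "", val) }
        }
        END { print (val == "" ? 0 : val) }'
}

# Read `getent group` output on stdin, print names of groups whose GID is at
# least $1 (assumed start of the AD/RFC2307 range) and whose member list is empty.
empty_groups() {
    awk -F: -v min="$1" '$3 >= min && $4 == "" { print $1 }'
}

# Combine both checks: $1 = smb.conf text, $2 = getent group text, $3 = GID floor.
check_expansion() {
    val=$(printf '%s\n' "$1" | expand_groups_value)
    empty=$(printf '%s\n' "$2" | empty_groups "$3" | tr '\n' ' ')
    if [ "$val" = "0" ] && [ -n "$empty" ]; then
        echo "winbind expand groups = 0; groups listed without members: $empty"
        return 1
    fi
    echo "winbind expand groups = $val; nothing to report"
}

# Constructed samples: the fileserver before and after the change.
CONF_BEFORE='[global]
    security = ADS
    # winbind expand groups = 10'
CONF_AFTER='[global]
    security = ADS
    winbind expand groups = 10'
GROUPS_BEFORE='root:x:0:
somegroup:x:23456:'
GROUPS_AFTER='root:x:0:
somegroup:x:23456:joe.user,tim.trouble,n.o.clue'

check_expansion "$CONF_BEFORE" "$GROUPS_BEFORE" 10000 || true
check_expansion "$CONF_AFTER" "$GROUPS_AFTER" 10000
```

On a live member server the inputs would be the contents of smb.conf and the output of getent group.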