Environment:
- fresh Debian 10 Samba 4.9.5-Debian as AD-DC, using internal LDAP, internal DNS, RFC2307 enabled, libnss-winbind enabled and configured, libpam-winbind enabled and configured
- fresh Debian 10 Samba 4.9.5-Debian as Fileserver, joined to the AD-Domain, RFC2307 enabled, libnss-winbind enabled and configured, libpam-winbind enabled and configured
- Windows 7 and Windows 10 Clients
- Various Linux Servers will join the AD-Domain
- Microsoft RSAT Tools installed on Windows 7 for Management
AD-Users and AD-Groups simply work on Windows, both have NIS User/Group IDs assigned.
`getent passwd` on the fileserver shows all AD-users. `getent group` on the fileserver shows all AD-groups, but all AD-groups appear empty on Linux. Windows RSAT tools show group members as expected.
Output is `somegroup:x:23456:`.
Expected output is `somegroup:x:23456:joe.user,tim.trouble,n.o.clue`.
It seems I'm missing a little detail that needs to be configured.
Solution was a missing parameter in smb.conf, shown in "Linux nested groups with winbind".
`winbind expand groups` defaults to 0 since Samba 4.2, has to be non-zero to list user members in `getent group`.
I've set `winbind expand groups = 10` in smb.conf on the file server, that works for our little Samba-AD.

Have a look at `winbind enum users` + `winbind enum groups`. They default to `no` in smb.conf.
Quoting `winbind enum users`: and `winbind enum groups`:
That said, you should not need to enable the settings. Users and groups can be enumerated via `wbinfo -u` and `wbinfo -g`.
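
A check for the symptom and the setting discussed above, as an added example that is not part of the question or either answer: one function reads the effective `winbind expand groups` value from the `[global]` section of an smb.conf, the other lists groups that `getent group` reports without members. The function names, the sample smb.conf, the group `othergroup` and the GID range 20000-29999 are constructed for illustration; `include` lines and registry-based configuration are not followed.

```shell
#!/bin/sh
# Added example; helper names and sample data are constructed, not from the page.

# Read an smb.conf on stdin and print the value of "winbind expand groups"
# from [global]. Prints 0 when the parameter is absent (default since Samba 4.2).
expand_groups_value() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)                  # names match ignoring case and spaces
            if (key == "winbindexpandgroups") {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)    # trim the value; last one wins
            }
        }
        END { print (val == "" ? 0 : val) }
    '
}

# Read `getent group` output on stdin and print the names of groups whose GID
# lies in [$1, $2] and whose member field (4th, colon-separated) is empty.
empty_groups() {
    awk -F: -v min="$1" -v max="$2" \
        '$3 >= min && $3 <= max && $4 == "" { print $1 }'
}

# Constructed sample inputs so the script runs offline.
SAMPLE_CONF='[global]
    workgroup = EXAMPLE
    Winbind Expand Groups = 10
[share]
    path = /srv/share'

SAMPLE_GETENT='root:x:0:
somegroup:x:23456:
othergroup:x:23457:joe.user,tim.trouble'

echo "winbind expand groups: $(printf '%s\n' "$SAMPLE_CONF" | expand_groups_value)"
echo "groups listed without members:"
printf '%s\n' "$SAMPLE_GETENT" | empty_groups 20000 29999
```

On a live file server, feed the real smb.conf and the output of `getent group` into the same functions, using the GID range configured for the domain.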