Listing AD group members


Listing AD group members

Samba - General mailing list
Hi,

I've been trying to work out how to get wbinfo to list members of a specific
AD group, rather than list groups a specific user is in.

So far I have had no luck... In fact I'm not sure it's possible with wbinfo.
Is there another tool which could do this?

James


--
Sent using Dekko from my Ubuntu device

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Listing AD group members

Samba - General mailing list
On Mon, 30 Oct 2017 10:34:06 +0000
"A. James Lewis via samba" <[hidden email]> wrote:

> Hi,
>
> I've been trying to work out how to get wbinfo to list members of a
> specific AD group, rather than list groups a specific user is in.
>
> So far I have had no luck... In fact I'm not sure it's possible with
> wbinfo. Is there another tool which could do this?
>
> James
>
>

samba-tool group listmembers <groupname>

Rowland


Re: Listing AD group members

Samba - General mailing list
I did come up with that option from Google, but wondered if it was only suitable if Samba was the AD controller, since that was always the context it was used in.

This is the result I get.

root@hostname:~# samba-tool group listmembers groupname
ERROR(ldb): Failed to list members of "groupname" group  - ldb_search: invalid basedn '(null)'
root@hostname:~#

Samba 4.6.7.

smb.conf looks like this:-

[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL

   idmap config *:backend = tdb
   idmap config *:range = 95000-99999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 100000-999999

   winbind trusted domains only = no
   winbind use default domain = yes
   winbind refresh tickets = yes

   template shell = /bin/bash
   template homedir = /home/%D/%U

Should I be passing it a basedn either in the command, or in the config somewhere?

James




October 30, 2017 10:49 AM, "Rowland Penny via samba" <[hidden email]> wrote:

> On Mon, 30 Oct 2017 10:34:06 +0000
> "A. James Lewis via samba" <[hidden email]> wrote:
>
>> Hi,
>>
>> I've been trying to work out how to get wbinfo to list members of a
>> specific AD group, rather than list groups a specific user is in.
>>
>> So far I have had no luck... In fact I'm not sure it's possible with
>> wbinfo. Is there another tool which could do this?
>>
>> James
>
> samba-tool group listmembers <groupname>
>
> Rowland
>

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


Re: Listing AD group members

Samba - General mailing list
On Mon, 30 Oct 2017 12:07:24 +0000
"A. James Lewis" <[hidden email]> wrote:

> I did come up with that option from Google, but wondered if it was
> only suitable if Samba was the AD controller, since that was always
> the context it was used in.
>
> This is the result I get.
>
> root@hostname:~# samba-tool group listmembers groupname
> ERROR(ldb): Failed to list members of "groupname" group  - ldb_search: invalid basedn '(null)'
> root@hostname:~#

Try something like this:

root@devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
rowland


Re: Listing AD group members

Samba - General mailing list
It appears to hang for a very long time (up to 15 minutes) on "kinit for HOSTNAME$@DOMAIN.LOCAL succeeded", then it returns nothing.

I'm somewhat confused!

James


October 30, 2017 12:27 PM, "Rowland Penny via samba" <[hidden email]> wrote:

> On Mon, 30 Oct 2017 12:07:24 +0000
> "A. James Lewis" <[hidden email]> wrote:
>
>> I did come up with that option from Google, but wondered if it was
>> only suitable if Samba was the AD controller, since that was always
>> the context it was used in.
>>
>> This is the result I get.
>>
>> root@hostname:~# samba-tool group listmembers groupname
>> ERROR(ldb): Failed to list members of "groupname" group - ldb_search: invalid basedn '(null)'
>> root@hostname:~#
>
> Try something like this:
>
> root@devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
> rowland
>

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


Re: Listing AD group members

Samba - General mailing list
On Mon, 30 Oct 2017 14:04:11 +0000
"A. James Lewis" <[hidden email]> wrote:

> It appears to hang for a very long time (up to 15 minutes) on "kinit
> for HOSTNAME$@DOMAIN.LOCAL succeeded" then it returns nothing.
>
> I'm somewhat confused!
>

So am I ;-)

root@devstation:~# time samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
rowland

real 0m0.546s
user 0m0.076s
sys 0m0.016s

Can you post your smb.conf, /etc/hosts, /etc/resolv.conf and /etc/krb5.conf?

Rowland



Re: Listing AD group members

Samba - General mailing list
Oh, I assumed you meant -d10, since -d0 turns off all debug output, so the output is long, but I get:-

.
.
.
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Received smb_krb5 packet of length 234
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Received smb_krb5 packet of length 108
kinit for HOSTNAME$@DOMAIN.LOCAL succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
$


October 30, 2017 2:10 PM, "A. James Lewis via samba" <[hidden email]> wrote:

> It appears to hang for a very long time (up to 15 minutes) on "kinit for HOSTNAME$@DOMAIN.LOCAL
> succeeded"
> then it returns nothing.
>
> I'm somewhat confused!
>
> James
>
> October 30, 2017 12:27 PM, "Rowland Penny via samba" <[hidden email]> wrote:
>
>> On Mon, 30 Oct 2017 12:07:24 +0000
>> "A. James Lewis" <[hidden email]> wrote:
>>
>>> I did come up with that option from Google, but wondered if it was
>>> only suitable if Samba was the AD controller, since that was always
>>> the context it was used in.
>>>
>>> This is the result I get.
>>>
>>> root@hostname:~# samba-tool group listmembers groupname
>>> ERROR(ldb): Failed to list members of "groupname" group - ldb_search: invalid basedn '(null)'
>>> root@hostname:~#
>>
>> Try something like this:
>>
>> root@devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
>> rowland
>>
>
> --
> A. James Lewis ([hidden email])
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."
>

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


Re: Listing AD group members

Samba - General mailing list
On Mon, 30 Oct 2017 14:16:16 +0000
"A. James Lewis" <[hidden email]> wrote:

> Oh, I assumed you meant -d10, since -d0 turns off all debug output,
> so the output is long, but I get:-

Sorry, but no, I added that because I had 'log level = 10' in smb.conf.
Please post the info I asked for.

Rowland


Re: Listing AD group members

Samba - General mailing list
I must admit I assumed that it was completely hung, which is why I looked at your command line to see if there was a typo etc., but here's the output you asked for:-

root@hostname:~# time samba-tool group listmembers testgroup -H ldap://adserver -d0
FUNC-UNIX

real 11m33.761s    <------ LONG TIME!
user 0m0.327s
sys 0m0.021s

I guess they have some nested groups set up... it does appear to be returning something, but obviously not a list of users.


However, for example:-

root@hostname:~# time wbinfo -g jlewis | grep testgroup
testgroup

real 0m0.134s
user 0m0.019s
sys 0m0.005s

I don't have any issue logging on, or using the host...

James


October 30, 2017 2:32 PM, "Rowland Penny via samba" <[hidden email]> wrote:

> On Mon, 30 Oct 2017 14:16:16 +0000
> "A. James Lewis" <[hidden email]> wrote:
>
>> Oh, I assumed you meant -d10, since -d0 turns off all debug output,
>> so the output is long, but I get:-
>
> Sorry, but no, I added that because I had 'log level = 10' in smb.conf.
> Please post the info I asked for.
>
> Rowland
>

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


Re: Listing AD group members

Samba - General mailing list
On Mon, 30 Oct 2017 15:51:28 +0000
"A. James Lewis" <[hidden email]> wrote:

> I must admit I assumed that it was completely hung which is why I
> looked at your command line to see if there was a typo etc... but
> here's the output you asked for:-
>
> root@hostname:~# time samba-tool group listmembers testgroup -H ldap://adserver -d0
> FUNC-UNIX
>
> real 11m33.761s    <------ LONG TIME!
> user 0m0.327s
> sys 0m0.021s
>
> I guess they have some nested groups set up... it does appear to be
> returning something, but obviously not a list of users.
>
>
> However, for example:-
>
> root@hostname:~# time wbinfo -g jlewis | grep testgroup
> testgroup
>
> real 0m0.134s
> user 0m0.019s
> sys 0m0.005s
>
> I don't have any issue logging on, or using the host...
>

Will you please post the info I asked you to post, plus I think you
better tell us what OS you are using.

Whilst nested groups might slow things down, it shouldn't slow things
down to the extent you are seeing.

Rowland


Re: Listing AD group members

Samba - General mailing list
Oh, apologies, I thought you were referring to the fact that I had changed your -d0 to -d10 since I was getting no output for 10 minutes... :)

smb.conf
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL

   idmap config *:backend = tdb
   idmap config *:range = 95000-99999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 100000-999999
   
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind refresh tickets = yes

   template shell = /bin/bash
   template homedir = /home/%D/%U

/etc/resolv.conf
search domain.local
nameserver 10.x.x.20
nameserver 10.x.x.21
nameserver 10.x.x.11
nameserver 10.x.y.10
nameserver 10.x.y.20
nameserver 10.y.x.90
nameserver 10.y.x.21
nameserver 10.y.x.90

/etc/hosts
127.0.0.1 localhost proxy1 proxy2 printer
127.0.1.1 hostname.dev.domain.local hostname

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true


It's running on Ubuntu 17.10.

James


October 30, 2017 4:20 PM, "Rowland Penny via samba" <[hidden email]> wrote:

> On Mon, 30 Oct 2017 15:51:28 +0000
> "A. James Lewis" <[hidden email]> wrote:
>
>> I must admit I assumed that it was completely hung which is why I
>> looked at your command line to see if there was a typo etc... but
>> here's the output you asked for:-
>>
>> root@hostname:~# time samba-tool group listmembers testgroup -H ldap://adserver -d0
>> FUNC-UNIX
>>
>> real 11m33.761s <------ LONG TIME!
>> user 0m0.327s
>> sys 0m0.021s
>>
>> I guess they have some nested groups set up... it does appear to be
>> returning something, but obviously not a list of users.
>>
>> However, for example:-
>>
>> root@hostname:~# time wbinfo -g jlewis | grep testgroup
>> testgroup
>>
>> real 0m0.134s
>> user 0m0.019s
>> sys 0m0.005s
>>
>> I don't have any issue logging on, or using the host...
>
> Will you please post the info I asked you to post, plus I think you
> better tell us what OS you are using.
>
> Whilst nested groups might slow things down, it shouldn't slow things
> down to the extent you are seeing.
>
> Rowland
>

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


Re: Listing AD group members

Samba - General mailing list
On Mon, 30 Oct 2017 17:32:17 +0000
"A. James Lewis" <[hidden email]> wrote:

> Oh, apologies, I thought you were referring to the fact that I had
> changed your -d0 to -d10 since I was getting no output for 10
> minutes... :)
>
> smb.conf
> [global]
>    workgroup = DOMAIN
>    security = ADS
>    realm = DOMAIN.LOCAL
>
>    idmap config *:backend = tdb
>    idmap config *:range = 95000-99999
>    idmap config DOMAIN:backend = rid
>    idmap config DOMAIN:range = 100000-999999
>    
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind refresh tickets = yes
>
>    template shell = /bin/bash
>    template homedir = /home/%D/%U
>
> /etc/resolv.conf
> search domain.local
> nameserver 10.x.x.20
> nameserver 10.x.x.21
> nameserver 10.x.x.11
> nameserver 10.x.y.10
> nameserver 10.x.y.20
> nameserver 10.y.x.90
> nameserver 10.y.x.21
> nameserver 10.y.x.90

Are all of the above DCs?
If not, remove any that aren't.

>
> /etc/hosts
> 127.0.0.1 localhost proxy1 proxy2 printer
> 127.0.1.1 hostname.dev.domain.local hostname

Aha, your Unix domain member's IP isn't 127.0.1.1, so either change
'127.0.1.1' to its IP address, if it has a fixed IP, or remove the line
if it is getting its IP via DHCP.

Rowland
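As an added example (not from the thread or the Samba project), a small Python check for the two configuration points raised in this reply: the host's own name mapped to 127.0.1.1 in /etc/hosts, and a long list of nameservers in /etc/resolv.conf. The sample file contents are constructed stand-ins for James's files; the glibc resolver's limit of three nameservers is a documented property of the resolver, not something the thread states.

```python
# Added checks for the /etc/hosts and /etc/resolv.conf issues raised in the thread.
# Assumption (not from the thread): the samples below are constructed stand-ins
# for the poster's files, with placeholder addresses.
import ipaddress

# Constructed sample: the host's own FQDN is mapped to 127.0.1.1, as in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost proxy1 proxy2 printer
127.0.1.1 hostname.dev.domain.local hostname
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""
# Constructed sample: eight nameservers, one of them listed twice.
SAMPLE_RESOLV = """\
search domain.local
nameserver 10.0.0.20
nameserver 10.0.0.21
nameserver 10.0.0.11
nameserver 10.0.1.10
nameserver 10.0.1.20
nameserver 10.1.0.90
nameserver 10.1.0.21
nameserver 10.1.0.90
"""

GLIBC_MAXNS = 3  # glibc's stub resolver consults only the first three nameservers


def parse_hosts(text):
    """Yield (address, [names]) for each non-blank, non-comment hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            address, *names = line.split()
            yield address, names


def loopback_mapping_for(text, fqdn):
    """Return the loopback address the machine's own FQDN (or short name) is
    mapped to, or None if it maps to a real address. This is the 127.0.1.1
    entry Rowland flagged: the domain member then resolves itself to loopback."""
    short = fqdn.split(".")[0]
    for address, names in parse_hosts(text):
        if fqdn in names or short in names:
            try:
                if ipaddress.ip_address(address).is_loopback:
                    return address
            except ValueError:  # malformed address, skip the line
                continue
    return None


def resolv_findings(text):
    """Report nameserver count, duplicates, and entries past glibc's limit,
    which are never consulted (Rowland's advice: list only the DCs)."""
    servers = [ln.split()[1] for ln in text.splitlines()
               if ln.startswith("nameserver") and len(ln.split()) > 1]
    seen, dupes = set(), []
    for s in servers:
        if s in seen:
            dupes.append(s)
        seen.add(s)
    return {"count": len(servers), "duplicates": dupes,
            "ignored_by_glibc": servers[GLIBC_MAXNS:]}
```

Run the two functions against the real files on a domain member to see whether either finding applies before changing anything.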


Re: Listing AD group members

Samba - General mailing list
On Mon, Oct 30, 2017 at 2:03 PM, Rowland Penny via samba
<[hidden email]> wrote:

>>
>> /etc/hosts
>> 127.0.0.1     localhost proxy1 proxy2 printer
>> 127.0.1.1     hostname.dev.domain.local hostname
>
> Aha, your Unix domain member's IP isn't 127.0.1.1, so either change
> '127.0.1.1' to its IP address, if it has a fixed IP, or remove the line
> if it is getting its IP via DHCP.
>
> Rowland

That little trick is used so that contacts to the loopback, at
127.0.0.0/8, can be set to a distinct IP address and ensure the traffic
is recorded separately, even though coming in on the loopback address.
It can be very handy for segregating SSH and webhost traffic
separately from localhost traffic.


Re: Listing AD group members

Samba - General mailing list
On Sun, 5 Nov 2017 14:00:13 -0500
Nico Kadel-Garcia <[hidden email]> wrote:

> On Mon, Oct 30, 2017 at 2:03 PM, Rowland Penny via samba
> <[hidden email]> wrote:
>
> >>
> >> /etc/hosts
> >> 127.0.0.1     localhost proxy1 proxy2 printer
> >> 127.0.1.1     hostname.dev.domain.local hostname
> >
> > Aha, your Unix domain member's IP isn't 127.0.1.1, so either change
> > '127.0.1.1' to its IP address, if it has a fixed IP, or remove the
> > line if it is getting its IP via DHCP.
> >
> > Rowland
>
> That little trick is used so that contacts to the loopback, at
> 127.0.0.0/8, can be set to a distinct IP address and ensure the traffic
> is recorded separately, even though coming in on the loopback address.
> It can be very handy for segregating SSH and webhost traffic
> separately from localhost traffic.

Perhaps you are correct, but it also, from my experience, breaks
Samba ;-)

Rowland


Re: Listing AD group members

Samba - General mailing list

Suffice to say, changing it didn't fix the issue..... the problem I have
is that the Windows team who run the domain won't help with anything,
and tend to lock things down without telling anyone... so I figured it
would be easy to simply re-design my scripts to use a local lookup table
rather than refer to AD.

Thanks for your help though,

James



On 05/11/17 19:25, Rowland Penny via samba wrote:

> On Sun, 5 Nov 2017 14:00:13 -0500
> Nico Kadel-Garcia <[hidden email]> wrote:
>
>> On Mon, Oct 30, 2017 at 2:03 PM, Rowland Penny via samba
>> <[hidden email]> wrote:
>>
>>>> /etc/hosts
>>>> 127.0.0.1     localhost proxy1 proxy2 printer
>>>> 127.0.1.1     hostname.dev.domain.local hostname
>>> Aha, your Unix domain member's IP isn't 127.0.1.1, so either change
>>> '127.0.1.1' to its IP address, if it has a fixed IP, or remove the
>>> line if it is getting its IP via DHCP.
>>>
>>> Rowland
>> That little trick is used so that contacts to the loopback, at
>> 127.0.0.0/8, can be set to a distinct IP address and ensure the traffic
>> is recorded separately, even though coming in on the loopback address.
>> It can be very handy for segregating SSH and webhost traffic
>> separately from localhost traffic.
> Perhaps you are correct, but it also, from my experience, breaks
> Samba ;-)
>
> Rowland
>



Re: Listing AD group members

Samba - General mailing list
On Sun, 5 Nov 2017 19:38:58 +0000
"A. James Lewis via samba" <[hidden email]> wrote:

>
> Suffice to say, changing it didn't fix the issue..... the problem I
> have is that the Windows team who run the domain won't help with
> anything, and tend to lock things down without telling anyone... so I
> figured it would be easy to simply re-design my scripts to use a
> local lookup table rather than refer to AD.
>
> Thanks for your help though,
>
> James

If that is the case, if you can't join them, beat them, set up your own
Samba AD domain ;-)

You learn AD and by the sound of it, you already know Linux, this makes
you more valuable than somebody who just knows AD.

Rowland
