Winbind no longer shows group members when using 'getent group <groupname>' in RHEL 7 and above.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Winbind

Issue

  • Winbind no longer shows group members when using 'getent group ' in RHEL systems.
  • How should Winbind be configured in order to return group membership information with 'getent group'?
  • After updating to RHEL 7 from RHEL 6, Winbind no longer shows members of a group with 'getent group' lookups.

Resolution

  1. Add the following into /etc/samba/smb.conf file under [global] section.:

    winbind expand groups = 1

  2. Restart the winbind service:

    # systemctl stop smb winbind; rm -f /var/lib/samba/*.tdb ; net cache flush ; systemctl start smb winbind

  3. In case it still not working, consider this possibility:
    Samba in RHEL-8.7 with Winbind can not retrieve user groups from Active Directory

  4. Another point to check is the idmap, we would recommend set as below:

    idmap config DOMAIN : backend = autorid

  5. Check if samba is using default domain, set to no in order to get results from all domains:

    winbind use default domain = yes

  6. Restart Samba/Winbind and clear its cache:

    systemctl stop smb winbind; rm -f /var/lib/samba/*.tdb ; net cache flush ; systemctl start smb winbind

  7. Retest with:

    getent group DOMAIN\\Group-from-AD

  8. Others points to see:

Root Cause

  • The winbindd service in Samba version 4.2.0 and later no longer lists group memberships for display purposes. In some situations, such as in environments with trusted domains, it was not always possible to provide this information reliably. To prevent the risk of providing inaccurate information, the default winbindd configuration has been changed to winbind expand groups = 0, which disables the previous behavior.
  • Note that some commands, such as the getent group command, previously relied on this functionality and might not behave as before.

For more information, review the AUTHENTICATION AND INTEROPERABILITY section of Chapter 3 within the RHEL 7.2 release notes

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments