
SAMBA: How to Get a list of members of a particular Windows Group

 
Alzhy
Honored Contributor

SAMBA: How to Get a list of members of a particular Windows Group

Running Security = Domain.
Not running WinBind.

How do I get usernames belonging to a Windows Domain Group on UNIX?

If not, how is it done on Windows if one does not have Domain Admin privileges (not running Admin tools)?

Thanks!

Hakuna Matata.
3 REPLIES
Geoff Wild
Honored Contributor

Re: SAMBA: How to Get a list of members of a particular Windows Group

You need winbind....

Then use the wbinfo command

wbinfo -g


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
eric roseme
Respected Contributor

Re: SAMBA: How to Get a list of members of a particular Windows Group

Hi Nelson,

I looked at your earlier message this month and it appears that you were at least considering running with "security = ads". I recommend doing that and running winbind, then all of your mapping issues as well as group enumeration issues will be solved. However, if you do not have administrator (user/password) access to the Windows DC, then you'll need to read my whitepaper on how to join the domain with minimum permissions.
http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Also, you'll need to configure wbinfo to read the DC directory with a specific user that has permissions to do so:
"wbinfo --set-auth-user=". In the latest CIFS Server (A.02.02 - Samba 3.0.14a) we have an enhanced wbinfo that displays the users and groups UIDs and GIDs along with the names - this is very useful for hp-ux. Also, you can use wbinfo with -l and -L to list the fully qualified Windows user/group names on the POSIX ACL. That helps the readability a little.

If you do not want to deal with winbind, there is a "net rap groupmember", but I have never investigated it (no one has ever asked about it). I was looking at "net rpc group" too - do a "man net". Again - everyone I work with is using ADS. I'll have to set a server up with "security = domain" to try RAP/RPC out and see what happens. Let me know if that would help.

Eric Roseme
Hewlett-Packard
Alzhy
Honored Contributor

Re: SAMBA: How to Get a list of members of a particular Windows Group

I was planning on running Winbind and/or ADS but it seems there's more complexity in there and I am not sure I can get the cooperation of the Windows amigos.

My aim is to lock down writable shares to a particular Windows group. The users in that group do not have UNIX accounts so I was planning to instead employ a username map - and automating its maintenance.

I was hoping there could be a tool on UNIX that without running Winbind I can pull members of a Windows group - but it seems there is none. I tried net rpc / net rac but it does not seem to work or possibly I have not cracked the right syntax yet.

So the workaround that I employed is to simply use a Windows machine via a WinReskit tool I found -- ShowMembers.exe. I have an automated process that periodically transfers group memberships to my SAMBA machine and there I have another process that updates the username.map.

All is working well.

I still am hopeful though I can have a tool on UNIX to list Windows group memberships so the entire process is on UNIX.

Hakuna Matata.
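
The username.map update step described in the post above, sketched as an added example that is not part of the original thread or the poster's own script. It assumes the transferred member list has one Windows account name per line and that members map to a single shared UNIX account; `smbshare`, `EXAMPLE` and both function names are hypothetical. Names are validated before they reach the map because the file gives `*`, `@`, `+`, `&`, `!`, `#` and `;` special meaning.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed input: one Windows account
# name per line on stdin (for instance the transferred member list).
# Usage sketch: build_username_map smbshare EXAMPLE < members.txt

# Emit one 'unixuser = DOMAIN\winuser' line per valid, unique member name.
build_username_map() (
    LC_ALL=C; export LC_ALL      # byte-wise ranges for sort and the pattern
    unix_account=$1
    domain=$2
    # Strip CRs from Windows line endings, then de-duplicate.
    tr -d '\r' | sort -u | while IFS= read -r member; do
        [ -n "$member" ] || continue
        case $member in
            # Refuse anything outside a conservative set. This keeps out the
            # map file's special characters (* @ + & ! # ;) and also names
            # containing spaces, which this sketch does not handle.
            *[!A-Za-z0-9._-]*)
                printf 'rejected member name: %s\n' "$member" >&2
                continue ;;
        esac
        printf '%s = %s\\%s\n' "$unix_account" "$domain" "$member"
    done
)

# Write the new map beside the live one and rename it into place, so smbd
# never reads a half-written file.
install_username_map() {
    new_content=$1
    target=$2
    tmp="$target.tmp.$$"
    ( umask 022; printf '%s\n' "$new_content" > "$tmp" ) &&
        mv "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}
```

Rejected names are reported on stderr, so the periodic job can log or alert on them instead of silently dropping members.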