Environment:

  • fresh Debian 10 Samba 4.9.5-Debian as AD-DC, using internal LDAP, internal DNS, RFC2307 enabled, libnss-winbind enabled and configured, libpam-winbind enabled and configured
  • fresh Debian 10 Samba 4.9.5-Debian as Fileserver, joined to the AD-Domain, RFC2307 enabled, libnss-winbind enabled and configured, libpam-winbind enabled and configured
  • Windows 7 and Windows 10 Clients
  • Various Linux Servers will join the AD-Domain
  • Microsoft RSAT Tools installed on Windows 7 for Management

AD-Users and AD-Groups simply work on Windows; both have NIS User/Group IDs assigned.

`getent passwd` on the fileserver shows all AD-users. `getent group` on the fileserver shows all AD-groups, but all AD-groups appear empty on Linux. Windows RSAT tools show group members as expected.

Output is `somegroup:x:23456:`.

Expected output is `somegroup:x:23456:joe.user,tim.trouble,n.o.clue`.

It seems I'm missing a little detail that needs to be configured.

Alexander Foken

2 Answers

The solution was a missing parameter in `smb.conf`, shown in "Linux nested groups with winbind".

`winbind expand groups` defaults to 0 since Samba 4.2 and has to be non-zero to list user members in `getent group`.

I've set `winbind expand groups = 10` in `smb.conf` on the file server; that works for our little Samba-AD.

Alexander Foken
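As an added illustration of the accepted fix (example script, not part of the thread or of Samba): the first function reports the effective `winbind expand groups` depth from an `smb.conf`, returning Samba's default of 0 when the parameter is absent, and the other two inspect a `getent group` line for the member field that stays empty while the depth is 0. The `smb.conf` snippets, the workgroup/realm names and the group line are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective
# "winbind expand groups" depth in an smb.conf and inspect getent group
# lines for members. The sample configurations below are constructed.

# Print the value of "winbind expand groups" from the [global] section of
# the smb.conf given as $1. Samba's default is 0 (since 4.2), so that is
# printed when the parameter is absent. Samba ignores case and whitespace
# in parameter names, and the match here does the same.
expand_groups_depth() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/) }
        in_global && tolower($0) ~ /^[ \t]*winbind[ \t]*expand[ \t]*groups[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "name ="
            sub(/[ \t]*$/, "")         # drop trailing blanks
            value = $0
        }
        END { print (value == "" ? 0 : value) }
    ' "$1"
}

# Given one line of getent group output (name:x:gid:member,member,...),
# print the fourth field, the member list. It is empty when winbind did
# not expand the group, which is the symptom in the question.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Succeed (exit 0) if the line lists at least one member.
has_members() {
    [ -n "$(group_members "$1")" ]
}

# Show the two states side by side using constructed smb.conf snippets.
demo() {
    before=$(mktemp) ; after=$(mktemp)
    cat > "$before" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.ORG
    security = ADS
    winbind enum users = yes
    winbind enum groups = yes
EOF
    # Same file plus the parameter the accepted answer adds.
    { cat "$before"; echo '    winbind expand groups = 10'; } > "$after"

    echo "before: winbind expand groups = $(expand_groups_depth "$before")"
    echo "after:  winbind expand groups = $(expand_groups_depth "$after")"

    for line in 'somegroup:x:23456:' 'somegroup:x:23456:joe.user,tim.trouble,n.o.clue'; do
        if has_members "$line"; then
            echo "$line -> members: $(group_members "$line")"
        else
            echo "$line -> no members listed (expand groups is 0 or not yet applied)"
        fi
    done
    rm -f "$before" "$after"
}

demo
```

On the real file server, `testparm -sv | grep -i 'winbind expand groups'` prints the value Samba actually uses, defaults included, which is a quicker check than parsing the file by hand; after changing the parameter, restart the winbind service and re-run `getent group somegroup` to confirm the member field is filled.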
Have a look at `winbind enum users` + `winbind enum groups`. They default to `no` in `smb.conf`.

Quoting `winbind enum users`:

If the winbind enum users parameter is no, calls to the getpwent system call will not return any data.

and `winbind enum groups`:

If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.

That said, you should not need to enable the settings. Users and groups can be enumerated via `wbinfo -u` and `wbinfo -g`.

dpat
  • `winbind enum users` and `winbind enum groups` are enabled. `wbinfo -u` and `wbinfo -g` return the AD users and AD groups. `getent group` doesn't list group **members** as expected. – Alexander Foken May 14 '21 at 19:40
  • Now I get what you mean. And yes, it seems listing the group members does not work remotely. The closest I've found is that the group membership requires a special permission to be able to do so, see: https://serverfault.com/a/626997/351892 JFTR: On the Domain Controller, group members can be listed with: `samba-tool group listmembers $GROUPNAME`. – dpat May 15 '21 at 14:35
  • serverfault.com/a/626997/351892 looks promising, but the domain users have no "Security" tab in RSAT tools on Win7. I see no way to grant the "read group membership" permissions. – Alexander Foken May 17 '21 at 12:59