Q&A: Why can't I use nested group search with a Primary Group like "Domain Users" in Samba?

Daniel_Duchon · July 20, 2021, 10:43am

Question

Why can’t I use nested group search with a Primary Group like “Domain Users” in Samba?

Answer

This is because Active Directory is saving the Primary Group of a user in users primaryGroupID-Attribute which only holds the RID of the group:

root@example:~# univention-s4search samaccountname=mmusterfrau primaryGroupID memberOf
# record 1
dn: CN=mmusterfrau,CN=Users,DC=example,DC=net
primaryGroupID: 513
memberOf: CN=Users,CN=Builtin,DC=example,DC=net

root@example:~# univention-ldapsearch -LLL memberUID=mmusterfrau dn
dn: cn=Domain Users,cn=groups,dc=example,dc=net
dn: cn=Users,cn=Builtin,dc=example,dc=net

To use nested groups, you may create a new group, add every user in it and use this as search base. You can also create a user-template[1] so every newly created user will be put into this group.

[1]https://docs.software-univention.de/manual-4.4.html#users:templates

Daniel_Duchon · July 20, 2021, 10:43am