Hi...

All of a sudden our samba file servers are no longer honoring secondary group membership.

It appears that the fileservers are no longer seeing groups. When I do a 'net -U <domUser> rpc group list' on the PDC everything is fine. I can see all groups. When I do this on the fileservers I do not receive anything.

We operate samba 4.3.9 both as classic PDC (for a couple of reasons we cannot switch to AD) and as fileserver (domain members). Upgraded them today due to the problems from 4.3.x to 4.3.9. All machines are running solely smbd/nmbd, no winbind.

This morning the fileservers, which are joined domain members (security=DOMAIN), are denying write access to folders for users which are members of secondary groups. Writing with primary membership is working. It is NOT a linux problem. When working directly on linux (directly on the machine or via NFS) all is ok.

Operating on shares served by a domaincontroller (added some for testing) secondary groups are working.

Any ideas what could be wrong and how to fix it?

Thanks in advance,
Roland

On Mon, May 02, 2016 at 01:01:07PM +0200, Roland Schwingel wrote:
> Hi...
>
> All of a sudden our samba file servers are no longer honoring
> secondary group membership.
>
> It appears that the fileservers are no longer seeing groups.
> When I do a 'net -U <domUser> rpc group list' on the PDC everything
> is fine. I can see all groups. When I do this on the fileservers I
> do not receive anything.
>
> We operate samba 4.3.9 both as classic PDC (for a couple of reasons
> we cannot switch to AD) and as fileserver (domain members). Upgraded
> them today due to the problems from 4.3.x to 4.3.9. All machines are
> running solely smbd/nmbd, no winbind.
>
> This morning the fileservers, which are joined domain members
> (security=DOMAIN), are denying write access to folders for users
> which are members of secondary groups. Writing with primary
> membership is working. It is NOT a linux problem. When working
> directly on linux (directly on the machine or via NFS) all is ok.
>
> Operating on shares served by a domaincontroller (added some for
> testing) secondary groups are working.
>
> Any ideas what could be wrong and how to fix it?

Debug level 10 logs showing the details inside the auth are needed. Contrast with logs from an earlier version that worked.