Marcio Vogel Merlone dos Santos
2018-Nov-27 18:39 UTC
[Samba] Odd behavior on group membership
Hi,

I have a samba 4.7 AD DC running on a Ubuntu 18.04 server with distro packages. I update a user with a new group and this new membership is not reflected on that user. In the example below, I can successfully add the user "test.account" to group "test", but not my user "marcio.merlone":

root at araucaria:~# id test.account
uid=30214(A1\test.account) gid=100(users) groups=100(users),3000008(BUILTIN\users)
root at araucaria:~# samba-tool group addmembers test test.account
Added members to group test
root at araucaria:~# id test.account
uid=30214(A1\test.account) gid=100(users) groups=100(users),3000203(A1\test),3000008(BUILTIN\users)

User test.account was added successfully to group test. Although:

root at araucaria:~# samba-tool group addmembers test marcio.merlone
Added members to group test
root at araucaria:~# id marcio.merlone
uid=1014(A1\marcio.merlone) gid=100(users) groups=100(users),512(A1\domain admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
root at araucaria:~#

Group "test" does not show up. Also tried changing groups using ADUC and LDAP Account Manager, no diff.

Those tests were made on DC for debugging purposes, but I need this membership change reflected on a member server running squid proxy. Tracked down to DC not working as expected also. Same happens when removing a group membership.

Already tried net cache flush, winbind + smbd + nmbd restart, removing tdb files from /var/lib, no luck.

Any thoughts?

--
*Marcio Merlone*
On Tue, 27 Nov 2018 16:39:41 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I have a samba 4.7 AD DC running on a Ubuntu 18.04 server with distro
> packages. I update a user with a new group and this new membership is
> not reflected on that user. In the example below, I can successfully add
> the user "test.account" to group "test", but not my user
> "marcio.merlone":
>
> root at araucaria:~# id test.account
> uid=30214(A1\test.account) gid=100(users)
> groups=100(users),3000008(BUILTIN\users)
> root at araucaria:~# samba-tool group addmembers test test.account
> Added members to group test
> root at araucaria:~# id test.account
> uid=30214(A1\test.account) gid=100(users)
> groups=100(users),3000203(A1\test),3000008(BUILTIN\users)
>
> User test.account was added successfully to group test. Although:
>
> root at araucaria:~# samba-tool group addmembers test marcio.merlone
> Added members to group test
> root at araucaria:~# id marcio.merlone
> uid=1014(A1\marcio.merlone) gid=100(users)
> groups=100(users),512(A1\domain
> admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
> root at araucaria:~#
>
> Group "test" does not show up. Also tried changing groups using ADUC
> and LDAP Account Manager, no diff.
>
> Those tests were made on DC for debugging purposes, but I need this
> membership change reflected on a member server running squid proxy.
> Tracked down to DC not working as expected also. Same happens when
> removing a group membership.
>
> Already tried net cache flush, winbind + smbd + nmbd restart,
> removing tdb files from /var/lib, no luck.
>
> Any thoughts?
>

Is this on a Unix domain member?

gid=100(users) shows that this is probably on a DC and 'Domain Users' doesn't have a gidNumber (unless it is set to '100')

10012(BUILTIN\administrators) shows that 'administrators' does have a gidNumber

'winbind + smbd + nmbd restart' would suggest it is a Unix domain member

Please post the smb.conf file(s)

Rowland
Marcio Vogel Merlone dos Santos
2018-Nov-28 10:48 UTC
[Samba] Odd behavior on group membership
Hi Rowland,

Those tests were made on DC (araucaria), not a domain member.

root at araucaria:~# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        ldap server require strong auth = No
        log file = /var/log/samba/%m.log
        ntlm auth = ntlmv1-permitted
        passdb backend = samba_dsdb
        realm = AD.TLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        template homedir = /home/usuarios/%U
        template shell = /bin/bash
        wins support = Yes
        workgroup = A1
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/ad.tld/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
root at araucaria:~#

On 27/11/2018 17:14, Rowland Penny via samba wrote:
> On Tue, 27 Nov 2018 16:39:41 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I have a samba 4.7 AD DC running on a Ubuntu 18.04 server with distro
>> packages. I update a user with a new group and this new membership is
>> not reflected on that user. In the example below, I can successfully add
>> the user "test.account" to group "test", but not my user
>> "marcio.merlone":
>>
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000008(BUILTIN\users)
>> root at araucaria:~# samba-tool group addmembers test test.account
>> Added members to group test
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000203(A1\test),3000008(BUILTIN\users)
>>
>> User test.account was added successfully to group test. Although:
>>
>> root at araucaria:~# samba-tool group addmembers test marcio.merlone
>> Added members to group test
>> root at araucaria:~# id marcio.merlone
>> uid=1014(A1\marcio.merlone) gid=100(users)
>> groups=100(users),512(A1\domain
>> admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
>> root at araucaria:~#
>>
>> Group "test" does not show up. Also tried changing groups using ADUC
>> and LDAP Account Manager, no diff.
>>
>> Those tests were made on DC for debugging purposes, but I need this
>> membership change reflected on a member server running squid proxy.
>> Tracked down to DC not working as expected also. Same happens when
>> removing a group membership.
>>
>> Already tried net cache flush, winbind + smbd + nmbd restart,
>> removing tdb files from /var/lib, no luck.
>>
>> Any thoughts?
>>
> Is this on a Unix domain member?
>
> gid=100(users) shows that this is probably on a DC and 'Domain Users'
> doesn't have a gidNumber (unless it is set to '100')
>
> 10012(BUILTIN\administrators) shows that 'administrators' does have a
> gidNumber
>
> 'winbind + smbd + nmbd restart' would suggest it is a Unix domain member

Oh, God, you are right, my bad. Should have restarted ad-dc.

--
*Marcio Merlone*
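As an added example, not code from the thread or from the Samba project, the following POSIX shell helper parses the `groups=` field of `id` output so the before/after comparison done by hand above can be scripted and re-run after each change. The sample `id` lines are constructed from the ones quoted in the thread; the `verify_membership` wrapper and the `samba-ad-dc` service name mentioned in the usage note are my assumptions (the thread only says "ad-dc").

```shell
#!/bin/sh
# Added example (not from the thread): check whether a group appears in the
# "groups=" list printed by `id`, so a change made with
# `samba-tool group addmembers` can be verified from a script instead of by eye.

# has_group ID_OUTPUT GROUP
# Returns 0 if GROUP is in the groups= list of ID_OUTPUT, 1 otherwise.
# Names are compared case-insensitively with any "A1\" / "BUILTIN\" domain
# prefix removed, so "test", "A1\test" and "TEST" all refer to the same group.
# GROUP is passed through the environment, not `awk -v`, so a backslash in
# "A1\test" is not mangled by -v's escape processing.
has_group() {
    printf '%s\n' "$1" | WANT="$2" awk '
        function bare(s,  p) {                  # "A1\test" -> "test", lower-cased
            p = index(s, "\\")
            if (p) s = substr(s, p + 1)
            return tolower(s)
        }
        BEGIN { want = bare(ENVIRON["WANT"]) }
        index($0, "groups=") == 0 { next }      # not an `id` line with groups
        {
            sub(/.*groups=/, "")                # keep only the comma-separated list
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                name = parts[i]
                sub(/^[0-9]*\(/, "", name)      # drop the numeric gid and "("
                sub(/\)$/, "", name)            # drop the closing ")"
                if (bare(name) == want) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# verify_membership USER GROUP  (hypothetical wrapper, runs the real `id`)
# Reports whether GROUP is currently visible for USER on this host. Exit 0 when
# present, 1 when absent, 2 when the user cannot be resolved at all.
verify_membership() {
    out=$(id "$1" 2>/dev/null) || { echo "cannot resolve user: $1"; return 2; }
    if has_group "$out" "$2"; then
        echo "$1 is in $2"
    else
        echo "$1 is NOT (yet) in $2: $out"
        return 1
    fi
}

# Sample `id` output, constructed from the lines quoted in the thread.
BEFORE='uid=30214(A1\test.account) gid=100(users) groups=100(users),3000008(BUILTIN\users)'
AFTER='uid=30214(A1\test.account) gid=100(users) groups=100(users),3000203(A1\test),3000008(BUILTIN\users)'
STALE='uid=1014(A1\marcio.merlone) gid=100(users) groups=100(users),512(A1\domain admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)'

for g in test "domain admins" administrators; do
    has_group "$BEFORE" "$g" && echo "before: $g present" || echo "before: $g absent"
    has_group "$AFTER"  "$g" && echo "after:  $g present" || echo "after:  $g absent"
    has_group "$STALE"  "$g" && echo "stale:  $g present" || echo "stale:  $g absent"
done
```

Running `verify_membership marcio.merlone test` on the DC right after `samba-tool group addmembers` shows whether the change is already visible to the NSS layer; if it is not, the thread's own conclusion applies: on a DC the whole AD DC service (`samba-ad-dc` on Ubuntu, assumed here) has to be restarted, since the separate winbind, smbd and nmbd units belong to a domain member setup.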