Marcio Vogel Merlone dos Santos
2018-Nov-28 10:48 UTC
[Samba] Odd behavior on group membership
Hi Rowland,

Those tests were made on DC (araucaria), not a domain member.

root at araucaria:~# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
	ldap server require strong auth = No
	log file = /var/log/samba/%m.log
	ntlm auth = ntlmv1-permitted
	passdb backend = samba_dsdb
	realm = AD.TLD
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	template homedir = /home/usuarios/%U
	template shell = /bin/bash
	wins support = Yes
	workgroup = A1
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	idmap_ldb:use rfc2307 = yes
	idmap config * : backend = tdb
	map archive = No
	map readonly = no
	store dos attributes = Yes
	vfs objects = dfs_samba4 acl_xattr


[netlogon]
	path = /var/lib/samba/sysvol/ad.tld/scripts
	read only = No


[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

root at araucaria:~#

On 27/11/2018 17:14, Rowland Penny via samba wrote:
> On Tue, 27 Nov 2018 16:39:41 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I have a samba 4.7 AD DC running on a Ubuntu 18.04 server with distro
>> packages. I update a user with a new group and this new membership is
>> not reflected on that user. In the example below, I can successfully add
>> the user "test.account" to group "test", but not my user
>> "marcio.merlone":
>>
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000008(BUILTIN\users)
>> root at araucaria:~# samba-tool group addmembers test test.account
>> Added members to group test
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000203(A1\test),3000008(BUILTIN\users)
>>
>> User test.account was added successfully to group test. Although:
>>
>> root at araucaria:~# samba-tool group addmembers test marcio.merlone
>> Added members to group test
>> root at araucaria:~# id marcio.merlone
>> uid=1014(A1\marcio.merlone) gid=100(users)
>> groups=100(users),512(A1\domain admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
>> root at araucaria:~#
>>
>> Group "test" does not show up. Also tried changing groups using ADUC
>> and LDAP Account Manager, no diff.
>>
>> Those tests were made on DC for debugging purposes, but I need this
>> membership change reflected on a member server running squid proxy.
>> Tracked down to DC not working as expected also. Same happens when
>> removing a group membership.
>>
>> Already tried net cache flush, winbind + smbd + nmbd restart,
>> removing tdb files from /var/lib, no luck.
>>
>> Any thoughts?
>>
> Is this on a Unix domain member ?
>
> gid=100(users) shows that this is probably on a DC and 'Domain Users'
> doesn't have a gidNumber (unless it is set to '100')
>
> 10012(BUILTIN\administrators) shows that 'administrators' does have a
> gidNumber
>
> 'winbind + smbd + nmbd restart' would suggest it is a Unix domain member

Oh, God, you are right, my bad. Should have restarted ad-dc.

-- 
Marcio Merlone
On Wed, 28 Nov 2018 08:48:07 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Those tests were made on DC (araucaria), not a domain member.
>
> root at araucaria:~# testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> passdb backend = samba_dsdb
> wins support = Yes
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>
>

I would remove the above lines from your smb.conf, most are defaults,
but some are actually wrong for an AD DC, see 'man smb.conf' for more
details

Rowland
Marcio Vogel Merlone dos Santos
2018-Nov-28 12:12 UTC
[Samba] Odd behavior on group membership
Hi Rowland,

Thank you for your prompt reply. I sent you the testparm output, hence lots of defaults (I presumed it would be better); here is the crude smb.conf:

root at araucaria:~# cat /etc/samba/smb.conf
[global]
netbios name = ARAUCARIA
realm = AD.TLD
server role = active directory domain controller
workgroup = A1
server services = -dns
ldap server require strong auth = no
wins support = yes
ntlm auth = yes
log file = /var/log/samba/%m.log
log level = 1 auth_audit:3 auth_json_audit:3
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
template shell = /bin/bash
template homedir = /home/usuarios/%U

[netlogon]
path = /var/lib/samba/sysvol/ad.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
root at araucaria:~#

On 28/11/2018 09:17, Rowland Penny via samba wrote:
> On Wed, 28 Nov 2018 08:48:07 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> Those tests were made on DC (araucaria), not a domain member.
>>
>> root at araucaria:~# testparm /etc/samba/smb.conf
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>> (16384) Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> passdb backend = samba_dsdb
>> wins support = Yes
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
> I would remove the above lines from your smb.conf, most are defaults,
> but some are actually wrong for an AD DC, see 'man smb.conf' for more
> details
>
> Rowland
>

-- 
Marcio Merlone
IT - Network Administrator
A1 Engenharia - Unidade Corporativa
Phone: +55 41 3616-3797
Mobile: +55 41 99689-0036
https://a1.ind.br/
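As an added example (not code from the thread's participants or from the Samba project), here is a small Python linter that parses an smb.conf and reports, for an AD DC, the [global] parameters Rowland quoted back and suggested removing. The thread does not say which of those lines are the "wrong" ones, so the script only reports that each is set explicitly; that list is taken verbatim from his reply. Beyond Rowland's point, it also flags two settings in Marcio's raw smb.conf that weaken authentication: 'ntlm auth = yes' (testparm prints it as 'ntlmv1-permitted'), which allows NTLMv1, and 'ldap server require strong auth = no', which allows unsigned or simple LDAP binds. The sample config is a constructed inline copy of the raw smb.conf posted above; the parameter-name normalisation assumes Samba's behaviour of ignoring case and whitespace in parameter names.

```python
"""Lint an smb.conf for the settings discussed in this thread (added example)."""
import re

# Parameters Rowland quoted back and suggested removing from an AD DC's config.
DC_REMOVE = [
    "passdb backend", "wins support", "rpc_server:tcpip",
    "rpc_daemon:spoolssd", "rpc_server:spoolss", "rpc_server:winreg",
    "rpc_server:ntsvcs", "rpc_server:eventlog", "rpc_server:srvsvc",
    "rpc_server:svcctl", "rpc_server:default", "winbindd:use external pipes",
    "idmap config * : backend", "map archive", "map readonly",
    "store dos attributes", "vfs objects",
]

# Authentication-weakening values (compared case-insensitively); my own list,
# not something Rowland raised in the thread.
WEAK_AUTH = {
    "ntlm auth": {"yes", "ntlmv1-permitted"},
    "ldap server require strong auth": {"no"},
}

# Constructed copy of the raw smb.conf Marcio posted (prompt lines dropped).
RAW_SMB_CONF = """\
[global]
netbios name = ARAUCARIA
realm = AD.TLD
server role = active directory domain controller
workgroup = A1
server services = -dns
ldap server require strong auth = no
wins support = yes
ntlm auth = yes
log file = /var/log/samba/%m.log
log level = 1 auth_audit:3 auth_json_audit:3
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
template shell = /bin/bash
template homedir = /home/usuarios/%U

[netlogon]
path = /var/lib/samba/sysvol/ad.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""


def _norm(name):
    """Samba ignores case and whitespace in parameter names; do the same."""
    return re.sub(r"\s+", "", name.lower())


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # section header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:  # stray line outside a section
            continue
        key, _, value = line.partition("=")     # split on the first '=' only
        sections[current][_norm(key)] = value.strip()
    return sections


def lint(text):
    """Return sorted (parameter, reason) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Only the full role name is matched; role aliases are not handled here.
    is_dc = g.get(_norm("server role"), "").lower() == "active directory domain controller"
    for name in DC_REMOVE:
        if is_dc and _norm(name) in g:
            findings.append((name, "set explicitly on an AD DC; Rowland suggested removing it"))
    for name, bad in WEAK_AUTH.items():
        val = g.get(_norm(name), "").lower()
        if val in bad:
            findings.append((name, "value '%s' weakens authentication" % val))
    return sorted(findings)


if __name__ == "__main__":
    for param, reason in lint(RAW_SMB_CONF):
        print("%-32s %s" % (param, reason))
```

Run against the constructed copy of Marcio's config it reports four findings: 'idmap config * : backend' and 'wins support' from Rowland's list, plus the two weak-auth settings. One line the script deliberately leaves alone is 'log level = 1 auth_audit:3 auth_json_audit:3', which keeps authentication auditing on and is worth retaining for detection when the rest of the file is trimmed.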