Dipl.-Ing. Péter Varkoly
2020-Mar-16 14:21 UTC
[Samba] Winbind does not show all groups of all users
Hi!

I'm using 4.10.13 as AD and have the issue that winbind does not correctly show the group membership of some users.

    # Global parameters
    [global]
        ldap server require strong auth = no
        netbios name = admin
        realm = XXXX.LOKAL
        workgroup = XXXX
        dns forwarder = 8.8.8.8
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = Yes
        winbind enum users = No
        winbind enum groups = No
        wide links = Yes
        unix extensions = No
        bind interfaces only = yes
        interfaces = 127.0.0.1, 172.16.0.2
        ntlm auth = yes
        template shell = /bin/bash
        socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15

For example the user sta is member of the group 10A:

    ldbsearch -H /var/lib/samba/private/sam.ldb CN=10A | grep sta
    instanceType: 4
    member: CN=sta,OU=teachers,DC=xxxxx,DC=lokal

    ldbsearch -H /var/lib/samba/private/sam.ldb CN=sta | grep 10A
    memberOf: CN=10A,CN=Users,DC=xxxxx,DC=lokal

But id does not show this:

    uid=4000821(XXXXX\sta) gid=100(users) Gruppen=100(users),4000005(XXXXX\teachers),4001457(XXXXXX\erdkunde),3000009(BUILTIN\users)

And:

    wbinfo --user-groups sta
    100
    4000005
    4001457
    3000009

What is wrong with this user?? Most of the users do not have this problem.

Regards.

--
Dipl.-Ing. Péter Varkoly
Greuleinweg 37.
D-90411 Nürnberg
On 16/03/2020 14:21, Dipl.-Ing. Péter Varkoly via samba wrote:
> Hi!
>
> I'm using 4.10.13 as AD and have the issue that winbind does not
> correctly show the group membership of some users.
>
>     # Global parameters
>     [global]
>         ldap server require strong auth = no
>         netbios name = admin
>         realm = XXXX.LOKAL
>         workgroup = XXXX
>         dns forwarder = 8.8.8.8
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = Yes
>         winbind enum users = No
>         winbind enum groups = No
>         wide links = Yes
>         unix extensions = No
>         bind interfaces only = yes
>         interfaces = 127.0.0.1, 172.16.0.2
>         ntlm auth = yes
>         template shell = /bin/bash
>         socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
>
> For example the user sta is member of the group 10A:
>
>     ldbsearch -H /var/lib/samba/private/sam.ldb CN=10A | grep sta
>     instanceType: 4
>     member: CN=sta,OU=teachers,DC=xxxxx,DC=lokal
>
>     ldbsearch -H /var/lib/samba/private/sam.ldb CN=sta | grep 10A
>     memberOf: CN=10A,CN=Users,DC=xxxxx,DC=lokal
>
> But id does not show this:
>
>     uid=4000821(XXXXX\sta) gid=100(users) Gruppen=100(users),4000005(XXXXX\teachers),4001457(XXXXXX\erdkunde),3000009(BUILTIN\users)
>
> And:
>
>     wbinfo --user-groups sta
>     100
>     4000005
>     4001457
>     3000009
>
> What is wrong with this user?? Most of the users do not have this
> problem.
>
> Regards.
>

After deciphering the above, it is a known feature, only when a user logs in can you be sure to get a full list of the user's groups.

What is interesting are the IDs in the 4000000 range, why this range?

Rowland
Dipl.-Ing. Péter Varkoly
2020-Mar-16 16:19 UTC
[Samba] Winbind does not show all groups of all users
On Monday, 16.03.2020, at 15:17 +0000, Rowland penny via samba wrote:
>
> After deciphering the above,

Sorry. Evolution has reformatted my text :-(

> it is a known feature, only when a user
> logs in can you be sure to get a full list of the user's groups.

Very strange. I've recreated a new user and put it in all groups and he was immediately in all groups.

What does it mean to log in? Is "smbclient //server/share -U user%pw" enough? Connecting "sta" with smbclient has access to all groups. Making

    su - sta ; id

not all groups will be shown.

>
> What is interesting are the IDs in the 4000000 range, why this range?

By creating a new object we generate a new unix id and save it into the rfc2307 attributes: uidNumber, gidNumber. We wanted to separate this from the winbind "automatic" id-s. If a user or group has a unix-id 30XXX then we know immediately something went wrong :-)

>
> Rowland
>

--
Dipl.-Ing. Péter Varkoly
Greuleinweg 37.
D-90411 Nürnberg
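
Added example, not part of the thread and not Samba code: a small Python check that compares the memberOf values stored in the directory with the groups that `id` resolves for the same user, so that the kind of gap discussed above (10A missing for sta) can be listed per user. The function names are hypothetical; the `id` line is the one quoted in the thread, and the memberOf lines other than 10A are constructed for illustration.

```python
import re

# Constructed sample: memberOf lines as ldbsearch prints them for the user.
# Only the 10A line appears in the thread; the other two are assumed.
SAMPLE_LDIF = """\
dn: CN=sta,OU=teachers,DC=xxxxx,DC=lokal
memberOf: CN=10A,CN=Users,DC=xxxxx,DC=lokal
memberOf: CN=teachers,CN=Users,DC=xxxxx,DC=lokal
memberOf: CN=erdkunde,CN=Users,DC=xxxxx,DC=lokal
"""

# The `id` output quoted in the thread (German locale, hence "Gruppen=").
SAMPLE_ID = (r"uid=4000821(XXXXX\sta) gid=100(users) "
             r"Gruppen=100(users),4000005(XXXXX\teachers),"
             r"4001457(XXXXXX\erdkunde),3000009(BUILTIN\users)")


def directory_groups(ldif):
    """Return the CN of every memberOf value in ldbsearch/LDIF text.

    Folded or base64-encoded ("memberOf::") values are not handled.
    """
    return re.findall(r"^memberOf:\s*CN=((?:\\.|[^,\\])+),", ldif, re.M | re.I)


def resolved_groups(id_output):
    """Map gid -> group name from the third field of `id` output.

    The field label is locale dependent (groups, Gruppen, ...), so fields
    are taken by position: uid, gid, supplementary group list.
    """
    fields = re.findall(r"\w+=(\d+\([^)]*\)(?:,\d+\([^)]*\))*)", id_output)
    if len(fields) < 3:
        return {}
    return {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", fields[2])}


def missing_from_winbind(ldif, id_output):
    """Directory groups whose short name is absent from the resolved list."""
    seen = {name.rsplit("\\", 1)[-1].lower()
            for name in resolved_groups(id_output).values()}
    return [cn for cn in directory_groups(ldif) if cn.lower() not in seen]


if __name__ == "__main__":
    for cn in missing_from_winbind(SAMPLE_LDIF, SAMPLE_ID):
        print("in directory but not resolved by winbind:", cn)
```

The comparison is by short group name only, so the primary group and nested memberships are outside what it checks.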