Oleg Blyahher
2020-Apr-22 09:51 UTC
[Samba] Group issues on AD DC, membership does not work on some users
Hi everyone,

I'm running Samba 4.7.6 on Ubuntu 18.04.

I have an issue with adding users to groups with samba-tool, not really sure where to look for more info. samba -i didn't show anything at all.

This is what I do:

samba-tool group add new-group
samba-tool group addmembers new-group my-user

If I run 'id my-user' or 'groups my-user', then the group 'new-group' does not appear there. It does, however, appear if I check in LDAP (samba-tool user edit my-user).

This becomes a problem when I set ACLs in a domain-joined file share server - users who are members of certain groups cannot access files and folders belonging to the groups they are a part of.

I can also add that this server used to be a non-DC Samba server, and that the GIDs go first between 1000-1027 (the oldest ones) and then between 5888-6012.

The strange thing is that it only occurs to some users - most don't have that issue at all. I've tried adding different types of users to different groups, couldn't really find any pattern. Many times the domain-joined server gives a more accurate output of 'id user' than the DC - a user might be in a group, but the DC won't show it, while a server joined to the DC actually will.
Here is my smb.conf:

[global]
workgroup = company
realm = INTERNAL.COMPANY.COM
netbios name = dc
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
ntlm auth = mschapv2-and-ntlmv2-only
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
tls enabled = yes
tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
tls cafile =
interfaces = lo,ens3
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf

[netlogon]
path = /var/lib/samba/sysvol/internal.company.com/scripts
browseable = no
read only = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = no

Any ideas are highly appreciated here.

Thanks!
Oleg
Rowland penny
2020-Apr-22 10:29 UTC
[Samba] Group issues on AD DC, membership does not work on some users
On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
> Hi everyone,
>
> I'm running Samba 4.7.6 on Ubuntu 18.04.

Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is concerned, you can get later Samba versions here:

http://apt.van-belle.nl/

> I have an issue with adding users to groups with samba-tool, not really sure where to look for more info. samba -i didn't show anything at all.
>
> This is what I do:
>
> samba-tool group add new-group
> samba-tool group addmembers new-group my-user
>
> If I run 'id my-user' or 'groups my-user', then the group 'new-group' does not appear there. It does, however, appear if I check in LDAP (samba-tool user edit my-user).

Sounds like the affected user isn't logged in, you can only be sure of getting a correct list of a user's groups if the user is logged in.

> This becomes a problem when I set ACLs in a domain-joined file share server - users who are members of certain groups cannot access files and folders belonging to the groups they are a part of.

If the 'domain-joined file share server' is a Unix computer, then possibly 'samba-tool group add new-group' isn't sufficient, the group will not have a gidNumber attribute and if the 'idmap config' DOMAIN backend is 'ad', then the group will be ignored.

> I can also add that this server used to be a non-DC Samba server, and that the GIDs go first between 1000-1027 (the oldest ones) and then between 5888-6012.

This shouldn't be a problem unless the 'idmap config' DOMAIN range isn't something like '1000-7000'.

> The strange thing is that it only occurs to some users - most don't have that issue at all. I've tried adding different types of users to different groups, couldn't really find any pattern. Many times the domain-joined server gives a more accurate output of 'id user' than the DC - a user might be in a group, but the DC won't show it, while a server joined to the DC actually will.

Probably because the user is logged in.

> Here is my smb.conf:

Just a few comments ;-)

server role check:inhibit = yes

Why? The only reason could be if you are trying to run the 'nmbd' daemon and you must not do that on a DC.

dsdb:schema update allowed = yes

Again, why? Do you update your schema on a regular basis??

winbind enum users = yes
winbind enum groups = yes

All those do is potentially slow things down.

map to guest = Bad User

On a DC, the authentication centre?

Rowland
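A worked check for the gidNumber point in the reply above, written as an added example and not code from this thread or from the Samba project. The script parses the LDIF that `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' cn gidNumber` prints on the DC, lists the groups that have no gidNumber (the ones a member server with `idmap config DOMAIN : backend = ad` will not map), flags any gidNumber that falls outside the member's idmap range, and writes an LDIF for `ldbmodify` that gives each missing group the next gid above the highest one already in use, so no gid that may already own files on disk is reused. The sample LDIF is constructed here, the 1000-7000 range is an assumption taken from the suggestion above, and the script runs offline on the embedded sample; only the ldbsearch/ldbmodify commands in the comments touch a real DC.

```python
"""Find AD groups without an rfc2307 gidNumber and build the LDIF that adds one.

Run on the DC against real data with:
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' cn gidNumber > groups.ldif
  python3 gidcheck.py < groups.ldif > fix.ldif      # (reading stdin is left to the reader)
  ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif
"""
import base64

# Assumed member-server setting: 'idmap config COMPANY : range = 1000-7000'.
IDMAP_RANGE = (1000, 7000)

# Constructed sample, shaped like ldbsearch output: one group with an old gid,
# one freshly created with 'samba-tool group add' (no gidNumber), one newer gid.
SAMPLE_LDIF = """\
# record 1
dn: CN=old-group,CN=Users,DC=internal,DC=company,DC=com
cn: old-group
gidNumber: 1005

# record 2
dn: CN=new-group,CN=Users,DC=internal,DC=company,DC=com
cn: new-group

# record 3
dn: CN=shares,CN=Users,DC=internal,DC=company,DC=com
cn: shares
gidNumber: 6012

# returned 3 records
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading single space) onto the line before."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def parse_ldif(text):
    """Parse LDIF records into a list of {attribute: [values]} dicts.

    Skips '#' comment lines, decodes base64 values written as 'attr:: ...',
    and treats a blank line as the end of a record.
    """
    records, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        records.append(current)
    return records


def groups_missing_gid(records):
    """DNs of groups the 'ad' idmap backend will ignore because they lack gidNumber."""
    return [r["dn"][0] for r in records if "gidNumber" not in r]


def gids_outside_range(records, idmap_range=IDMAP_RANGE):
    """(dn, gid) pairs whose gidNumber lies outside the member server's idmap range."""
    lo, hi = idmap_range
    return [(r["dn"][0], int(g)) for r in records
            for g in r.get("gidNumber", []) if not lo <= int(g) <= hi]


def assign_gid_ldif(records, idmap_range=IDMAP_RANGE):
    """LDIF for ldbmodify adding gidNumber to every group that lacks one.

    Allocation starts just above the highest gidNumber already present, so
    existing POSIX ownership on disk is never reused; raises if the range runs out.
    """
    lo, hi = idmap_range
    used = [int(g) for r in records for g in r.get("gidNumber", [])]
    next_gid = max([lo - 1] + used) + 1
    entries = []
    for dn in groups_missing_gid(records):
        if next_gid > hi:
            raise ValueError(f"idmap range {lo}-{hi} exhausted before {dn}")
        entries.append(f"dn: {dn}\nchangetype: modify\nadd: gidNumber\ngidNumber: {next_gid}\n")
        next_gid += 1
    return "\n".join(entries)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for dn in groups_missing_gid(recs):
        print("no gidNumber (ignored by idmap_ad):", dn)
    for dn, gid in gids_outside_range(recs):
        print(f"gidNumber {gid} outside idmap range:", dn)
    print(assign_gid_ldif(recs))
```

On the constructed sample the script reports new-group as unmapped, finds all existing gids inside 1000-7000, and emits a modify entry giving new-group gidNumber 6013. The same parser works for users, where the attribute to look for is uidNumber instead.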
Oleg Blyahher
2020-Apr-22 10:48 UTC
[Samba] Group issues on AD DC, membership does not work on some users
Thank you so much for the prompt response and the valuable comments.

We are using a pretty much unmodified Zentyal installation, which in its own turn sets everything up for a Samba DC. It might be a good idea for us to move away from that, if Zentyal uses an EOL version of Samba..

You were absolutely right about the sign-in part! Almost all of us work from home in these special days, so there are hardly any sign-ons to the DC itself. People take their computers home and use cached credentials.

Your questions regarding the smb.conf are really good. Unfortunately, I have no clue why Zentyal thought that would be a good idea :) I will comment out the lines you've mentioned and see what happens :D

Thank you once again.

Oleg

On 2020-04-22 12:29, Rowland penny via samba wrote:
> On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
>> Hi everyone,
>>
>> I'm running Samba 4.7.6 on Ubuntu 18.04.
>
> Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is concerned, you can get later Samba versions here:
>
> http://apt.van-belle.nl/
>
>> I have an issue with adding users to groups with samba-tool, not really sure where to look for more info. samba -i didn't show anything at all.
>>
>> This is what I do:
>>
>> samba-tool group add new-group
>> samba-tool group addmembers new-group my-user
>>
>> If I run 'id my-user' or 'groups my-user', then the group 'new-group' does not appear there. It does, however, appear if I check in LDAP (samba-tool user edit my-user).
>
> Sounds like the affected user isn't logged in, you can only be sure of getting a correct list of a user's groups if the user is logged in.
>
>> This becomes a problem when I set ACLs in a domain-joined file share server - users who are members of certain groups cannot access files and folders belonging to the groups they are a part of.
>
> If the 'domain-joined file share server' is a Unix computer, then possibly 'samba-tool group add new-group' isn't sufficient, the group will not have a gidNumber attribute and if the 'idmap config' DOMAIN backend is 'ad', then the group will be ignored.
>
>> I can also add that this server used to be a non-DC Samba server, and that the GIDs go first between 1000-1027 (the oldest ones) and then between 5888-6012.
>
> This shouldn't be a problem unless the 'idmap config' DOMAIN range isn't something like '1000-7000'.
>
>> The strange thing is that it only occurs to some users - most don't have that issue at all. I've tried adding different types of users to different groups, couldn't really find any pattern. Many times the domain-joined server gives a more accurate output of 'id user' than the DC - a user might be in a group, but the DC won't show it, while a server joined to the DC actually will.
>
> Probably because the user is logged in.
>
>> Here is my smb.conf:
>
> Just a few comments ;-)
>
> server role check:inhibit = yes
>
> Why? The only reason could be if you are trying to run the 'nmbd' daemon and you must not do that on a DC.
>
> dsdb:schema update allowed = yes
>
> Again, why? Do you update your schema on a regular basis??
>
> winbind enum users = yes
> winbind enum groups = yes
>
> All those do is potentially slow things down.
>
> map to guest = Bad User
>
> On a DC, the authentication centre?
>
> Rowland