Hi all,

I'm having a strange issue with one of my samba domains that I hope you can help with.

Simply put, getent group|grep "domain admins" returns (as expected) domain admins:x:3000061: on both my DCs, but comes out empty on both linux domain members. Can't really say when this started to happen, but, apart from some apt update&&upgrade, I've made no major changes to the system lately.

As a consequence chown root:"domain admins" somefile gives chown: invalid group: on the domain members, but works perfectly on the DCs. As far as I can tell, ACLs that involve Domain Admins work perfectly (see point 3 below).

All machines are running a self compiled samba 4.10 on debian buster.

What I've done:
1) tested with other groups. All work perfectly
2) Checked https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member in particular, the "winbind connectivity section". wbinfo --ping-dc works as expected
2a) Also checked https://wiki.samba.org/index.php/Libnss_winbind_Links
3) wbinfo -g shows domain admins on all machines
4) net ads leave / net ads join did not solve
5) samba-tool dbcheck --cross-ncs

I'm out of ideas and any help is, as usual, very much appreciated.
Best regards,
Carlos

My nsswitch:

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

smb.conf:

1) for DCs

[global]
        realm = SAMDOM.LOCAL
        workgroup = SAMDOM
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@/var/log/samba/sam.log
        log file = /var/log/samba/samba.log
        server services = -dns
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%U
        server min protocol = SMB2
        #Disable printing share
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

2) For DMs

[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.LOCAL
        interfaces = lo br0
        bind interfaces only = yes
        log file = /var/log/samba/%U.log
        log level = 1
        username map = /usr/local/samba/etc/user.map
        local master = no
        time server = no
        wins support = no
        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : range = 10000-999999
        idmap config SAMDOM : schema_mode = rfc2307
        idmap config SAMDOM : unix_nss_info = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%U
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        winbind refresh tickets = Yes
        #only for ext4. remove for other FS's
        strict allocate = yes
        #For Netdata monitoring
        smbd profiling level 1
        min receivefile size = 16384
        use sendfile = yes
        server min protocol = SMB2
        write cache size = 65536
        #For 4 minutes to release lock (Outlook remember?)
        socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
        load printers = no
        printcap name = /dev/null
        #As per thread on mailing list
        inherit acls = yes
        inherit owner = yes
        inherit permissions = yes

[SHARES]...
> Hi all,
> I'm having a strange issue with one of my samba domains that I hope you can help with.
> Simply put, getent group|grep "domain admins" returns (as expected) domain admins:x:3000061: on both my DCs, but comes out
> empty on both linux domain members.
[snip]

getent group will not show the AD groups unless the line:

winbind enum groups = yes

is in the global section of smb.conf. Similarly getent users will not show the users in AD without the line:

winbind enum users = yes

in smb.conf.

Try getent group "domain admins" - it should give you the appropriate output.

Not sure why it works on the DCs without the above lines in smb.conf though.

HTH
Roy
Rowland penny
2020-Dec-13 10:01 UTC
[Samba] Domain admins group missing from domain member
On 13/12/2020 02:09, Carlos Jesus via samba wrote:
> Hi all,
> I'm having a strange issue with one of my samba domains that I hope you can
> help with.
> Simply put, getent group|grep "domain admins" returns (as expected) domain
> admins:x:3000061: on both my DCs, but comes out empty on both linux domain
> members.

Not sure why that worked, it shouldn't because you don't have 'winbind enum groups = yes' in your DC's smb.conf.

Also you are using the 'ad' backend on the Unix domain member and '3000061' isn't a gidNumber, it is an xidNumber and only used on DCs. This actually is a good thing, because if you do give Domain Admins a gidNumber, it just becomes a group and cannot own files and folders in sysvol.

Rowland
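As an added example (not from this thread and not part of Samba itself), the POSIX shell helper below runs offline against an smb.conf and checks the two things Roy and Rowland point at: whether winbind enum groups is set, which decides if a plain getent group enumeration lists AD groups at all, and which configured idmap range a numeric ID falls in. The embedded smb.conf is a constructed sample trimmed from the domain-member [global] section Carlos posted; fed the ID 3000061 it reports that no range on the member covers it, which is Rowland's point that this is the DC's xidNumber and not a gid the member's winbind could ever produce. The function names (smb_param, enum_groups_enabled, idmap_domain_for_id, diagnose) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks against an smb.conf for the
# two points raised in the replies (winbind enumeration and idmap ranges).

# Constructed sample, trimmed from the domain-member [global] section quoted above.
SAMPLE_SMBCONF="$(cat <<'EOF'
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.LOCAL
        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : range = 10000-999999
        idmap config SAMDOM : schema_mode = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind use default domain = yes
EOF
)"

# smb_param CONF PARAM: print the value of PARAM from [global]. Keys are compared
# case-insensitively with whitespace collapsed, so "idmap config SAMDOM : backend"
# is found. Prints nothing when the parameter is absent.
smb_param() {
    printf '%s\n' "$1" | awk -v want="$2" -F'=' '
        BEGIN { gsub(/[[:space:]]+/, " ", want); want = tolower(want) }
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && NF >= 2 {
            key = $1
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/[[:space:]]+/, " ", key)
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }'
}

# enum_groups_enabled CONF: "yes" when winbind enum groups is on (then getent group
# with no argument lists AD groups), otherwise "no", the default. Lookups by name,
# i.e. getent group "domain admins", work either way.
enum_groups_enabled() {
    case "$(smb_param "$1" 'winbind enum groups' | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# idmap_domain_for_id CONF ID: the idmap config domain ("SAMDOM", "*") whose
# range contains ID, or "none" when no configured range covers it.
idmap_domain_for_id() {
    printf '%s\n' "$1" | awk -v id="$2" '
        tolower($0) ~ /^[[:space:]]*idmap config [^:]*:[[:space:]]*range[[:space:]]*=/ {
            c = index($0, ":"); e = index($0, "=")
            dom = substr($0, 1, c - 1)
            sub(/[[:space:]]+$/, "", dom)
            n = split(dom, w, /[[:space:]]+/); dom = w[n]
            rng = substr($0, e + 1); gsub(/[[:space:]]/, "", rng)
            split(rng, lohi, "-")
            if (id + 0 >= lohi[1] + 0 && id + 0 <= lohi[2] + 0) { print dom; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# diagnose CONF ID: human-readable verdict combining both checks.
diagnose() {
    enum=$(enum_groups_enabled "$1")
    dom=$(idmap_domain_for_id "$1" "$2")
    if [ "$enum" = no ]; then
        printf 'winbind enum groups is off: look groups up by name (getent group "<name>"), not with getent group | grep\n'
    fi
    if [ "$dom" = none ]; then
        printf 'ID %s is outside every idmap range in this smb.conf; it was not issued by this host\n' "$2"
    else
        backend=$(smb_param "$1" "idmap config $dom : backend")
        printf 'ID %s falls in the "%s" range (backend: %s)\n' "$2" "$dom" "$backend"
    fi
}

diagnose "$SAMPLE_SMBCONF" 3000061
```

Run against a real member's /usr/local/samba/etc/smb.conf with diagnose "$(cat /path/to/smb.conf)" "$(id -g someuser)" to see which backend a resolved gid actually came from; a gid in the "*" range means the default tdb allocator answered rather than the ad backend, which is worth knowing before assuming the AD attributes were read.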