Matthias Kühne | Ellerhold AG
2021-Feb-24 09:13 UTC
[Samba] Group membership not updating on one DC only
Hello,

it seems like the group membership isn't updating anymore for a certain user on a specific DC. We're using Debian Buster with samba 4.13.4+dfsg-0.1buster2.

We have (atm) 3 DCs in their own AD sites: the first DC is in the default site ("Default-First-Site-Name"), the second and third DC are in their own sites. Each of them should be responsible for its IP ranges.

I've just changed the group membership of a user via MS ADUC (connected to DC-2). It didn't replicate to DC-1: 'net cache flush && groups DOMAIN\\user.name' shows all groups on DC2 and DC3, but on DC1 2 groups are missing.

Steps I tried without any change:

* Waiting until the next morning (~12 hours)
* Restarting all DCs one at a time
* net cache flush (with or without restarting samba-ad-dc)
* Moved all DCs to the default AD site
* samba-tool dbcheck --cross-ncs --fix --yes on all 3 DCs
* samba-tool drs replicate --full-sync --sync-forced DC1 DC2 DC=...
* Transferring all FSMO roles from DC1 to DC2, demoting DC1, apt remove --purge samba on DC1 and a complete reinstall with rejoin

Even after all of this: the groups of user.name are still the old values! DC2 and DC3 show the new membership info.

Some more things I've tried:

* wbinfo -g shows all groups correctly
* getent group shows all groups correctly (if winbind enum groups is set to Yes)
* samba-tool drs uptodateness shows all zeros (and 5 different "Unknown invocation ID XYZ" error messages spammed about)
* samba-tool visualize uptodateness -r shows all green zeros (same error message as above)
* samba-tool drs kcc is successful on all 3 DCs
* samba-tool drs showrepl
  o Shows 0 consecutive failures
  o But all outbound connections on DC1 also show "Last attempt @ NTTIME(0) was successful" ... this means that no sync has been done - right?
  o Inbound connections on DC properly show an up-to-date time+date
* samba-tool ldapcmp ldap://DC2 ldap://DC1
  o Result for [DOMAIN]: SUCCESS (all other partitions are a success too)
  o But in [DOMAIN] 7 users are shown as:
    + LdbError for dn CN=MEIN TESSTNAME,...: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT -? <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:939> <>')
    + The user is named "Mein Te?tname" in ADUC...
    + Is this a problem?
    + The user with the missing groups has no ? in his name though...

Does anybody have an idea what's wrong here? What do I need to do to debug it further?

Thanks in advance!

--
Matthias Kühne
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe
Amtsgericht Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
----------------
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
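The showrepl observations in the post above (0 consecutive failures, but outbound entries on DC1 stuck at "Last attempt @ NTTIME(0)") are the kind of thing worth checking on every DC rather than reading by eye. The following is an added example, not code from the original post or from the Samba project: a small Python parser for the text that `samba-tool drs showrepl` prints, which lists each inbound and outbound neighbour per partition and flags entries that were never attempted (NTTIME(0)) or that report a failed last attempt or consecutive failures. The embedded sample output is constructed here, modelled on the showrepl text format; its site and DC names, GUIDs, timestamps and the error code are made up. The script only surfaces the NTTIME(0) entries; whether such an outbound entry is itself a fault is the question the post asks, and the script does not decide it.

```python
"""Check `samba-tool drs showrepl` output for neighbours that have never
replicated or are failing.  Added example, not Samba project code.

Usage on a DC:   samba-tool drs showrepl | python3 showrepl_check.py
Without piped input it runs against the constructed sample below."""
import re
import sys
from dataclasses import dataclass

# Constructed sample modelled on the showrepl text format; the site/DC
# names, GUIDs, timestamps and error code are made up for this example.
SAMPLE = """\
Default-First-Site-Name\\DC1
DSA Options: 0x00000001
DSA object GUID: 11111111-1111-1111-1111-111111111111
DSA invocationId: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
\tSite-2\\DC2 via RPC
\t\tDSA object GUID: 33333333-3333-3333-3333-333333333333
\t\tLast attempt @ Wed Feb 24 09:10:02 2021 CET was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Feb 24 09:10:02 2021 CET

CN=Configuration,DC=samdom,DC=example,DC=com
\tSite-3\\DC3 via RPC
\t\tDSA object GUID: 44444444-4444-4444-4444-444444444444
\t\tLast attempt @ Wed Feb 24 09:09:58 2021 CET failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
\t\t3 consecutive failure(s).
\t\tLast success @ Tue Feb 23 21:00:00 2021 CET

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
\tSite-2\\DC2 via RPC
\t\tDSA object GUID: 33333333-3333-3333-3333-333333333333
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====
"""


@dataclass
class Neighbour:
    direction: str     # "INBOUND" or "OUTBOUND"
    partition: str     # naming context this neighbour replicates
    peer: str          # Site\DC of the replication partner
    last_attempt: str  # timestamp text, or "NTTIME(0)" if never attempted
    ok: bool           # last attempt reported as successful
    failures: int      # consecutive failure count


HEADER = re.compile(r"^==== (\w+) (NEIGHBORS|CONNECTION OBJECTS) ====$")
ATTEMPT = re.compile(r"^Last attempt @ (.+?) (was successful|failed.*)$")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)\.$")


def parse_showrepl(text):
    """Return the list of Neighbour records found in showrepl output."""
    neighbours, section, partition, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            # Only the two NEIGHBORS sections carry per-partition entries.
            section = m.group(1) if m.group(2) == "NEIGHBORS" else None
            partition = current = None
            continue
        if section is None:
            continue
        depth = len(raw) - len(raw.lstrip("\t"))   # tab depth gives the level
        if depth == 0:                              # partition DN line
            partition = line
        elif depth == 1:                            # "Site\DC via RPC" line
            current = Neighbour(section, partition, line.split(" via ")[0], "", False, 0)
            neighbours.append(current)
        elif current is not None:                   # detail lines for the neighbour
            m = ATTEMPT.match(line)
            if m:
                current.last_attempt = m.group(1)
                current.ok = m.group(2) == "was successful"
            m = FAILS.match(line)
            if m:
                current.failures = int(m.group(1))
    return neighbours


def problems(neighbours):
    """Return (neighbour, reason) pairs that deserve a closer look."""
    found = []
    for n in neighbours:
        if n.last_attempt == "NTTIME(0)":
            found.append((n, "never attempted (Last attempt @ NTTIME(0))"))
        elif not n.ok or n.failures:
            found.append((n, f"last attempt failed, {n.failures} consecutive failure(s)"))
    return found


def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    neighbours = parse_showrepl(text)
    for n in neighbours:
        print(f"{n.direction:8} {n.peer:24} {n.partition}")
    for n, reason in problems(neighbours):
        print(f"WARNING {n.direction} {n.peer} {n.partition}: {reason}")


if __name__ == "__main__":
    main()
```

Run it on each DC and compare the warnings: a DC whose outbound entries all sit at NTTIME(0) while its inbound entries carry fresh timestamps stands out immediately, and a non-zero failure count with its error code is printed next to the partner and partition it belongs to.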
Matthias Kühne | Ellerhold AG
2021-Feb-24 09:36 UTC
[Samba] Group membership not updating on one DC only
Hello,

I just asked the user to ssh into DC1. And lo and behold, after that he has the correct groups. I let him connect to a fileserver via SMB and it updated the groups correctly too. Yay

So it seems like the cache (on a domain member and on a DC) only gets updated if the user connects to it. net cache flush doesn't seem to do anything here.

Winbind offline logon is enabled. Is this the / a problem?

Is there any command I could run to update the groups without asking the user to log in to the machine?

On 24.02.21 at 10:13, Matthias Kühne | Ellerhold AG via samba wrote:
> [...]