Jason Harris
2014-Feb-20 01:55 UTC
[Samba] 3.6 member to 2008 AD, winbind integration, users sometimes lose group membership
We've had linux fileservers in our org for a long time and this roughly coincided with version 3.6.

Our linux member servers are winbound, filesystems are ext2+ with acl support and permissions assigned to AD groups via setfacl.

At any given time, out of all the users that use the fileshares daily there are about 1-2 that get "access denied" by the client os (win xp, 7 and 8).

I can log into the linux host, su into the denied account, and verify that it is denied locally too, so the issue is not with smb share, but with winbind/ad/filesystem acl.

id and getent will show that the group membership of the denied user is "missing" some groups, namely the ones that are needed to access the directory in question. After checking with other accounts it seems like samba loses group enumeration more commonly. Only by luck are the bulk of users successfully able to access the files they need to.

Upon further examination, it seems as though it is random; 100 servers with the same exact config file (save for server name) will all do groups correctly except for one. After a month, it will change and another server will misbehave while the first will "fix" itself.

Is this the correct forum to ask for help? If not, where can I go?

Thanks all,
Jason Harris
Denis Cardon
2014-Feb-20 11:30 UTC
[Samba] 3.6 member to 2008 AD, winbind integration, users sometimes lose group membership
Hi Jason,

> We've had linux fileservers in our org for a long time and this roughly
> coincided with version 3.6.
>
> Our linux member servers are winbound, filesystems are ext2+ with acl
> support and permissions assigned to AD groups via setfacl.
>
> At any given time, out of all the users that use the fileshares daily
> there are about 1-2 that get "access denied" by the client os (win xp, 7
> and 8).
>
> I can log into the linux host, su into the denied account, and verify
> that it is denied locally too, so the issue is not with smb share, but
> with winbind/ad/filesystem acl.
>
> id and getent will show that the group membership of the denied user is
> "missing" some groups, namely the ones that are needed to access the
> directory in question. After checking with other accounts it seems like
> samba loses group enumeration more commonly. Only by luck are the bulk
> of users successfully able to access the files they need to.
>
> Upon further examination, it seems as though it is random; 100 servers
> with the same exact config file (save for server name) will all do
> groups correctly except for one. After a month, it will change and
> another server will misbehave while the first will "fix" itself.

we had a similar issue on a fresh wheezy install a few months ago (samba 3.6.6 with winbind as member server of an MS 2k8r2 AD). We encountered the exact same symptoms as you do, random nsswitch issues with group membership. What stunned me is that we have the same setup at other clients and never had issues... since I was clueless on the root cause of the problem, I started an upgrade to see if it would solve the issue. Since 3.6 will go to maintenance in the near future, we did an upgrade directly to samba 4.1.4 as member server compiled from source. Everything is doing fine since then. Unfortunately I didn't have time to look deeper into the root cause of the problem.

We have many other similar setups that run fine, why this one and only this one loses group membership I still don't know.

Hope this helps,

Denis

> Is this the correct forum to ask for help? If not, where can I go?
>
> Thanks all,
> Jason Harris

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
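
Added example, not part of either post above: one way to locate the symptom described in this thread across a fleet is to collect the output of `id <user>` from every member server and flag the hosts that report fewer groups than most of their peers. The host names, the user, the group names and the `quorum` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: `id 'EXAMPLE\jdoe'` output gathered from four member servers.
FULL = (r"uid=10001(EXAMPLE\jdoe) gid=10000(EXAMPLE\domain users) "
        r"groups=10000(EXAMPLE\domain users),10005(EXAMPLE\finance-rw),"
        r"10009(EXAMPLE\projects)")
SAMPLE = {
    "fs01": FULL,
    "fs02": FULL,
    # fs03 shows the symptom: two AD groups are absent from the list.
    "fs03": (r"uid=10001(EXAMPLE\jdoe) gid=10000(EXAMPLE\domain users) "
             r"groups=10000(EXAMPLE\domain users)"),
    # SELinux hosts append a context= field, which is not part of the group list.
    "fs04": FULL + " context=unconfined_u:unconfined_r:unconfined_t:s0",
}

# Group names may contain spaces, so split on the gid(name) shape, not on whitespace.
GROUPS_FIELD = re.compile(r"groups=(.*?)(?:\s+context=\S+)?$")
ENTRY = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_groups(id_line):
    """Return the group names in the groups= field of one line of `id` output.

    A gid that the host could not resolve to a name is kept as its number.
    """
    field = GROUPS_FIELD.search(id_line.strip())
    if not field:
        return set()
    return {name or gid for gid, name in ENTRY.findall(field.group(1))}


def find_outliers(id_by_host, quorum=0.5):
    """Map host -> groups reported by more than `quorum` of hosts but missing here."""
    groups = {host: parse_groups(line) for host, line in id_by_host.items()}
    seen = Counter(g for members in groups.values() for g in members)
    expected = {g for g, n in seen.items() if n / len(groups) > quorum}
    return {host: sorted(expected - members)
            for host, members in groups.items() if expected - members}


if __name__ == "__main__":
    for host, missing in find_outliers(SAMPLE).items():
        print(f"{host}: missing {', '.join(missing)}")
```

Running the same comparison on a schedule also records when a host starts and stops misbehaving, which helps when matching the symptom against winbind logs.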