Daniel Thielking
2016-Jun-15 12:33 UTC
[Samba] id shows only primary group on domain member server
Hi,

now I have another problem. I compiled samba 4.4.4 on a Centos 7.2 Server with no special options for ./configure.
Afterwards I followed the wiki article mentioned below, to join Centos 7.2 as a member server to our existing AD.

WIKI Article:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Now, if I type id USERNAME I only get the user's UID, GID and only the GID as the supplementary Group, no more groups are showing up. What have I missed?

Thanks Guys
Daniel
Rowland penny
2016-Jun-15 12:49 UTC
[Samba] id shows only primary group on domain member server
On 15/06/16 13:33, Daniel Thielking wrote:
> Hi,
>
> now I have another problem. I compiled samba 4.4.4 on a Centos 7.2
> Server with no special options for ./configure.
> Afterwards I followed the wiki article mentioned below,
> to join Centos 7.2 as a member server to our existing AD.
>
> WIKI Article:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Now, if I type id USERNAME I only get the user's UID, GID and only the
> GID as the supplementary Group, no more groups are showing up. What
> have I missed?
>
> Thanks Guys
> Daniel
>

Can you please post your smb.conf from the domain member.

Rowland
Daniel Thielking
2016-Jun-15 13:00 UTC
[Samba] id shows only primary group on domain member server
cat /usr/local/samba/etc/smb.conf:

# Entries for the Active Directory Samba4
workgroup = SAMDOM
realm =SAMDOM.LOCAL
security = ADS
# All template settings come directly from AD
# The shell is set here only for security reasons
template shell = /bin/false
kerberos method = secrets and keytab
dedicated keytab file /etc/krb5.keytab
# Selecting the domain is not necessary here, since default domain uses the workgroup
# Offline logon is off. Enabling it only makes sense for mobile devices
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
server string = Samba %v on %h
local master = No

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

# logs split per machine
log file = /usr/local/samba/var/log.%m
# max 500KB per log file, then rotate
max log size = 500
log level = 1

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 300
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 4

# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range 1000000-1100000

# idmap config for domain SAMDOM
idmap config IAS:backend = ad
idmap config IAS:schema_mode rfc2307
idmap config IAS:range = 500-999999

# Set caching to 5 minutes for GIDs/UIDs
idmap cache time = 300
idmap negative cache time = 1

# --------------------------- Printer Options -----------------------------
load printers = no

# --------------------------- Filesystem Options ---------------------------
unix charset = UTF8
dos charset = 850

# For files
# u-x g-x o-rwx
create mask = 0660
# ug+rw (SVN)
force create mode = 0660

# For directories
directory mask = 0770
force directory mode = 0770

# Mappings of special files under Windows
map archive = no
map hidden = no
map read only Permissions
map system = no

# Samba's behaviour towards special files
wide links = no
blocking locks = no
delete veto files = yes
hide files = /.*/desktop.ini/.DS_Store/
hide special files = yes
delete readonly = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# --------------------------- Share Definitions ---------------------------

On 15/06/16 14:49, Rowland penny wrote:
> On 15/06/16 13:33, Daniel Thielking wrote:
>> Hi,
>>
>> now I have another problem. I compiled samba 4.4.4 on a Centos 7.2
>> Server with no special options for ./configure.
>> Afterwards I followed the wiki article mentioned below,
>> to join Centos 7.2 as a member server to our existing AD.
>>
>> WIKI Article:
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Now, if I type id USERNAME I only get the user's UID, GID and only the
>> GID as the supplementary Group, no more groups are showing up. What
>> have I missed?
>>
>> Thanks Guys
>> Daniel
>>
>
> Can you please post your smb.conf from the domain member.
>
> Rowland
>
>
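Added example, not part of the thread or of Samba: a small Python lint for the idmap part of an smb.conf like the one posted above. It flags lines with no `=`, `idmap config` domain names that differ from `workgroup`, and missing or overlapping ranges; `SAMPLE` is a constructed excerpt modelled on the posted file, and `lint_idmap` is a hypothetical helper name.

```python
import re

# Constructed sample: a cut-down [global] modelled on the smb.conf posted above.
SAMPLE = """\
workgroup = SAMDOM
realm =SAMDOM.LOCAL
dedicated keytab file /etc/krb5.keytab
idmap config *:backend = tdb
idmap config *:range 1000000-1100000
idmap config IAS:backend = ad
idmap config IAS:schema_mode rfc2307
idmap config IAS:range = 500-999999
"""

IDMAP = re.compile(r"idmap config\s+(\S+?)\s*:\s*(.+)$", re.I)

def lint_idmap(text):
    """Return a list of findings for the idmap settings in smb.conf text."""
    findings, params, ranges, domains = [], {}, {}, set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        m = IDMAP.match(key)
        if m:
            domains.add(m.group(1))
        if not sep:  # not a "name = value" parameter
            findings.append(f"line {no}: no '=' in {line!r}")
            continue
        params[key.lower()] = value
        if m and m.group(2).lower() == "range":
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if r:
                ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    # The joined domain's idmap section is keyed by its NetBIOS name (workgroup).
    wg = params.get("workgroup", "")
    for dom in sorted(domains - {"*"}):
        if dom.upper() != wg.upper():
            findings.append(f"idmap domain {dom!r} differs from workgroup {wg!r}")
    for dom in sorted(domains):
        if dom not in ranges:
            findings.append(f"idmap domain {dom!r} has no usable range")
    # Sort by low bound, then compare each range with its neighbour.
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    for (a, (_, a_hi)), (b, (b_lo, _)) in zip(items, items[1:]):
        if b_lo <= a_hi:
            findings.append(f"ranges of {a!r} and {b!r} overlap")
    return findings
```

Calling `lint_idmap(open(path).read())` on a member server's smb.conf returns an empty list when every idmap line parses, every domain has a range, and no ranges overlap.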
Volker Lendecke
2016-Jun-16 06:29 UTC
[Samba] id shows only primary group on domain member server
On Wed, Jun 15, 2016 at 02:33:22PM +0200, Daniel Thielking wrote:
> now I have another problem. I compiled samba 4.4.4 on a Centos 7.2 Server
> with no special options for ./configure.
> Afterwards I followed the wiki article mentioned below,
> to join Centos 7.2 as a member server to our existing AD.
>
> WIKI Article:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Now, if I type id USERNAME I only get the user's UID, GID and only the GID as
> the supplementary Group, no more groups are showing up. What have I missed?

What happens if you do a "wbinfo -a <username>" successfully first?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

SerNet & BSI invite you: 29 June 2016, 2nd IT-Grundschutztag 2016, BPA Berlin.
Registration: https://www.sernet.de/gstag
Daniel Thielking
2016-Jun-16 06:57 UTC
[Samba] id shows only primary group on domain member server
@Rowland

I'm using the same configuration on a different domain member with CentOS7.2 with packaged samba4 RPMs from the OS. If I try to use `id USERNAME` I get the output in a complete version, e.g. uid=USERNAME gid=PRIMARY groups=PRIMARY, SUPGROUP1, SUPGROUP2.

Because of the parameter:

template shell = /bin/false

I read that this parameter is active just in case no login shell was set in the AD. In my opinion a security feature to prevent users from logging in without a login shell ;-).

I set all Unix-Attributes (RFC2307) in AD, e.g.:

NIS-Domain: SAMDOM
UID: Chosen by ADUC
Login-Shell: /bin/tcsh
Home-Directory: /home/USERNAME
GID: PRIMARY

For the SUPGroups I am using the member of tab in ADUC.

As mentioned above, ALL works on the member server with packaged RPMs and NOT on the compiled one mentioned earlier in my mails.

@Volker

If I enter "wbinfo -a USERNAME" I get the following output:

Enter USERNAME's password:
plaintext password authentication succeeded
Enter USERNAME's password:
challenge/response password authentication succeeded

I hope it helps.

Thanks guys!

On 16/06/16 08:29, Volker Lendecke wrote:
> On Wed, Jun 15, 2016 at 02:33:22PM +0200, Daniel Thielking wrote:
>> now I have another problem. I compiled samba 4.4.4 on a Centos 7.2 Server
>> with no special options for ./configure.
>> Afterwards I followed the wiki article mentioned below,
>> to join Centos 7.2 as a member server to our existing AD.
>>
>> WIKI Article:
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Now, if I type id USERNAME I only get the user's UID, GID and only the GID as
>> the supplementary Group, no more groups are showing up. What have I missed?
> What happens if you do a "wbinfo -a <username>" successfully first?
>
> Volker
>