A. James Lewis
2017-Aug-25 14:58 UTC
[Samba] AD Group update lag / cache, firewall related?
August 25, 2017 3:12 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 25 Aug 2017 13:54:21 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> It's not offline.... and groups do usually filter through...
>> sometimes immediately, sometimes never... but usually with a
>> significant delay...
>>
>> I originally put this down to the ancient version of Samba or Winbind
>> that was shipped with the OS, but it seems I was wrong...
>>
>> Winbind can see the group, and even the group membership... and the
>> group is passed on to the OS, but not the group membership.
>>
>> eg:-
>>
>> wbinfo -g user | grep group <-- successful
>>
>> getent group group <-- successful
>>
>> however
>>
>> groups user | grep group <-- fails
>>
>> I was wondering if there's a limit on the number of groups, since the
>> new machine using "groups", shows that the user has 128 groups, while
>> a machine that's been around for a while shows 156 groups... and
>> another machine that's local to the AD controller shows 174 groups.
>
> Hmm, try reading this:
>
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed
>
> Under 'Samba 4.6.0' --> winbind changes
>
> Does 'groups user' show any groups ?

Yes, however I have 4 servers and they each show a different number of groups, 128, 154, 169 and 174...

# for i in `groups user`; do echo $i; done | wc -l

The Samba 4.6 box shows 128, which makes me think perhaps there is a limit to the number of groups that are processed somewhere... 128 being a suspicious number!..... but that's a pure guess!.

> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
mathias dufresne
2017-Aug-25 15:22 UTC
[Samba] AD Group update lag / cache, firewall related?
It seems maximum groups per user was 32 until 2.6.3 kernel. Then it is not clear for same limit on recent kernel.

https://askubuntu.com/questions/300049/is-there-a-maximum-number-of-groups

2017-08-25 16:58 GMT+02:00 A. James Lewis via samba <samba at lists.samba.org>:

> August 25, 2017 3:12 PM, "Rowland Penny via samba" <samba at lists.samba.org>
> wrote:
>
> > On Fri, 25 Aug 2017 13:54:21 +0000
> > "A. James Lewis" <james at fsck.co.uk> wrote:
> >
> >> It's not offline.... and groups do usually filter through...
> >> sometimes immediately, sometimes never... but usually with a
> >> significant delay...
> >>
> >> I originally put this down to the ancient version of Samba or Winbind
> >> that was shipped with the OS, but it seems I was wrong...
> >>
> >> Winbind can see the group, and even the group membership... and the
> >> group is passed on to the OS, but not the group membership.
> >>
> >> eg:-
> >>
> >> wbinfo -g user | grep group <-- successful
> >>
> >> getent group group <-- successful
> >>
> >> however
> >>
> >> groups user | grep group <-- fails
> >>
> >> I was wondering if there's a limit on the number of groups, since the
> >> new machine using "groups", shows that the user has 128 groups, while
> >> a machine that's been around for a while shows 156 groups... and
> >> another machine that's local to the AD controller shows 174 groups.
> >
> > Hmm, try reading this:
> >
> > https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed
> >
> > Under 'Samba 4.6.0' --> winbind changes
> >
> > Does 'groups user' show any groups ?
>
> Yes, however I have 4 servers and they each show a different number of
> groups, 128, 154, 169 and 174...
>
> # for i in `groups user`; do echo $i; done | wc -l
>
> The Samba 4.6 box shows 128, which makes me think perhaps there is a limit
> to the number of groups that are processed somewhere... 128 being a
> suspicious number!..... but that's a pure guess!.
>
> > Rowland
A. James Lewis
2017-Aug-25 16:00 UTC
[Samba] AD Group update lag / cache, firewall related?
That seems to count out the kernel ... I guess the 128 number could be a co-incidence...

Actually I made a mistake below...

I used "wbinfo -g user", where I should have used "wbinfo -r user".....

In fact wbinfo fails to show the group membership I expect... where I said before that it succeeded.

wbinfo shows that the group exists, but not that the user is a member of it....

for i in `wbinfo -r fred`; do getent group $i | grep $i; done | grep problem-group

Other groups are visible using that command.

James

August 25, 2017 4:25 PM, "mathias dufresne via samba" <samba at lists.samba.org> wrote:

> It seems maximum groups per user was 32 until 2.6.3 kernel. Then it is not
> clear for same limit on recent kernel.
> https://askubuntu.com/questions/300049/is-there-a-maximum-number-of-groups
>
> 2017-08-25 16:58 GMT+02:00 A. James Lewis via samba <samba at lists.samba.org>:
>
>> August 25, 2017 3:12 PM, "Rowland Penny via samba" <samba at lists.samba.org>
>> wrote:
>>
>> On Fri, 25 Aug 2017 13:54:21 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>
>> It's not offline.... and groups do usually filter through...
>> sometimes immediately, sometimes never... but usually with a
>> significant delay...
>>
>> I originally put this down to the ancient version of Samba or Winbind
>> that was shipped with the OS, but it seems I was wrong...
>>
>> Winbind can see the group, and even the group membership... and the
>> group is passed on to the OS, but not the group membership.
>>
>> eg:-
>>
>> wbinfo -g user | grep group <-- successful
>>
>> getent group group <-- successful
>>
>> however
>>
>> groups user | grep group <-- fails
>>
>> I was wondering if there's a limit on the number of groups, since the
>> new machine using "groups", shows that the user has 128 groups, while
>> a machine that's been around for a while shows 156 groups... and
>> another machine that's local to the AD controller shows 174 groups.
>>
>> Hmm, try reading this:
>>
>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed
>>
>> Under 'Samba 4.6.0' --> winbind changes
>>
>> Does 'groups user' show any groups ?
>>
>> Yes, however I have 4 servers and they each show a different number of
>> groups, 128, 154, 169 and 174...
>>
>> # for i in `groups user`; do echo $i; done | wc -l
>>
>> The Samba 4.6 box shows 128, which makes me think perhaps there is a limit
>> to the number of groups that are processed somewhere... 128 being a
>> suspicious number!..... but that's a pure guess!.
>>
>> Rowland
Rowland Penny
2017-Aug-25 16:23 UTC
[Samba] AD Group update lag / cache, firewall related?
On Fri, 25 Aug 2017 16:00:28 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> That seems to count out the kernel ... I guess the 128 number could
> be a co-incidence...
>
> Actually I made a mistake below...
>
> I used "wbinfo -g user", where I should have used "wbinfo -r
> user".....
>
> In fact wbinfo fails to show the group membership I expect... where I
> said before that it succeeded.
>
> wbinfo shows that the group exists, but not that the user is a member
> of it....
>
> for i in `wbinfo -r fred`; do getent group $i | grep $i; done | grep
> problem-group
>
> Other groups are visible using that command.

What does:

wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'

Produce ?

Rowland
A. James Lewis
2017-Aug-25 17:03 UTC
[Samba] AD Group update lag / cache, firewall related?
# wbinfo -n working-group | awk '{print $1}' | awk -F '-' '{print $8}'
69153
# wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
136399

The OS can use that group:-

# chgrp problem-group test.txt
# ls -asl test.txt
0 -rw-r--r-- 1 root problem-group 0 Aug 25 17:55 test.txt
#

It's not a case that the group is unavailable... it is that the user's group membership is incomplete:-

server02:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
119

server01:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
155

I must admit that I expected that upgrading from Samba 3.6 to 4.6 would resolve this, but it did not!... and since a similarly configured server which is on the same LAN as the AD controller does not have this issue... while these servers are firewalled from the AD controller... I'm led to believe that some of the needed chatter between the AD controller and the server is blocked... but I'm slightly at a loss to find out what.

James

August 25, 2017 5:26 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 25 Aug 2017 16:00:28 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> That seems to count out the kernel ... I guess the 128 number could
>> be a co-incidence...
>>
>> Actually I made a mistake below...
>>
>> I used "wbinfo -g user", where I should have used "wbinfo -r
>> user".....
>>
>> In fact wbinfo fails to show the group membership I expect... where I
>> said before that it succeeded.
>>
>> wbinfo shows that the group exists, but not that the user is a member
>> of it....
>>
>> for i in `wbinfo -r fred`; do getent group $i | grep $i; done | grep
>> problem-group
>>
>> Other groups are visible using that command.
>
> What does:
>
> wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
>
> Produce ?
>
> Rowland
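An added example, not part of the thread: instead of comparing counts (119 against 155), save the `wbinfo -r` output from each server and list exactly which GIDs one server lacks, so each missing membership can be traced to a named group. The function names, file names and sample GIDs are constructed for illustration; `sid_rid` takes the last '-' field of the SID, which gives the same result as field 8 in the awk pipeline above for a standard domain SID.

```shell
#!/bin/sh
# Added example (not from the thread). Capture one GID per line on each host:
#   wbinfo -r joeuser > server01.gids

# RID of a SID: accepts a bare SID or a full `wbinfo -n` output line and
# prints the last '-' separated field of the first word.
sid_rid() {
    printf '%s\n' "$1" | awk '{ n = split($1, part, "-"); print part[n] }'
}

# Entries listed in file $1 that are absent from file $2, sorted and unique.
# grep exits 1 when nothing is missing, so that status is ignored.
missing_from() {
    sort -u "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample data standing in for two hosts' `wbinfo -r` output.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 10001 10002 10003 10004 > "$dir/server01.gids"
    printf '%s\n' 10003 10001 > "$dir/server02.gids"
    missing_from "$dir/server01.gids" "$dir/server02.gids"
    rm -rf "$dir"
}

demo
```

Each GID reported as missing can then be passed to `getent group` on the server that does see it, to get the group name.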