On Tue, 20 Mar 2018 11:02:46 +0100
Oliver Werner via samba <samba at lists.samba.org> wrote:
> Hello everybody,
>
> we have an issue with our Samba instance, an AD member acting as a fileserver.
>
> When I add a user to a group, it adds the user without
> problems.
>
> I can verify on our two domain controllers that the user is in the
> group with wbinfo -r <user>.
>
> Now when I check it on the member (fileserver), the user is not
> in the group.
>
> Does anyone have an idea what we've misconfigured?
>
>
> Our DCs and member are running Samba 4.7.6.
>
> Here is the configuration of our fileserver
>
> winbind trusted domains only = no
You don't need the above, it is the default
> winbind enum users = yes
> winbind enum groups = yes
You do not need the above two lines, they only do two things:
One: make 'getent passwd' & 'getent group' show lists of domain users & groups.
Two: slow things down if you have a lot of users & groups.
'getent' will work without them.
> winbind cache time = 300
You don't really need the above, it is the default
> # idmap config for domain HQ
> idmap config HQ:backend = ad
> idmap config HQ:schema_mode = rfc2307
> idmap config HQ:range = 1024-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
Things changed with the release of 4.6.0, you should replace 'winbind
nss info = rfc2307' with:
idmap config HQ:unix_nss_info = yes
See here for more info:
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_primary_group_and_nss_info
You might want to also read the paragraph above it:
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
It explains the reason for your problem.
Rowland
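A member-server [global] fragment that applies the advice above, as an added example that is not part of the original thread; the realm, the `security = ADS` line and the `idmap config *` lines are assumptions not shown in the post, and only the HQ idmap values come from it.

```ini
[global]
   workgroup = HQ
   # Constructed realm; replace with the AD DNS domain name
   realm = HQ.EXAMPLE.COM
   security = ADS

   # Default '*' domain (assumed; not shown in the original post) for
   # BUILTIN and any SIDs outside HQ. Its range must not overlap HQ's.
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999

   # idmap config for domain HQ, as in the original post
   idmap config HQ : backend = ad
   idmap config HQ : schema_mode = rfc2307
   idmap config HQ : range = 1024-99999
   # Samba 4.6+: take login shell and home directory from AD per domain
   idmap config HQ : unix_nss_info = yes

   # Pre-4.6 global setting, replaced by the per-domain line above:
   # winbind nss info = rfc2307

   # Defaults the original post set explicitly; they can be dropped:
   # winbind trusted domains only = no
   # winbind cache time = 300
   # 'winbind enum users/groups = yes' only fills 'getent' listings and
   # slows large domains, so it is left out here.
```

Check the file with `testparm`, restart winbind, then repeat the `wbinfo -r <user>` check on the member.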