Hi Rowland,

The issue seems to be due to the groups who decided not to show up in AD. Strangely, even when we added the group with the same name in the AD, it didn't resolve the issue, even though smb.conf dictates that the user has to be a member of a group with that name. Using getent group, we can see the group. Does Samba hold on to the SID of the group somehow?

Is there a way to get those lost groups in AD ;)

Regards,
Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 12/04/2018 9:21 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Issues post AD migration

On Thu, 12 Apr 2018 10:48:04 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> I added the following, reloaded the samba configs, joined the member
> server to the AD domain again
>
> [global]
> netbios name = FS01
> security = ADS
> workgroup = TESTDOM
> realm = TESTDOM.GROUP
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> idmap config TESTDOM:backend = ad
> idmap config TESTDOM:schema_mode = rfc2307
> idmap config TESTDOM:range = 10000-999999
>
> I get the following
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/04/12 20:20:34.389732, 0]
> passdb/lookup_sid.c:1684(get_primary_group_sid) Failed to find a Unix
> account for peteruser 'TESTDOM\pghimire' (from session setup) not
> permitted to access this share (data)
>
> Just to confirm getent is working
> getent group gives me all the groups in AD DC
>
> allowed rodc password replication group:x:3012:
> enterprise read-only domain controllers:x:3013:
> denied rodc password replication group:x:3008:krbtgt
> read-only domain controllers:x:3014:
> group policy creator owners:x:3007:administrator
> ras and ias servers:x:3015:
> domain controllers:x:3016:
> enterprise admins:x:3009:administrator

Hmm, where is 'Domain Users', and the groups are (rightly) being mapped to the '*' domain.

Does 'Domain Users' have a 'gidNumber' attribute containing a number inside the '10000-999999' range?

Do your users have a 'uidNumber' attribute containing a unique number inside the same range?

What version of Samba are you using? If it is less than 4.6.0 then you also need this line:

winbind nss info = rfc2307

From 4.6.0 it is replaced by:

idmap config TESTDOM : unix_nss_info = yes

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
On Fri, 13 Apr 2018 09:56:34 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The issue seems to be due to the groups who decided not to show up in
> AD. Strangely, even when we added the group with the same name in the
> AD, it didn't resolve the issue. Even though smb.conf dictates that
> the user has to be a member of a group with that name. Using getent
> group, we can see the group. Does Samba hold on to the SID of the
> group somehow?
>
> Is there a way to get those lost groups in AD ;)

Not sure I fully understand what you are saying here. Are you saying that you have a group in /etc/group but not in AD, and you have now added this group to AD? If so, delete the group in /etc/group and ensure the group in AD has a gidNumber. You will probably have to run 'net cache flush' after making the changes.

Rowland
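The two checks Rowland asks for in this thread (are the domain's groups and users carrying a gidNumber/uidNumber inside the domain's idmap range, and is the version-appropriate nss-info line present) can be scripted against the smb.conf and the getent output that were posted. The following is an added example, not code from the thread or from the Samba project: it parses the posted smb.conf, classifies each `getent group` gid by the idmap range it falls in, flags the groups that winbind allocated from the '*' tdb range (which is what you see when AD has no usable gidNumber for them), notes the missing 'Domain Users', and reports which line is needed depending on the Samba version. The configuration and getent lines are constructed copies of what was posted; the version strings in the usage block are assumptions.

```python
"""Added example (not from the thread): offline check for the idmap /
RFC2307 problems Rowland's replies point at."""
import re

# smb.conf fragment as posted earlier in the thread (constructed copy).
SMB_CONF = """
[global]
    netbios name = FS01
    security = ADS
    workgroup = TESTDOM
    realm = TESTDOM.GROUP
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap config TESTDOM:backend = ad
    idmap config TESTDOM:schema_mode = rfc2307
    idmap config TESTDOM:range = 10000-999999
"""

# `getent group` output as posted in the thread (constructed copy).
GETENT_GROUP = """\
allowed rodc password replication group:x:3012:
enterprise read-only domain controllers:x:3013:
denied rodc password replication group:x:3008:krbtgt
read-only domain controllers:x:3014:
group policy creator owners:x:3007:administrator
ras and ias servers:x:3015:
domain controllers:x:3016:
enterprise admins:x:3009:administrator
"""

# Matches both 'idmap config * : range = ...' and 'idmap config DOM:range = ...'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_ranges(cfg):
    """Return {domain: (low, high)} from each domain's 'range' option."""
    ranges = {}
    for dom, opts in cfg.items():
        if "range" in opts:
            lo, hi = opts["range"].replace(" ", "").split("-")
            ranges[dom] = (int(lo), int(hi))
    return ranges


def owning_domain(xid, ranges):
    """Name of the idmap domain whose range contains xid, or None."""
    for dom, (lo, hi) in ranges.items():
        if lo <= xid <= hi:
            return dom
    return None


def audit_groups(getent_output, conf, domain):
    """Flag gids allocated from the '*' tdb range (no usable gidNumber in AD),
    gids outside every range, and a missing 'Domain Users' entry."""
    ranges = parse_ranges(parse_idmap(conf))
    findings, names = [], set()
    for line in getent_output.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, _members = line.split(":", 3)
        names.add(name.lower())
        owner = owning_domain(int(gid), ranges)
        if owner == "*":
            findings.append(f"{name}: gid {gid} allocated from the '*' tdb range, "
                            f"so AD has no gidNumber inside the {domain} range for it")
        elif owner != domain:
            findings.append(f"{name}: gid {gid} is outside every configured idmap range")
    if "domain users" not in names:
        findings.append(f"'Domain Users' is missing: it needs a gidNumber inside the "
                        f"{domain} range (the get_primary_group_sid failure is the symptom)")
    return findings


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def missing_nss_info_line(conf, domain, samba_version):
    """The line Rowland's reply says is needed: 'winbind nss info = rfc2307'
    before 4.6.0, the per-domain unix_nss_info option from 4.6.0 on.
    Returns None when the right line is already present."""
    if version_tuple(samba_version) < (4, 6, 0):
        if re.search(r"^\s*winbind nss info\s*=\s*rfc2307\s*$", conf, re.I | re.M):
            return None
        return "winbind nss info = rfc2307"
    opts = parse_idmap(conf).get(domain, {})
    if opts.get("unix_nss_info", "").lower() == "yes":
        return None
    return f"idmap config {domain} : unix_nss_info = yes"


if __name__ == "__main__":
    for finding in audit_groups(GETENT_GROUP, SMB_CONF, "TESTDOM"):
        print("-", finding)
    for v in ("4.5.16", "4.7.6"):  # assumed version strings, for illustration only
        print(v, "->", missing_nss_info_line(SMB_CONF, "TESTDOM", v) or "nss info line present")
```

On the posted output every gid (3007 to 3016) lands in the '*' range, which is the "mapped to the '*' domain" observation in Rowland's reply, and 'Domain Users' is absent, so the script reports nine findings. Run the same check against `getent group` and `getent passwd` after fixing gidNumber/uidNumber in AD and running 'net cache flush'; domain groups should then resolve inside 10000-999999.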
Hi Rowland,

The group was in /etc/group and LDAP. Post the AD migration, the group didn't show up in AD. We then added the group in AD, will check if it has a gid number. If AD doesn't have a gid, can I remove the group from /etc/group and assign it the same gid in AD? The group in question was one of many which had the same issue, hence the question about importing missed groups in AD.

Regards,
Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, 13 April 2018 9:24 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Issues post AD migration

On Fri, 13 Apr 2018 09:56:34 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The issue seems to be due to the groups who decided not to show up in
> AD. Strangely, even when we added the group with the same name in the
> AD, it didn't resolve the issue. Even though smb.conf dictates that
> the user has to be a member of a group with that name. Using getent
> group, we can see the group. Does Samba hold on to the SID of the
> group somehow?
>
> Is there a way to get those lost groups in AD ;)

Not sure I fully understand what you are saying here. Are you saying that you have a group in /etc/group but not in AD, and you have now added this group to AD? If so, delete the group in /etc/group and ensure the group in AD has a gidNumber. You will probably have to run 'net cache flush' after making the changes.

Rowland