basti.mueller31 at web.de
2018-Oct-08 15:08 UTC
[Samba] missing group affiliation on ad dc
Hi,
I've a strange problem. I migrated my NT4 PDC to an AD on my Debian stretch
(Samba version is 4.5.12).
The Domain Controller has some shares for my users.
One user just told me he can't access the share... before the migration he
was able to access the share, btw! So I checked the ACLs of this share.
It's:
root at server:~# getfacl /media/exampleshare
# file: media/exampleshare
# owner: EXAMPLE\134fileadmin
# group: EXAMPLE\134mitarbeiter
user::rwx
group::---
group:BUILTIN\134administrators:rwx
group:EXAMPLE\134sharegroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:EXAMPLE\134sharegroup:rwx
default:mask::rwx
default:other::---
After this I did a "groups exampleuser" on my domain controller:
root at server:~# groups exampleuser
exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop EXAMPLE\mitarbeiter
but there is no "EXAMPLE\sharegroup"... so everything makes sense...
Anyway, if I do a "samba-tool group listmembers sharegroup" on my
domain controller I see the user in this list! >.<
If I just run RSAT Active Directory Users and Computers I see it too! The user is a
member of the sharegroup.
My domain controller's smb.conf:
[global]
netbios name = PDC
realm = EXAMPLE.COM
workgroup = EXAMPLE
server role = active directory domain controller
bind interfaces only = yes
interfaces = br0
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir= /home/%U
dns forwarder = 8.8.8.8
ldap server require strong auth = no
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind offline logon = yes
allow dns updates = nonsecure and secure
log file = /var/log/samba/%m.log
max log size = 10000
log level = 1
Any ideas what the problem is?
On Mon, 8 Oct 2018 17:08:05 +0200 basti mueller via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I've a strange problem. I migrated my NT4 PDC to an AD on my Debian
> stretch (Samba version is 4.5.12).
>
> The Domain Controller has some shares for my users.
>
> One user just told me he can't access the share... before the
> migration he was able to access the share, btw! So I checked the ACLs
> of this share.
>
> It's:
> root at server:~# getfacl /media/exampleshare
> # file: media/exampleshare
> # owner: EXAMPLE\134fileadmin
> # group: EXAMPLE\134mitarbeiter
> user::rwx
> group::---
> group:BUILTIN\134administrators:rwx
> group:EXAMPLE\134sharegroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:EXAMPLE\134sharegroup:rwx
> default:mask::rwx
> default:other::---
>
> After this I did a "groups exampleuser" on my domain controller:
> root at server:~# groups exampleuser
> exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop
> EXAMPLE\mitarbeiter
>
> but there is no "EXAMPLE\sharegroup"... so everything makes sense...

You cannot rely on the output of 'groups' etc. unless the user has logged in.

> anyway.. if I do a "samba-tool group listmembers sharegroup" on my
> domain controller I see the user in this list! >.< If I just run RSAT
> Active Directory Users and Computers I see it too! The user is a member
> of the sharegroup.

Then the user is a member of 'sharegroup'. The samba-tool command searches AD for 'memberOf' attributes containing the DN of the group and then prints the samAccountName from the 'memberOf' attributes.

Rowland
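The thread turns on two views of the same user: the group list winbind currently holds on the DC (what "groups exampleuser" printed) and the membership AD actually records (what samba-tool and ADUC show). The following is an added example, not code from the thread or from the Samba project: it parses the getfacl output quoted above (getfacl prints a backslash as the octal escape "\134", which the parser undoes), then applies the general POSIX ACL access-check algorithm from acl(5) to each group list, so you can see exactly which entry grants or refuses access. The two group lists are constructed from the thread's description; the "default:" entries are skipped because they only seed the ACLs of new children. Group names are compared as plain strings in the "DOMAIN\group" form winbind prints, which is an assumption about how you feed it the output of "groups" or "id".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# getfacl output copied from the thread; "\134" is getfacl's octal escape for a backslash.
GETFACL_OUTPUT = """\
# file: media/exampleshare
# owner: EXAMPLE\\134fileadmin
# group: EXAMPLE\\134mitarbeiter
user::rwx
group::---
group:BUILTIN\\134administrators:rwx
group:EXAMPLE\\134sharegroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:EXAMPLE\\134sharegroup:rwx
default:mask::rwx
default:other::---
"""

# Constructed from the thread: what "groups exampleuser" printed on the DC (winbind's view)
# versus what AD records for the user (samba-tool / ADUC view).
GROUPS_FROM_WINBIND: List[str] = ["EXAMPLE\\domain users", "EXAMPLE\\remotedesktop", "EXAMPLE\\mitarbeiter"]
GROUPS_FROM_AD: List[str] = GROUPS_FROM_WINBIND + ["EXAMPLE\\sharegroup"]


def unescape(name: str) -> str:
    """Undo getfacl's octal escapes: \\134 becomes a backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def perm_set(field: str) -> Set[str]:
    """'r-x' -> {'r', 'x'}; '---' -> empty set."""
    return {c for c in field if c in "rwx"}


@dataclass
class PosixAcl:
    owner: str
    group: str
    user_obj: Set[str]
    group_obj: Set[str]
    named_users: Dict[str, Set[str]]
    named_groups: Dict[str, Set[str]]
    mask: Optional[Set[str]]
    other: Set[str]


def parse_getfacl(text: str) -> PosixAcl:
    """Parse the access ACL out of getfacl's long-form output."""
    acl = PosixAcl("", "", set(), set(), {}, {}, None, set())
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl.group = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith("#") or line.startswith("default:"):
            # default: entries only seed newly created children; they do not
            # take part in access checks on the directory itself.
            continue
        else:
            entry = line.split("#", 1)[0].strip()  # drop "#effective:..." annotations
            tag, qualifier, perms = entry.split(":", 2)
            qualifier, p = unescape(qualifier), perm_set(perms)
            if tag == "user" and qualifier == "":
                acl.user_obj = p
            elif tag == "user":
                acl.named_users[qualifier] = p
            elif tag == "group" and qualifier == "":
                acl.group_obj = p
            elif tag == "group":
                acl.named_groups[qualifier] = p
            elif tag == "mask":
                acl.mask = p
            elif tag == "other":
                acl.other = p
    return acl


def check_access(acl: PosixAcl, user: str, groups: List[str], want: str) -> Tuple[bool, str]:
    """POSIX ACL access check per acl(5): owner entry first, then a named user
    entry, then the owning group and named groups (each ANDed with the mask, and
    each must hold every requested bit on its own); other:: is consulted only
    when no group entry matched the caller at all."""
    wanted = perm_set(want)

    def masked(p: Set[str]) -> Set[str]:
        return p & acl.mask if acl.mask is not None else p

    if user == acl.owner:
        return wanted <= acl.user_obj, "user:: (owner entry, mask does not apply)"
    if user in acl.named_users:
        return wanted <= masked(acl.named_users[user]), f"user:{user}"
    group_matched = False
    if acl.group in groups:
        group_matched = True
        if wanted <= masked(acl.group_obj):
            return True, "group:: (owning group)"
    for g in groups:
        if g in acl.named_groups:
            group_matched = True
            if wanted <= masked(acl.named_groups[g]):
                return True, f"group:{g}"
    if group_matched:
        return False, "group entries matched but none grants every requested bit; other:: is not consulted"
    return wanted <= acl.other, "other::"


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    for label, groups in (("winbind view", GROUPS_FROM_WINBIND), ("AD view", GROUPS_FROM_AD)):
        ok, why = check_access(acl, "exampleuser", groups, "rx")
        print(f"{label:12s} enter /media/exampleshare: {'ALLOW' if ok else 'DENY '} via {why}")
```

Run against the winbind list the user is refused: he matches the owning group "EXAMPLE\mitarbeiter", whose entry is "---", and because a group entry matched, other:: is never reached. With the AD list the named entry "group:EXAMPLE\sharegroup:rwx" grants access. That is the whole discrepancy in the thread: the ACL is fine, the DC's cached group token is what differs from AD, which is why Rowland says not to trust "groups" until the user has actually logged in. Feeding the function the masked value also shows why a restrictive "mask::" silently strips bits from every named group entry.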