basti.mueller31 at web.de
2018-Oct-08 16:31 UTC
[Samba] missing group affiliation on ad dc
Hi Rowland,

>> Hi,
>>
>> I've a strange problem. I migrated my NT4 PDC to an AD on my Debian
>> stretch (samba version is 4.5.12).
>>
>> The Domain Controller has some shares for my users.
>>
>> One user just told me he can't access the share...before the
>> migration he was able to access the share btw! So I checked the ACLs
>> of this share.
>>
>> It's:
>> root at server:~# getfacl /media/exampleshare
>> # file: media/exampleshare
>> # owner: EXAMPLE\134fileadmin
>> # group: EXAMPLE\134mitarbeiter
>> user::rwx
>> group::---
>> group:BUILTIN\134administrators:rwx
>> group:EXAMPLE\134sharegroup:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::---
>> default:group:EXAMPLE\134sharegroup:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>> After this I did a "groups exampleuser" on my domain controller:
>> root at server:~# groups exampleuser
>> exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop
>> EXAMPLE\mitarbeiter
>>
>> but there is no "EXAMPLE\sharegroup"....so everything makes sense..

> You cannot rely on the output of 'groups' etc unless the user has
> logged in.

>>
>> anyway.. if I do a "samba-tool group listmembers sharegroup" on my
>> domain controller I see the user in this list! >.< If I just run RSAT
>> Active Directory User and Computers I see it too! The user is member
>> of the sharegroup.

> Then the user is a member of 'sharegroup', the samba-tool command
> searches AD for 'memberOf' attributes containing the DN of the group
> and then prints the samAccountName from the 'memberOf' attributes.

It seems like not because the user can't access the nfs3-share because of permission. Anything else I could check?

On Mon, 8 Oct 2018 18:31:40 +0200 basti mueller via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> >> Hi,
> >>
> >> I've a strange problem. I migrated my NT4 PDC to an AD on my Debian
> >> stretch (samba version is 4.5.12).
> >>
> >> The Domain Controller has some shares for my users.
> >>
> >> One user just told me he can't access the share...before the
> >> migration he was able to access the share btw! So I checked the
> >> ACLs of this share.
> >>
> >> It's:
> >> root at server:~# getfacl /media/exampleshare
> >> # file: media/exampleshare
> >> # owner: EXAMPLE\134fileadmin
> >> # group: EXAMPLE\134mitarbeiter
> >> user::rwx
> >> group::---
> >> group:BUILTIN\134administrators:rwx
> >> group:EXAMPLE\134sharegroup:rwx
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:group::---
> >> default:group:EXAMPLE\134sharegroup:rwx
> >> default:mask::rwx
> >> default:other::---
> >>
> >>
>
> It seems like not because the user can't access the nfs3-share
> because of permission. Anything else I could check?

I take it the 'getfacl' output is for the nfs3-share, so if your user is a member of the 'sharegroup', the user should be able to access the share, unless something else is blocking it (trying to connect from a non-joined computer, firewall etc)

How are they trying to access the share?

Rowland

basti.mueller31 at web.de
2018-Oct-08 18:07 UTC
[Samba] missing group affiliation on ad dc
> I take it the 'getfacl' output is for the nfs3-share, so if your user
> is a member of the 'sharegroup', the user should be able to access the
> share, unless something else is blocking it (trying to connect from a
> non-joined computer, firewall etc)
> How are they trying to access the share?

I'll try it with a non-joined computer. Strange is that a user with the same groups can access my share! He has the sharegroup if I do the "groups username" on my domain controller/fileserver.
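
Added example, not part of the thread and not Samba code: a sketch of the POSIX ACL access check run against the getfacl output quoted above. It shows why a process whose group list contains EXAMPLE\mitarbeiter but not EXAMPLE\sharegroup is denied, whatever AD reports for the group's members. The function names are hypothetical and the case-insensitive name comparison is an assumption; the `groups` argument stands for the group list the accessing process actually carries.

```python
import re

# Constructed sample: access ACL in the shape of the getfacl output quoted above.
GETFACL = r"""# file: media/exampleshare
# owner: EXAMPLE\134fileadmin
# group: EXAMPLE\134mitarbeiter
user::rwx
group::---
group:BUILTIN\134administrators:rwx
group:EXAMPLE\134sharegroup:rwx
mask::rwx
other::---
default:group:EXAMPLE\134sharegroup:rwx
"""

def unescape(name):
    # getfacl writes special characters as octal escapes; \134 is a backslash.
    # Lower-casing for comparison is an assumption of this sketch.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name).lower()

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"# (owner|group): (.+)", line)
        if head:
            acl[head.group(1)] = unescape(head.group(2))
        elif line and not line.startswith(("#", "default:")):  # access ACL only
            tag, rest = line.split("#")[0].strip().split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            acl["entries"].append((tag, unescape(qualifier), set(perms) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    """POSIX ACL check: owner, named user, then group class, then other."""
    user, groups, want = user.lower(), {g.lower() for g in groups}, set(want)
    find = lambda tag, q: [p for t, n, p in acl["entries"] if t == tag and n == q]
    mask = (find("mask", "") or [set("rwx")])[0]
    if user == acl["owner"]:
        return want <= find("user", "")[0]
    if find("user", user):
        return want <= (find("user", user)[0] & mask)
    matching = [p for t, n, p in acl["entries"] if t == "group"
                and (n in groups or (n == "" and acl["group"] in groups))]
    if matching:  # a matching group entry decides; "other" is never consulted
        return any(want <= (p & mask) for p in matching)
    return want <= find("other", "")[0]
```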