Matthias Leopold
2019-Feb-01 17:00 UTC
[Samba] group membership inconsistency on AD domain member
Hi,

I've been running a samba server with winbind (CentOS 7) as a member of an AD Domain (Windows 2012 R2) for several months without a problem. "Suddenly" I'm seeing the problem that the membership in newly created AD groups isn't correctly visible for some users on the samba server, or only after some indefinite amount of time. I'm looking simply at the output of the 'id' command. This information is always consistent with the output of 'wbinfo -r', so I don't think it's an NSS problem. The "funny" thing is that this doesn't apply to all of the members of the newly created group, only to some of them.

On the DC I checked the affected users with the powershell command "get-aduser $username -Properties memberof | select -expand memberof", everything is correct.

In my experience the problem goes away after some time (a couple of hours) for some users, again not all of them. I fiddled with some winbind options in smb.conf, restarted winbind a couple of times, used "net cache flush", none of these changed anything. I didn't restart the AD or smbd though. Can anybody give me a hint?

thx
matthias

Example (I temporarily set "winbind expand groups = 1" to use "getent group", but this doesn't affect the problem):

# getent group 'FOOBAR\testgroup'
FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
1

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
0

smb.conf:

[global]
load printers = No
log file = /var/log/samba/log.smbd
realm = FOOBAR.DOMAIN.TLD
security = ADS
unix extensions = No
workgroup = FOOBAR
idmap config foobar : range = 10000-999999
idmap config foobar : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
strict sync = No

[exampleshare]
browseable = No
path = /srv/samba01/lv01/exampleshare
read only = No
vfs objects = acl_xattr
Matthias Leopold
2019-Feb-01 17:45 UTC
[Samba] Fwd: group membership inconsistency on AD domain member
OK, I screwed it up, please read the example as:

# getent group 'FOOBAR\testgroup'
FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user02

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
1

# wbinfo -r 'FOOBAR\user02' | grep -c 13688
0

-------- Forwarded Message --------
Subject: [Samba] group membership inconsistency on AD domain member
Date: Fri, 1 Feb 2019 18:00:51 +0100
From: Matthias Leopold via samba <samba at lists.samba.org>
Reply-To: Matthias Leopold <matthias.leopold at meduniwien.ac.at>
To: samba at lists.samba.org
Matthias Leopold
2019-Feb-04 09:47 UTC
[Samba] group membership inconsistency on AD domain member
"net cache samlogon delete" helped me solve the problem, I didn't know about this command before.

matthias

On 01.02.19 at 18:00, Matthias Leopold wrote:
> Hi,
>
> I've been running a samba server with winbind (CentOS 7) as a member of
> an AD Domain (Windows 2012 R2) for several months without a problem.
> "Suddenly" I'm seeing the problem that the membership in newly created
> AD groups isn't correctly visible for some users on the samba server or
> only after some indefinite amount of time. I'm looking simply at the
> output of the 'id' command. This information is always consistent with
> the output of 'wbinfo -r', so I don't think it's an NSS problem. The
> "funny" thing is that this doesn't apply to all of the members of the
> newly created group, only to some of them.
>
> On the DC I checked the affected users with the powershell command
> "get-aduser $username -Properties memberof | select -expand memberof",
> everything is correct.
>
> In my experience the problem goes away after some time (a couple of
> hours) for some users, again not all of them. I fiddled with some
> winbind options in smb.conf, restarted winbind a couple of times, used
> "net cache flush", none of these changed anything. I didn't restart the
> AD or smbd though. Can anybody give me a hint?
>
> thx
> matthias
>
> Example (I temporarily set "winbind expand groups = 1" to use "getent
> group", but this doesn't affect the problem):
>
> # getent group 'FOOBAR\testgroup'
> FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01
>
> # wbinfo -r 'FOOBAR\user01' | grep -c 13688
> 1
>
> # wbinfo -r 'FOOBAR\user01' | grep -c 13688
> 0
>
> smb.conf:
>
> [global]
> load printers = No
> log file = /var/log/samba/log.smbd
> realm = FOOBAR.DOMAIN.TLD
> security = ADS
> unix extensions = No
> workgroup = FOOBAR
> idmap config foobar : range = 10000-999999
> idmap config foobar : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> strict sync = No
>
> [exampleshare]
> browseable = No
> path = /srv/samba01/lv01/exampleshare
> read only = No
> vfs objects = acl_xattr

-- 
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
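The cross-check the thread does by hand (the NSS member list from `getent group` against the per-user group list from `wbinfo -r`) together with the fix from the last message, as an added example; this is not code from the thread or from the Samba project. It assumes "winbind expand groups = 1" as in the original post so that `getent group` lists members, that `wbinfo -n` prints the user's SID as its first field, and that `net cache samlogon delete` takes that SID. The variables GETENT_GROUP, WBINFO_R, WBINFO_N and NET are this example's own, so the logic can be exercised offline against stub functions; the constructed stub data in the comments mirrors the corrected example above (user02 missing GID 13688).

```shell
#!/bin/sh
# Added example, not code from the thread. Find AD group members whose
# winbind view of their group list lacks the group's GID (stale cached
# SamLogon data), and drop that cache entry per user.
#
# Assumptions: "winbind expand groups = 1" is set; `wbinfo -n 'DOM\user'`
# prints "<SID> SID_USER (1)"; `net cache samlogon delete <SID>` removes
# the cached SamLogon entry for that SID.
# Commands are held in variables so tests can substitute stub functions.

GETENT_GROUP="${GETENT_GROUP:-getent group}"
WBINFO_R="${WBINFO_R:-wbinfo -r}"
WBINFO_N="${WBINFO_N:-wbinfo -n}"
NET="${NET:-net}"

# stale_members 'DOM\group'
# Prints each member whose `wbinfo -r` output does not contain the group's
# GID. Member names are split on whitespace, so names with spaces are not
# supported here. A member that winbind cannot resolve at all is also
# reported, since its group list is equally unusable.
stale_members() {
    group_line=$($GETENT_GROUP "$1") || return 2
    gid=$(printf '%s' "$group_line" | cut -d: -f3)
    members=$(printf '%s' "$group_line" | cut -d: -f4 | tr ',' ' ')
    for m in $members; do
        if ! $WBINFO_R "$m" | grep -qx "$gid"; then
            printf '%s\n' "$m"
        fi
    done
}

# user_sid 'DOM\user'
# Prints the user's SID, the first field of `wbinfo -n` output.
user_sid() {
    $WBINFO_N "$1" | cut -d' ' -f1
}

# flush_samlogon 'DOM\user'
# Deletes winbind's cached SamLogon entry for the user so the next lookup
# fetches group membership from the DC again.
flush_samlogon() {
    sid=$(user_sid "$1")
    [ -n "$sid" ] || return 2
    $NET cache samlogon delete "$sid"
}

# repair_group 'DOM\group'
# Flushes every stale member's cache entry and prints the members flushed.
repair_group() {
    stale_members "$1" | while read -r m; do
        flush_samlogon "$m" >/dev/null && printf '%s\n' "$m"
    done
}

# Stand-alone usage on a member server:  sh check_group.sh 'FOOBAR\testgroup'
if [ "$#" -gt 0 ]; then
    repair_group "$1"
fi
```

Run it as root on the domain member, once per affected group; re-running `stale_members` afterwards should print nothing. This only touches the local winbind cache, which is consistent with the thread's observation that `net cache flush` (which clears the generic gencache) did not help while `net cache samlogon delete` did.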