We have an issue where new groups that are created in Active Directory are not visible in Samba. Groups that were created more than about one month ago are visible. We're using clustered Sernet 4.3.9 with winbind (with ID mapping) and CTDB. NSCD is not running. We've tried restarting Samba, but still have the issue. The OS is RHEL 6.7 and the kernel is 2.6.32.
On 16/10/2019 16:24, Bill Riner via samba wrote:
> We have an issue where new groups that are created in Active Directory are not visible in Samba. Groups that were created more than about one month ago are visible. We're using clustered Sernet 4.3.9 with winbind (with ID mapping) and CTDB. NSCD is not running. We've tried restarting Samba, but still have the issue. The OS is RHEL 6.7 and the kernel is 2.6.32.

Please post your smb.conf.

Rowland
On 16/10/2019 17:33, Greg Newton wrote:
> why

Because even though the OP says they are using id mapping, they don't say what sort. Having said that, 4.3.9 is very old and isn't supported by Samba any more, there have also been a lot of CTDB changes since 4.3.9 was released. Finally, because saying it doesn't work (which is what the OP basically said) isn't enough info.

Rowland
On 10/16/19 5:24 PM, Bill Riner via samba wrote:
> We have an issue where new groups that are created in Active Directory are not visible in Samba. Groups that were created more than about one month ago are visible. We're using clustered Sernet 4.3.9 with winbind (with ID mapping) and CTDB. NSCD is not running. We've tried restarting Samba, but still have the issue. The OS is RHEL 6.7 and the kernel is 2.6.32.

Group membership gets cached based on (SMB) user logins. Re-login and you'll see the current groups. You can simulate an SMB login with wbinfo -a.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On 10/16/19 8:10 PM, Bill Riner wrote:
> I am logged in as root to one of the clustered Samba servers. Normally when a group is added to AD, it shows up using
>
> # getent -s winbind group {group_name}
>
> In this case, the group Drug_Discovery_Team_Meetings exists in AD, but I don't see it using getent.

Re-login that user over SMB.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On 16/10/2019 19:37, Ralph Boehme via samba wrote:
> On 10/16/19 8:10 PM, Bill Riner wrote:
>> I am logged in as root to one of the clustered Samba servers. Normally when a group is added to AD, it shows up using
>>
>> # getent -s winbind group {group_name}
>>
>> In this case, the group Drug_Discovery_Team_Meetings exists in AD, but I don't see it using getent.
> re-login that user over SMB.
>
> -slow

I do not think that will help, root may be able to login over SMB and should be able to use getent to display the groups info. The OP states that idmap is working, but, until he posts his smb.conf, we do not know if it is working correctly and what winbind backend he is using, this could have a bearing.

Rowland
[global]
workgroup = VANDERBILT
netbios name = mako-smb
realm = DS.VANDERBILT.EDU
security = ads
encrypt passwords = yes
allow trusted domains = No
idmap config *:backend = tdb
idmap config *:range = 4000000 - 5000000
idmap config VANDERBILT : backend = rid
idmap config VANDERBILT : range = 5000001 - 9000000
template shell = /bin/bash
template homedir = /home/%U
winbind offline logon = false
#winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind expand groups = 3
server string = DORS SMB
log level = 2
log file = /var/log/samba/log.%m
max log size = 10000
passdb backend = tdbsam
clustering = yes
unix extensions = yes

> On Oct 16, 2019, at 10:24 AM, Bill Riner <bill.riner at gmail.com> wrote:
>
> We have an issue where new groups that are created in Active Directory are not visible in Samba. Groups that were created more than about one month ago are visible. We're using clustered Sernet 4.3.9 with winbind (with ID mapping) and CTDB. NSCD is not running. We've tried restarting Samba, but still have the issue. The OS is RHEL 6.7 and the kernel is 2.6.32.
On 16/10/2019 21:26, Bill Riner via samba wrote:
> [global]
> workgroup = VANDERBILT
> netbios name = mako-smb
> realm = DS.VANDERBILT.EDU
> security = ads
> encrypt passwords = yes
> allow trusted domains = No
> idmap config *:backend = tdb
> idmap config *:range = 4000000 - 5000000
> idmap config VANDERBILT : backend = rid
> idmap config VANDERBILT : range = 5000001 - 9000000
> template shell = /bin/bash
> template homedir = /home/%U
> winbind offline logon = false
> #winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind expand groups = 3
> server string = DORS SMB
> log level = 2
> log file = /var/log/samba/log.%m
> max log size = 10000
> passdb backend = tdbsam
> clustering = yes
> unix extensions = yes
>
>> On Oct 16, 2019, at 10:24 AM, Bill Riner <bill.riner at gmail.com> wrote:
>>
>> We have an issue where new groups that are created in Active Directory are not visible in Samba. Groups that were created more than about one month ago are visible. We're using clustered Sernet 4.3.9 with winbind (with ID mapping) and CTDB. NSCD is not running. We've tried restarting Samba, but still have the issue. The OS is RHEL 6.7 and the kernel is 2.6.32.

There is nothing wrong with your smb.conf, your new group should be allocated a GID and be visible. Restarting Samba should wipe the caches and these should get rebuilt when Samba connects to AD, so they should become visible.

When you say 'not visible', what do you actually mean ?

Does 'getent group {group name}' work ?

Rowland
No, the new groups don't show up using 'getent group {group_name}'.

> On Oct 16, 2019, at 3:26 PM, Bill Riner <bill.riner at gmail.com> wrote:
>
> [global]
> workgroup = VANDERBILT
> netbios name = mako-smb
> realm = DS.VANDERBILT.EDU
> security = ads
> encrypt passwords = yes
> allow trusted domains = No
> idmap config *:backend = tdb
> idmap config *:range = 4000000 - 5000000
> idmap config VANDERBILT : backend = rid
> idmap config VANDERBILT : range = 5000001 - 9000000
> template shell = /bin/bash
> template homedir = /home/%U
> winbind offline logon = false
> #winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind expand groups = 3
> server string = DORS SMB
> log level = 2
> log file = /var/log/samba/log.%m
> max log size = 10000
> passdb backend = tdbsam
> clustering = yes
> unix extensions = yes
>
>> On Oct 16, 2019, at 10:24 AM, Bill Riner <bill.riner at gmail.com> wrote:
>>
>> We have an issue where new groups that are created in Active Directory are not visible in Samba. Groups that were created more than about one month ago are visible. We're using clustered Sernet 4.3.9 with winbind (with ID mapping) and CTDB. NSCD is not running. We've tried restarting Samba, but still have the issue. The OS is RHEL 6.7 and the kernel is 2.6.32.