On 24.01.2020 14:01, Christian wrote:
> On 23.01.2020 10:26, L.P.H. van Belle via samba wrote:
>> Hai Christian,
>>
>>>>> Thism, this is just strange, Christian, did you already run and if not, can you run it and post the outputs. :
>>>>> net cache flush
>>>>> systemctl stop samba winbind
>>>>> systemctl start samba winbind
>>>>>
>>>>> id some_user
>>>>> getent passwd some_user
>>>>>
>>>>> [..]
>>>> afs1:~# net cache flush
>>>> afs1:~# systemctl stop smbd winbind
>>>> afs1:~# net cache flush
>>>> afs1:~# systemctl start smbd winbind
>>>> afs1:~# id some_user
>>>> uid=10586(some_user) gid=10206(group1) groups=10206(group2),10513(domain users),10020(group3),10018(group4),10517(group5),10220(group6),3001(BUILTIN\users)
>>>> afs1:~# getent passwd some_user
>>>> some_user:*:10586:10206:some_user name:/home/some_user:/bin/bash
>>> Follow-up:
>>>
>>> getent group some_group reports some_user as a member.... Thanks for
>>> looking into this,
>>>
>>> Christian
>>>
>> Hm, that makes it even stranger.
>> So.. Resume.
>>
>> id some_user
>> uid=10586(some_user) gid=10206(group1) groups=10206(group2),10513(domain users),10020(group3),10018(group4),10517(group5),10220(group6),3001(BUILTIN\users)
>>
>> getent passwd some_user
>> some_user:*:10586:10206:some_user name:/home/some_user:/bin/bash
>>
>> getent group some_group
>> Reports some_user as a member.
>>
>> So I'm wondering.
>> Can you check : getent group some_group on a domain member and on an AD-DC.
>
> The output of getent group some_group on the AD DC looks good.
>
> I am starting to see a pattern though. I wrote this script:
>
> #!/bin/bash
> # Split the wbinfo output on newlines only, since group names may contain spaces.
> IFS=$'\n'
> for group in $(wbinfo -g) ; do
>   if getent group "$group" >/dev/null 2>&1 ; then
>     unset IFS
>     for user in $(members "$group") ; do
>       # Is the group missing from what `groups` reports for this member?
>       if ! groups "$user" 2>/dev/null | cut -f 2 -d : | grep " $group" > /dev/null 2>&1 ; then
>         if getent passwd "$user" >/dev/null 2>&1 ; then
>           echo "Issue with $group:$user"
>         fi
>       fi
>     done
>   fi
> done
>
> The script should report users whose group membership according to
> getent group is not affected in the groups <user> command.
>
> It does not report any issue on those domain members that run the
> standard debian buster distribution packages (4.9.5+dfsg-5+deb10u1). For
> those systems that run Louis' 4.10.11+dfsg-0.1buster1 packages, the
> above script reports problems with some group memberships of users. The
> affected ones vary from system to system, and on each system, the issue
> survives net cache flush with the same group memberships being affected
> before and after. Our two dcs also run 4.10.11+dfsg-0.1buster1...
>
> Does that help? Should I try to downgrade one of the members where this
> issue appears to the standard debian packages and see if it goes away? Best,
>
> Christian
Dear all,

the problem seems to persist, even if I downgrade samba to the standard
debian packages. To summarize:

On this particular computer running debian buster (4.9.5) and the
standard debian packages, some_user is a member of some_group according
to getent passwd some_group. But as the user logs in, some_group does
not appear in the output of the id command. Even net cache flush does
not heal this.

This also occurs for a number of other users and other groups. Out of
our ~500 users, ca. 10 group memberships are not properly reflected.

I have this problem on one other computer, but the list of group
memberships affected on that machine is different, but also of order 10.

Do folks have further tips on how to debug this? Thanks,

Christian
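
Added example, not part of the original message or of Samba: a variant of the consistency check discussed in this thread that matches on numeric GID instead of group name, so names containing spaces (such as "domain users") or prefixes (such as BUILTIN\users) cannot cause false matches. The function names and the sample data are constructed for illustration, and the member list is taken from the fourth field of the `getent group` record rather than from the `members` tool.

```sh
#!/bin/sh
# Print the numeric GIDs the system resolves for a user (what a login would get).
resolved_gids() { id -G -- "$1" 2>/dev/null; }

# check_group LINE [LOOKUP]
#   LINE   one record in `getent group` format: name:passwd:gid:member1,member2
#   LOOKUP function printing a user's space-separated GIDs (default: resolved_gids)
# Prints "group:user" for each listed member whose GID list lacks the group's GID.
# The body runs in a subshell so the IFS and globbing changes stay local.
check_group() (
    line=$1; lookup=${2:-resolved_gids}
    name=${line%%:*}; rest=${line#*:}; rest=${rest#*:}
    gid=${rest%%:*}; members=${rest#*:}
    IFS=,; set -f                      # split members on commas only, no globbing
    for user in $members; do
        # Members that do not resolve as users are skipped, as in the thread's script.
        gids=$("$lookup" "$user") || continue
        case " $gids " in
            *" $gid "*) ;;             # membership is visible to the session
            *) printf '%s:%s\n' "$name" "$user" ;;
        esac
    done
)

# Constructed sample data modelled on the anonymised values in the thread.
sample_lookup() {
    case $1 in
        some_user)  echo "10206 10513 10020" ;;
        other_user) echo "10206 10513 10220" ;;
        *) return 1 ;;
    esac
}
sample_check() {
    check_group 'some_group:x:10220:some_user,other_user,ghost' sample_lookup
    check_group 'domain users:x:10513:some_user,other_user' sample_lookup
}

# On a domain member, run with --live to check every group winbind lists.
if [ "${1:-}" = "--live" ]; then
    wbinfo -g | while IFS= read -r g; do
        line=$(getent group "$g") && check_group "$line"
    done
fi
```

Running the same check on each affected member and comparing the reported `group:user` pairs shows whether the missing memberships differ per machine, as described above.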