samba - Apr 2020 - Group issues on AD DC, membership does not work on some users

Thank you so much for the prompt response and the valuable comments.

We are using a pretty much unmodified Zentyal installation, which in its 
own turn sets everything up for a Samba DC. It might be a good idea for 
us to move away from that, if Zentyal uses an EOL-version of Samba..

You were absolutely right about the sign-in part! Almost all of us work 
from home in these special days, so there are hardly any sign-ons to the 
DC itself. People take their computers home and use cached credentials.

Your questions regarding the smb.conf are really good. Unfortunately, I 
have no clue why Zentyal thought that would be a good idea :) I will 
comment out the lines you've mentioned and see what happens :D

Thank you once again.

Oleg

On 2020-04-22 12:29, Rowland penny via samba wrote:
> On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
>> Hi everyone,
>>
>> I'm running Samba 4.7.6 on Ubuntu 18.04.
>
> Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is 
> concerned, you can get later Samba versions here:
>
> http://apt.van-belle.nl/
>
>>
>> I have an issue with adding users to groups with samba-tool, not 
>> really sure where to look for more info. samba -i didn't show 
>> anything at all.
>>
>> This is what I do:
>>
>> *samba-tool group add new-group**
>> **samba-tool group addmembers new-group my-user*
>>
>> if I run *id my-user *or *groups my-user*, then the group *new-group 
>> *does not appear there. It does, however, appear if I check in LDAP 
>> (samba-tool user edit my-user).
> Sounds like the affected user isn't logged in, you can only be sure of 
> getting a correct list of a users groups if the user is logged in.
>>
>> This becomes a problem when I set ACLs in a domain-joined file share 
>> server - users who are members of certain groups cannot access files 
>> and folders belonging to the groups they are a part of.
> If the 'domain-joined file share server' is a Unix computer, then 
> possibly 'samba-tool group add new-group' isn't sufficient, the
group
> will not have a gidNumber attribute and if the 'idmap config'
DOMAIN
> backend is 'ad', then the group will be ignored.
>>
>> I can also add that this server used to be a a non-DC Samba server, 
>> and that the GIDs go first between 1000-1027 (the oldest ones) and 
>> then between 5888-6012.
> This shouldn't be a problem unless the 'idmap config' DOMAIN
range
> isn't something like '1000-7000'.
>>
>> The strange thing is that it only occurs to some users - most don't
>> have that issue at all. I've tried adding different types of users
to
>> different groups, couldn't really find any pattern. Many times the 
>> domain-joined server gives a more accurate output of *id* *user *than 
>> the DC - a user might be in a group, but the DC won't show it,
while
>> a server joined to the DC actually will.
> Probably because the user is logged in.
>>
>> Here is my smb.conf:
>
> Just a few comments ;-)
>
> server role check:inhibit = yes
>
> Why ? the only reason could be if you are trying to run the 'nmbd' 
> daemon and you must not that on a DC.
>
> dsdb:schema update allowed = yes
>
> Again, why? do you update your schema on a regular basis ??
>
> ?winbind enum users = yes
> ?winbind enum groups = yes
>
> All those do is potentially slow things down.
>
> map to guest = Bad User
>
> On a DC, the authentication centre ?
>
> Rowland
>
>
>

Sorry for the spam, just have another question here.
> If the 'domain-joined file share server' is a Unix computer, then 
> possibly 'samba-tool group add new-group' isn't sufficient, the
group
> will not have a gidNumber attribute and if the 'idmap config'
DOMAIN
> backend is 'ad', then the group will be ignored. 
What is the full/correct way to add a group then? The domain-joined 
fileserver is a Unix machine (Debian 9) with Samba 4.5.16. These are the 
*idmap*-relevant parts from the smb.conf on it:

idmap config * : backend = tdb idmap config * : range = 3000-7999


idmap config DOMAIN: backend = rfc2307 idmap config DOMAIN: range = 
10000-999999999 idmap config DOMAIN: ldap_server = ad idmap config 
DOMAIN: unix_nss_info = yes


This guide in the wiki 
(https://wiki.samba.org/index.php/User_and_Group_management) doesn't say 
much more than *samba tool group add groupname*.

All the best,

Oleg

On 22/04/2020 11:59, Oleg Blyahher via samba wrote:
> Sorry for the spam, just have another question here.
>
>> If the 'domain-joined file share server' is a Unix computer,
then
>> possibly 'samba-tool group add new-group' isn't sufficient,
the group
>> will not have a gidNumber attribute and if the 'idmap config'
DOMAIN
>> backend is 'ad', then the group will be ignored. 
>
> What is the full/correct way to add a group then? 
If you are creating a group that must be visible on Unix, then you must 
add the Unix attributes e.g.

samba-tool group add Group3 --nis-domain=samdom --gid-number=12345

Where: 'Group3' is the groupname, 'samdom' is your lowercase
workgroup
name and '12345' is the next available gidNumber.
> The domain-joined fileserver is a Unix machine (Debian 9) with Samba 
> 4.5.16.
I would upgrade as soon as possible to Buster and then use Louis repo 
(the one I pointed to earlier).
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
The '*' domain is for the 'Well Known SIDS' and anything outside
the domain.
> idmap config DOMAIN: backend = rfc2307
> idmap config DOMAIN: range = 10000-999999999
> idmap config DOMAIN: ldap_server = ad
> idmap config DOMAIN: unix_nss_info = yes
Based on the above and what you posted earlier, this will be better:

idmap config DOMAIN: backend = ad
idmap config DOMAIN: range = 1000-999999999
idmap config DOMAIN: schema_mode = rfc2307
idmap config DOMAIN: unix_nss_info = yes
>
> This guide in the wiki 
> (https://wiki.samba.org/index.php/User_and_Group_management) doesn't 
> say much more than *samba tool group add groupname*.
I have updated the wikipage.

Rowland