Oleg Blyahher
2020-Apr-22 10:48 UTC
[Samba] Group issues on AD DC, membership does not work on some users
Thank you so much for the prompt response and the valuable comments.

We are using a pretty much unmodified Zentyal installation, which in its own turn sets everything up for a Samba DC. It might be a good idea for us to move away from that, if Zentyal uses an EOL version of Samba..

You were absolutely right about the sign-in part! Almost all of us work from home in these special days, so there are hardly any sign-ons to the DC itself. People take their computers home and use cached credentials.

Your questions regarding the smb.conf are really good. Unfortunately, I have no clue why Zentyal thought that would be a good idea :) I will comment out the lines you've mentioned and see what happens :D

Thank you once again.

Oleg

On 2020-04-22 12:29, Rowland penny via samba wrote:
> On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
>> Hi everyone,
>>
>> I'm running Samba 4.7.6 on Ubuntu 18.04.
>
> Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is
> concerned, you can get later Samba versions here:
>
> http://apt.van-belle.nl/
>
>> I have an issue with adding users to groups with samba-tool, not
>> really sure where to look for more info. samba -i didn't show
>> anything at all.
>>
>> This is what I do:
>>
>> *samba-tool group add new-group*
>> *samba-tool group addmembers new-group my-user*
>>
>> if I run *id my-user* or *groups my-user*, then the group *new-group*
>> does not appear there. It does, however, appear if I check in LDAP
>> (samba-tool user edit my-user).
> Sounds like the affected user isn't logged in, you can only be sure of
> getting a correct list of a user's groups if the user is logged in.
>>
>> This becomes a problem when I set ACLs in a domain-joined file share
>> server - users who are members of certain groups cannot access files
>> and folders belonging to the groups they are a part of.
> If the 'domain-joined file share server' is a Unix computer, then
> possibly 'samba-tool group add new-group' isn't sufficient, the group
> will not have a gidNumber attribute and if the 'idmap config' DOMAIN
> backend is 'ad', then the group will be ignored.
>>
>> I can also add that this server used to be a non-DC Samba server,
>> and that the GIDs go first between 1000-1027 (the oldest ones) and
>> then between 5888-6012.
> This shouldn't be a problem unless the 'idmap config' DOMAIN range
> isn't something like '1000-7000'.
>>
>> The strange thing is that it only occurs to some users - most don't
>> have that issue at all. I've tried adding different types of users to
>> different groups, couldn't really find any pattern. Many times the
>> domain-joined server gives a more accurate output of *id user* than
>> the DC - a user might be in a group, but the DC won't show it, while
>> a server joined to the DC actually will.
> Probably because the user is logged in.
>>
>> Here is my smb.conf:
>
> Just a few comments ;-)
>
> server role check:inhibit = yes
>
> Why ? the only reason could be if you are trying to run the 'nmbd'
> daemon and you must not do that on a DC.
>
> dsdb:schema update allowed = yes
>
> Again, why? do you update your schema on a regular basis ??
>
> winbind enum users = yes
> winbind enum groups = yes
>
> All those do is potentially slow things down.
>
> map to guest = Bad User
>
> On a DC, the authentication centre ?
>
> Rowland
Oleg Blyahher
2020-Apr-22 10:59 UTC
[Samba] Group issues on AD DC, membership does not work on some users
Sorry for the spam, just have another question here.

> If the 'domain-joined file share server' is a Unix computer, then
> possibly 'samba-tool group add new-group' isn't sufficient, the group
> will not have a gidNumber attribute and if the 'idmap config' DOMAIN
> backend is 'ad', then the group will be ignored.

What is the full/correct way to add a group then?

The domain-joined fileserver is a Unix machine (Debian 9) with Samba 4.5.16. These are the *idmap*-relevant parts from the smb.conf on it:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN: backend = rfc2307
idmap config DOMAIN: range = 10000-999999999
idmap config DOMAIN: ldap_server = ad
idmap config DOMAIN: unix_nss_info = yes

This guide in the wiki (https://wiki.samba.org/index.php/User_and_Group_management) doesn't say much more than *samba tool group add groupname*.

All the best,
Oleg
Rowland penny
2020-Apr-22 11:22 UTC
[Samba] Group issues on AD DC, membership does not work on some users
On 22/04/2020 11:59, Oleg Blyahher via samba wrote:
> Sorry for the spam, just have another question here.
>
>> If the 'domain-joined file share server' is a Unix computer, then
>> possibly 'samba-tool group add new-group' isn't sufficient, the group
>> will not have a gidNumber attribute and if the 'idmap config' DOMAIN
>> backend is 'ad', then the group will be ignored.
>
> What is the full/correct way to add a group then?

If you are creating a group that must be visible on Unix, then you must add the Unix attributes e.g.

samba-tool group add Group3 --nis-domain=samdom --gid-number=12345

Where:
'Group3' is the groupname, 'samdom' is your lowercase workgroup name and '12345' is the next available gidNumber.

> The domain-joined fileserver is a Unix machine (Debian 9) with Samba
> 4.5.16.

I would upgrade as soon as possible to Buster and then use Louis' repo (the one I pointed to earlier).

> idmap config * : backend = tdb
> idmap config * : range = 3000-7999

The '*' domain is for the 'Well Known SIDS' and anything outside the domain.

> idmap config DOMAIN: backend = rfc2307
> idmap config DOMAIN: range = 10000-999999999
> idmap config DOMAIN: ldap_server = ad
> idmap config DOMAIN: unix_nss_info = yes

Based on the above and what you posted earlier, this will be better:

idmap config DOMAIN: backend = ad
idmap config DOMAIN: range = 1000-999999999
idmap config DOMAIN: schema_mode = rfc2307
idmap config DOMAIN: unix_nss_info = yes

>
> This guide in the wiki
> (https://wiki.samba.org/index.php/User_and_Group_management) doesn't
> say much more than *samba tool group add groupname*.

I have updated the wikipage.

Rowland
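The two failure modes discussed in this thread (legacy gidNumbers that fall outside the member's 'idmap config DOMAIN' range, and groups created without a gidNumber that the 'ad' backend then ignores) can be checked offline. The script below is an added example, not code from the thread or the Samba project; it parses the idmap lines Oleg posted (embedded as a constructed sample), takes the old 1000-1027 and 5888-6012 GIDs as constructed input, and also flags idmap ranges that overlap, which winbind refuses.

```python
import itertools
import re

# Constructed sample: the idmap lines from the Debian 9 member's smb.conf as posted.
MEMBER_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN: backend = rfc2307
idmap config DOMAIN: range = 10000-999999999
idmap config DOMAIN: ldap_server = ad
idmap config DOMAIN: unix_nss_info = yes
"""
# Constructed: GIDs left over from the old standalone server (1000-1027, 5888-6012).
LEGACY_GIDS = list(range(1000, 1028)) + list(range(5888, 6013))

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg

def check_idmap(conf, existing_gids, domain="DOMAIN"):
    """Return a list of problems: legacy GIDs outside the domain range, and
    idmap ranges that overlap (winbind rejects overlapping ranges)."""
    cfg = parse_idmap(conf)
    problems = []
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in cfg.items() if "range" in o}
    if domain not in ranges:
        return [f"no idmap range configured for {domain}"]
    lo, hi = ranges[domain]
    outside = [g for g in existing_gids if not lo <= g <= hi]
    if outside:
        problems.append(f"{len(outside)} gidNumbers outside {domain} range {lo}-{hi}")
    for a, b in itertools.combinations(sorted(ranges), 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:
            problems.append(f"idmap ranges of '{a}' and '{b}' overlap")
    return problems

def groups_without_gid(groups):
    """Groups made with a bare 'samba-tool group add' carry no gidNumber; the 'ad' backend ignores them."""
    return [g["cn"] for g in groups if "gidNumber" not in g]
```

Run against the posted config it reports that all 153 legacy GIDs sit below the 10000-999999999 range, which is why those groups never appear in 'id' on the member; with the range lowered to 1000-999999999 as suggested, it instead reports that the '*' range 3000-7999 now overlaps the DOMAIN range, so that range needs moving as well.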