Matthias Kühne | Ellerhold AG
2021-Feb-24 09:36 UTC
[Samba] Group membership not updating on one DC only
Hello,

I just asked the user to ssh into DC1. And lo and behold, after that he has the correct groups.

I let him connect to a fileserver via SMB and it updated the groups correctly too. Yay

So it seems like the cache (on a Domain Member and on a DC) only gets updated if the user connects to it. net cache flush doesn't seem to do anything here.

Winbind Offline Logon is enabled. Is this the / a problem?

Is there any command I could run to update the groups without asking the user to login to the machine?

On 24.02.21 at 10:13, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
>
> It seems like the group memberships aren't updating anymore for a certain user in a specific DC. We're using Debian Buster with samba 4.13.4+dfsg-0.1buster2 .
>
> We have (atm) 3 DCs in their own AD-Sites: the first DC is in the default site ("Default-First-Site-Name"), the second DC and third are in their own sites. Each of them should be responsible for their IP ranges.
>
> I've just changed the group membership of a user via MS ADUC (connected to DC-2). It didn't replicate to DC-1...: 'net cache flush && groups DOMAIN\\user.name' shows all groups on DC2 and DC3, but on DC1 2 groups are missing.
>
> Steps I tried without any changes:
>
> * Waiting until the next morning (~ 12 hours)
> * Restarting all DCs one at a time
> * net cache flush (with or without restarting samba-ad-dc)
> * Moved all DCs to the default AD-Site
> * samba-tool dbcheck --cross-ncs --fix --yes on all 3 DCs
> * samba-tool drs replicate --full-sync --sync-forced DC1 DC2 DC=...
> * Transferring all FSMO from DC1 to DC2, demoting DC1, apt remove --purge samba on DC1 and a complete reinstall with rejoin
>
> Even after all of this: the groups of user.name are still the old values! DC2 and DC3 show the new membership info.
>
> Some more things I've tried:
>
> * wbinfo -g shows all groups correctly
> * getent group shows all groups correctly (if winbind enum groups is set to Yes)
> * samba-tool drs uptodateness shows all zeros (and 5 different "Unknown invocation ID XYZ" error messages spammed about)
> * samba-tool visualize uptodateness -r shows all green zeros (same error message as above)
> * samba-tool drs kcc is successful on all 3 DCs
> * samba-tool drs showrepl
>   o Shows 0 consecutive failures
>   o But all outbound connections on DC1 also show "Last attempt @ NTTIME(0) was successful" ... this means that no sync has been done - right?
>   o Inbound connections on DC properly show an up-to-date time+date
> * samba-tool ldapcmp ldap://DC2 ldap://DC1
>   o Result for [DOMAIN]: SUCCESS (all other partitions are a success too)
>   o But in [DOMAIN] 7 users are shown as:
>     + LdbError for dn CN=MEIN TESSTNAME,...: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT -? <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:939> <>')
>     + The user is named "Mein Teßtname" in ADUC...
>     + Is this a problem?
>     + The user with the missing groups has no ß in his name though...
>
> Does anybody have an idea what's wrong here? What do I need to do to debug it further?
>
> Thanks in advance!
>

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe
Amtsgericht Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
On 24/02/2021 09:36, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
>
> I just asked the user to ssh into DC1. And lo and behold after that he has the correct groups.
>
> I let him connect to a fileserver via SMB and it updated the groups correctly too. Yay

Yes, you can only rely on a user's groups being correct after the user has logged in.

> So it seems like the cache (on a Domain Member and on a DC) only gets updated if the user connects to it. net cache flush doesn't seem to do anything here.

'net cache flush' empties the winbind cache, so this wouldn't fix the problem you were having.

> Winbind Offline Logon is enabled. Is this the / a problem?

No, offline logon relies on the winbind cache being somewhere that survives a reboot (which on Debian it doesn't), so you need the user's data in the cache to begin with and this means the user has logged in at least once.

> Is there any command I could run to update the groups without asking the user to login to the machine?

You could run 'wbinfo -a username', but this will mean that you must know the user's password.

Why do you need to know what groups a user is a member of? If it is a case of 'is fred a member of groupA' then you could see if 'fred' has a 'memberOf' attribute containing the DN for 'groupA'

Rowland
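Rowland's memberOf check, plus a comparison of what two DCs return for the same user (the symptom in this thread), as an added example that is not part of the thread or of Samba. It assumes you have already saved each DC's ldbsearch or ldapsearch output for the user to a file; the LDIF below is constructed, and the user and group names are placeholders.

```python
import base64

def parse_ldif(text):
    """Parse ldbsearch/ldapsearch LDIF into {attr: [values]} dicts. Handles
    folded lines (leading space) and base64 'attr:: ...' values (non-ASCII DNs)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip() or line.startswith("#"):  # separator or comment
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value, e.g. a DN with ß or ü
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current = current if current is not None else {}
        current.setdefault(attr.lower(), []).append(value.strip())
    if current is not None:
        entries.append(current)
    return entries

def group_dns(entry):
    # DNs match case-insensitively; escaped commas etc. are not handled here
    return {d.strip().lower() for d in entry.get("memberof", [])}

def is_member(entry, group_dn):
    """Rowland's check: is the group's DN in the user's memberOf? Caveat: the
    primary group (primaryGroupID, usually Domain Users) never appears there."""
    return group_dn.strip().lower() in group_dns(entry)

def membership_diff(ldif_a, ldif_b):
    """Groups one DC lists but the other does not; non-empty means they disagree."""
    a, b = group_dns(parse_ldif(ldif_a)[0]), group_dns(parse_ldif(ldif_b)[0])
    return a - b, b - a

# Constructed sample output (not captured from a real DC): DC1 lags behind DC2.
GROUP_DE = "CN=Buchhaltung Süd,OU=Groups,DC=example,DC=com"
LDIF_DC1 = """dn: CN=fred,OU=Users,DC=example,DC=com
memberOf: CN=GroupA,OU=Groups,DC=example,DC=com
"""
LDIF_DC2 = LDIF_DC1 + f"""memberOf: CN=Fileserver Write,OU=Groups,
 DC=example,DC=com
memberOf:: {base64.b64encode(GROUP_DE.encode()).decode()}
"""
```

Run membership_diff on the two captures; a non-empty set on either side means that DC is serving stale membership for the user, independent of what winbind has cached.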