Oliver
2022-Aug-03 14:36 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
I checked out this article, where you helped a member of askubuntu with the same problem: https://askubuntu.com/questions/1309659/samba-domain-member-not-pulling-ad-group-user-info

I followed your instructions and set winbind before systemd inside nsswitch.conf, like:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns winss
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

On 03.08.2022 at 14:33, Oliver via samba wrote:
> Hello Rowland,
>
> thanks for your reply to my message. I could only check your answers
> today.
>
> On 29.07.2022 at 19:05, Rowland Penny wrote:
>> You can get 4.16.1 from Debian 11 backports
>
> Thanks for the information. I will try this out in a few days.
>
> The reason why I chose a self-compiled installation is that I will
> not get trouble when I run apt-get upgrade or other package
> installation tasks on the machines, and I get all the same versions on
> the machines.
>
>>> - getent group / user
>>> DOMAIN\domain users:x:10000:
>>> DOMAIN\sec-admin-home-unix-domain-administrators:x:10001:
>>> DOMAIN\sec-file-home-administrator:x:11000:
>>> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
>> No it isn't, so that is probably why it doesn't work.
>>
>> The user must be a member of the group that owns the directory and that
>> group must hold the SeDiskOperatorPrivilege
>>
>> Rowland
>
> Yes, thanks, that's true. I did not know that the getent group command
> also lists members of domain groups.
>
> I think that's the main problem here. But I really don't know why.
>
> When I look it up in the ADUC on my Windows host, the user james.bond is
> a member of the domain global group. And the domain global group is a
> member of the domain local group, like that:
>
> - james.bond -> Member of: sec-admin-home-fileshare-administrato
>
> - sec-admin-home-fileshare-administrator -> Member of:
>
> - sec-file-home-administrator -> Assigned as owner group of Fileshare
>   Directory
>
> (I also put the user directly inside the sec-file-home-administrator
> and tested the scenario)
>
>
> *All of them have a GID and can be found by getent, the output is:*
>
> # getent user "DOMAIN\james.bond"
>
> DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash
>
>
> # getent group "DOMAIN\\james.bond-group"
>
> DOMAIN\james.bond-group:x:39999:
>
>
> # getent group "DOMAIN\sec-admin-home-fileshare-administrator"
>
> DOMAIN\sec-file-home-administrator:x:11000:
>
>
> # getent group "DOMAIN\sec-admin-home-fileshare-administrator"
>
> DOMAIN\sec-admin-home-fileshare-administrator:x:18888:
>
>
> But the group members are not showing. Therefore, the user can't
> set up the ACL permissions for the file. He is not authorized. Also the
> Domain Users group and every other group I fill with users is not
> showing them. Not even when I added winbind enum in the global section
> of smb.conf:
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> winbind use default domain = yes
>
>
> Did I miss anything or is something destroyed?
>
> Can you give me some tips on how I can troubleshoot the issue in detail?
>
>
> My nsswitch.conf is:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns winss
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> Thanks,
>
> Oliver
Oliver
2022-Aug-04 16:54 UTC
[Samba] Cannot set Windows ACL on Sharefolder with other user than Administrator
Dear all,

some research later, I did some queries on my PDC and secondary DC. I figured out that the LDAP queries work and the group membership for LDAP is working.

I found an error when running samba-tool on the secondary DC. There is a missing secrets.ldb and sam.ldb. You will find it at the end of this message.

Can you help me to fix this? What did I do wrong?

Regards,
Oliver

General question marks, maybe somebody could answer:

- getent does not work on the primary DC
- wbinfo on the primary DC runs with or without a given domain, e.g. "DOMAIN\\USER" & "USER"
- wbinfo on the secondary DC only runs with a given domain, e.g. "DOMAIN\\USER"
- ldbsearch works only to the remote host primary DC.
- samba-tool on the primary DC runs only without a given domain, e.g. "USER"

Thanks in advance!

Oliver


Troubleshoot on Primary DC DC01:

1) getent

# getent group "Domain Users"
# getent group "DOMAIN\\Domain Users"
# getent passwd "james.bond"
# getent passwd "DOMAIN\\james.bond"

- no output for getent

2) wbinfo

# wbinfo --group-info "Domain Users"
DOMAIN\domain users:x:10000:
# wbinfo --group-info "DOMAIN\\Domain Users"
DOMAIN\domain users:x:10000:

3) ldbsearch

# ldbsearch -H ldap://DC01 -b "CN=Administrator,CN=Users,DC=DOMAIN,DC=local" memberOf primaryGroupID -U Administrator
Password for [DOMAIN\Administrator]:
# record 1
dn: CN=Administrator,CN=Users,DC=DOMAIN,DC=local
primaryGroupID: 513
memberOf: CN=Domain Admins,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=DOMAIN,DC=local
memberOf: CN=Administrators,CN=Builtin,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=james.bond,OU=Users,DC=DOMAIN,DC=local" memberOf primaryGroupID -U Administrator
Password for [DOMAIN\Administrator]:
# record 1
dn: CN=james.bond,OU=Users,DC=DOMAIN,DC=local
primaryGroupID: 513
memberOf: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local
memberOf: CN=sec-file-home-administrator,OU=Gruppen,OU=DOMAIN-OnPrem,DC=DOMAIN,DC=local
member: CN=james.bond,OU=Weitere-Mitglieder,OU=Familie,OU=Mitglieder,OU=Zuhaus
 e, DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local
member: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

4) Cache data

ls -ll /usr/local/samba/var/cache/
insgesamt 16
-rw------- 1 root root 12288  4. Aug 15:46 netsamlogon_cache.tdb
drwxr-xr-x 2 root root  4096 25. Feb 16:27 printing

5) tdb - Backends

ls -ll /usr/local/samba/private/
insgesamt 1012
drwx------ 2 root root   4096  4. Aug 17:07 msg.sock
-rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
-rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
-rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb

6) samba-tool

# samba-tool group listmembers "Domain Users"
svc-linuxreader-ldap
krbtgt
dns-DC01
svc-linuxreader-krb
svc-nextcloud-ldap
james.bond
Administrator
# samba-tool group listmembers "DOMAIN\\Domain Users"
ERROR: Failed to list members of "DOMAIN\Domain Users" group - Unable to find group "DOMAIN\Domain Users"
# samba-tool group listmembers "sec-file-home-administrator"
sec-admin-home-fileshare-administrator
# samba-tool group listmembers "sec-admin-home-fileshare-administrator"
sec-admin-home-fileshare-administrator


Troubleshoot on secondary DC DC02:

1) getent

# getent group "Domain Users"
# getent group "DOMAIN\\Domain Users"
DOMAIN\domain users:x:10000:
# getent passwd "james.bond"
# getent passwd "DOMAIN\\james.bond"
DOMAIN\james.bond:*:49999:39999::/home/james.bond:/bin/bash

2) wbinfo

# wbinfo --group-info "Domain Users"
DOMAIN\domain users:x:10000:
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group Domain Users
# wbinfo --group-info "DOMAIN\\Domain Users"
DOMAIN\domain users:x:10000:

3) ldbsearch

# ldbsearch -H ldap://DC01 -b "CN=james.bond,OU=Users,DC=DOMAIN,DC=local" memberOf primaryGroupID -U Administrator
Password for [DOMAIN\Administrator]:
# record 1
dn: CN=james.bond,OU=Users,DC=DOMAIN,DC=local
primaryGroupID: 513
memberOf: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local
memberOf: CN=sec-file-home-administrator,OU=Gruppen,,DC=DOMAIN,DC=local
member: CN=james.bond,OU=Users,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

# ldbsearch -H ldap://DC01 -b "CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local" member memberOf primaryGroupID -U Administrator
# record 1
dn: CN=sec-file-home-administrator,OU=Gruppen,DC=DOMAIN,DC=local
member: CN=sec-admin-home-fileshare-administrator,OU=Gruppen,DC=DOMAIN,DC=local

# returned 1 records
# 1 entries
# 0 referrals

4) Cache data

ls -ll /usr/local/samba/var/cache/
insgesamt 20
-rw-r--r-- 1 root root   235  4. Aug 17:18 browse.dat
-rw------- 1 root root 12288 31. Jul 11:21 netsamlogon_cache.tdb
drwxr-xr-x 2 root root  4096  4. Jul 17:11 printing

5) tdb - Backends

ls -ll /usr/local/samba/private/
insgesamt 1012
drwx------ 2 root root   4096  4. Aug 17:20 msg.sock
-rw------- 1 root root  32768  3. Aug 14:27 netlogon_creds_cli.tdb
-rw------- 1 root root 421888  4. Jul 17:11 passdb.tdb
-rw------- 1 root root 577536 30. Jul 10:02 secrets.tdb

6) samba-tool

# samba-tool group listmembers "Domain Users"
ldb: ltdb: tdb(/usr/local/samba/private/secrets.ldb): tdb_open_ex: could not open file /usr/local/samba/private/secrets.ldb: No such file or directory
ldb: Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/usr/local/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/secrets.ldb': No such file or directory
ltdb: tdb(/usr/local/samba/private/sam.ldb): tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/usr/local/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///usr/local/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/usr/local/samba/private/sam.ldb': No such file or directory
ERROR: Failed to list members of "Domain Users" group - (1, "Unable to open tdb '/usr/local/samba/private/sam.ldb': No such file or directory")
  File "/usr/local/samba/lib/python3.9/site-packages/samba/netcmd/group.py", line 527, in run
    samdb = SamDB(url=H, session_info=system_session(),
  File "/usr/local/samba/lib/python3.9/site-packages/samba/samdb.py", line 70, in __init__
    super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
  File "/usr/local/samba/lib/python3.9/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib/python3.9/site-packages/samba/samdb.py", line 86, in connect
    super(SamDB, self).connect(url=url, flags=flags,