Hello Rowland.
Thanks a lot for your comments. They have been really useful for me.
As you asked me, this is the current smb.conf file content.
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ADS
netbios name = SAMBA01
server string = Samba Server AD Member Version %v
load printers = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# client signing = mandatory
# server signing = mandatory
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
# client min protocol = SMB2
# server min protocol = SMB2
# idmap config * : backend = tdb
# idmap config * : range = 3000-7999
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 10000-20000000
idmap uid = 10000-20000000
idmap uid = 10000-20000000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind offline logon = no
winbind refresh tickets = yes
# dns proxy = no
# log level = 10 auth:10 full_audit:10 winbind:10
[raid]
path = /mnt/RAID/Datos
comment = Directorio datos locales
read only = no
browseable = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
force group = nogroup
create mask = 0666
directory mask = 0777
[extra01]
path = /mnt/usb01/Datos
comment = Disco extra 01
read only = no
browseable = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
As you can see, I have some lines commented out for tests that I did.
Also you told me that the user's rights aren't refreshed until the user's
re-authentication. But the users are defined in AD and logged in from Windows
boxes.
I tried to close the session on the remote machine but the rights changes were not
applied. For this reason I tried to use id on the server itself and then I
saw that the groups the user belongs to do not change when I change them
in AD.
Also I tried to restart smbd, nmbd and winbind every time I change AD
groups, but no success.
Thanks a lot for sharing your knowledge with us.
Message from Rowland Penny via samba <samba at lists.samba.org> on Tue, 22
Jul 2025 at 10:29:
> On Tue, 22 Jul 2025 10:13:44 +0200
> Josep M Gorro via samba <samba at lists.samba.org> wrote:
>
> > Dear all.
> >
> > I've a Windows AD running. An Ubuntu 24.04 with samba 4.19.5 has been
> > merged to AD without problems.
> > But I'm experiencing an issue.
> >
> > When I try to get an ID from a user (id username at DOMAIN.LOCAL) it
> > gets the information from AD fine. But, after some time, when I
> > change something on AD (like user group membership) it does not
> > appear in the id command result. But if I use ldapsearch for the same
> > user the result is fine.
> >
> > I'm suspicious about the kerberos ticket obtained to proceed with the
> > net ads join. When this ticket expires, all user information
> > is obtained from cache.
> >
> > Am I correct in this suspicion?
>
> Sorry, but no, the kerberos ticket used to join a computer isn't used
> after the join. Once a computer is joined using 'net ads join' it gets
> its own ticket and that is used.
>
> Your problem is that the user's groups are read at logon and not updated
> until the user re-authenticates.
>
> >
> > How can I correct it?
> >
> > In smb.conf I've:
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind enum users = yes
> > winbind enum groups = yes
>
> You do not require the 'winbind enum' lines, Samba will work perfectly
> well without them and if you have a large domain, can slow things down.
>
> > winbind use default domain = yes
> > winbind offline logon = no
> > winbind refresh tickets = yes
> >
> > Any help will be appreciated.
>
> I cannot comment on your authentication method, you haven't shown it,
> posting just part of the smb.conf is rarely helpful.
>
> Rowland
>
--
http://www.linkedin.com/in/jmgorro
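As an added illustration (not code from either poster or from the Samba project), the small checker below parses an smb.conf in the way Samba reads it (case- and whitespace-insensitive keys, '#'/';' comments) and reports the three things this thread turns up: a duplicated key in [global], a misspelled share parameter, and the 'winbind enum' lines Rowland says are unnecessary. The KNOWN set is a deliberately short subset chosen for this check, and SAMPLE is a constructed excerpt of the posted file; 'testparm' remains the authoritative validator.

```python
# Parameters accepted by this check (a small subset; 'testparm' is the real authority).
KNOWN = {"workgroup", "realm", "security", "idmap config", "idmap uid", "idmap gid",
         "winbind enum users", "winbind enum groups", "path", "comment", "read only",
         "vfs objects", "map acl inherit", "store dos attributes", "create mask"}
# Constructed excerpt mirroring the posted smb.conf (not the full file).
SAMPLE = """\
[global]
workgroup = DOMAIN
security = ADS
idmap config DOMAIN: backend = rid
idmap uid = 10000-20000000
idmap uid = 10000-20000000
winbind enum users = yes
winbind enum groups = yes
[raid]
path = /mnt/RAID/Datos
store dos attributeas = yes
"""

def parse_smb_conf(text):
    # Returns {section: [(key, value), ...]}; repeats are kept so duplicates stay visible.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or commented-out line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()   # Samba ignores case and spacing in names
        sections.setdefault(current, []).append((key, value.strip()))
    return sections

def lint(text):
    # Flags misspelled parameters, duplicate keys, and 'winbind enum ... = yes'.
    findings = []
    for section, items in parse_smb_conf(text).items():
        seen = set()
        for key, value in items:
            base = "idmap config" if key.startswith("idmap config") else key
            if base not in KNOWN:
                findings.append(f"[{section}] unknown parameter '{key}' (typo?)")
            if key in seen:
                findings.append(f"[{section}] duplicate parameter '{key}'")
            seen.add(key)
            if key.startswith("winbind enum") and value.lower() == "yes":
                findings.append(f"[{section}] '{key} = yes' is not needed and slows large domains")
    return findings
```

Run it on the real file with `lint(open("/etc/samba/smb.conf").read())` after widening KNOWN, or simply compare its duplicate/typo findings with what `testparm -s` silently drops.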