Paul Griffith
2026-Jan-12 14:46 UTC
[Samba] groups command not listing supplementary groups
Hello Samba Team,
We are experiencing a rather unusual issue with Samba.
On some of our systems, the 'groups' command is not retrieving the
correct supplementary group membership, and this is causing various
permissions-based issues.
For example:
% groups webapp
webapp : webappg domain users
Note that it shows webapp is only a part of webappg and "domain
users".
What it should be showing (and shows on other machines):
% groups webapp
webapp : webappg domain users faculty hc_server submit hc_prism hc_public
privkey
Rebooting the server, or even restarting winbind, will cause the correct group
membership to come back.
This problem first occurred after we upgraded from Samba 4.21.6 to 4.22.7 (on
the Linux AD clients and the AD server). As a test, we reverted the problematic
host to 4.21.10 to see if the issue would stop, and it did. Something has
changed with 4.22.7. It is odd in the sense that it appears to be intermittent.
On another system:
% groups radman
radman : grad domain users
And while I was exploring to find out why this was, the group membership came
back:
% groups radman
radman : grad domain users guac_res guac_edu hc_ispm guac_ea hc_dslab hc_mmlab
hc_prism hc_public hc_nslab hc_senior hc_research vboxusers tsmc130nm cmosp18
mixsigkit guac_intelect guac_icsl hc_icsl
Here are our config files, which have not changed.
On the host in question (Linux AD client):
------
egrep -i '^passwd|^group' /etc/nsswitch.conf
passwd: files winbind systemd
group: files winbind systemd
/etc/krb5.conf:
[libdefaults]
default_realm = AD.HOST.HOST.CA
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
forwardable = true
renew_lifetime = 7d
[realms]
AD.HOST.HOST.CA = {
kdc = xx.xx.xx.66
kdc = xx.xx.xx.67
master_kdc = xx.xx.xx.66
auth_to_local = RULE:[1:$1@$0](^.*\$@AD.HOST.HOST.CA)s/.*/root/
auth_to_local = DEFAULT
}
[domain_realm]
ad.host.host.ca = AD.HOST.HOST.CA
.ad.host.host.ca = AD.HOST.HOST.CAA
host.host.ca .host.host.ca = AD.HOST.HOST.CAA
/etc/samba/smb.conf
[global]
workgroup = HOSTHOSTCA
security = ADS
realm = AD.HOST.HOST.CA
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use krb5 enterprise principals = no
winbind max clients = 600
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# idmap config for the HOSTHOSTCA domain
# range should match UNIX ID in AD
idmap config HOSTHOSTCA : backend = ad
idmap config HOSTHOSTCA : schema_mode = rfc2307
idmap config HOSTHOSTCA : range = 1000-999999
idmap config HOSTHOSTCA : unix_primary_group = yes
idmap config HOSTHOSTCA : unix_nss_info = yes
# Renew the kerberos tickets
winbind refresh tickets = yes
# Enable offline logins
winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users = no
winbind enum groups = no
# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U
#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 1
max log size = 0
# printing (none)
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# security
username map = /xconf/samba/usermap
guest account = nobody
----
Background info:
All systems are running Samba compiled from source on Rocky Linux
release 8.10.
Samba 4.22.7 build info:
smbd -b
Paths:
SBINDIR: /xsys/pkg/samba-4.22.7/sbin
BINDIR: /xsys/pkg/samba-4.22.7/bin
CONFIGFILE: /etc/samba/smb.conf
LOGFILEBASE: /local/log
LMHOSTSFILE: /etc/samba/lmhosts
LIBDIR: /xsys/pkg/samba-4.22.7/lib
DATADIR: /xsys/pkg/samba-4.22.7/share
SAMBA_DATADIR: /xsys/pkg/samba-4.22.7/share/samba
MODULESDIR: /xsys/pkg/samba-4.22.7/lib
SHLIBEXT: so
LOCKDIR: /local/samba/lock
STATEDIR: /local/samba/locks
CACHEDIR: /local/samba/cache
PIDDIR: /run
SMB_PASSWD_FILE: /local/samba/private/smbpasswd
PRIVATE_DIR: /local/samba/private
BINDDNS_DIR: /xsys/pkg/samba-4.22.7/bind-dns
Build Options:
AD_DC_BUILD_IS_ENABLED
ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
BOOL_DEFINED
BROKEN_NISPLUS_INCLUDE_FILES
COMPILER_SUPPORTS_LL
CONFIG_H_IS_FROM_SAMBA
DEFAULT_DOS_CHARSET
DEFAULT_UNIX_CHARSET
ENABLE_GPGME
GETCWD_TAKES_NULL
INLINE_MACRO
KRB5_CONST_PAC_GET_BUFFER
KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
KRB5_PRINC_REALM_RETURNS_REALM
LDAP_DEPRECATED
LDAP_SET_REBIND_PROC_ARGS
LIBREPLACE_NETWORK_CHECKS
LINUX
LINUX_SENDFILE_API
REALPATH_TAKES_NULL
RETSIGTYPE
SAMBA4_USES_HEIMDAL
SHLIBEXT
SIZEOF_BLKCNT_T_8
SIZEOF_BOOL
SIZEOF_CHAR
SIZEOF_DEV_T
SIZEOF_INO_T
SIZEOF_INT
SIZEOF_INT16_T
SIZEOF_INT32_T
SIZEOF_INT64_T
SIZEOF_INT8_T
SIZEOF_KEY_SERIAL_T
SIZEOF_LONG
SIZEOF_LONG_LONG
SIZEOF_OFF_T
SIZEOF_SHORT
SIZEOF_SIZE_T
SIZEOF_SSIZE_T
SIZEOF_TIME_T
SIZEOF_UINT16_T
SIZEOF_UINT32_T
SIZEOF_UINT64_T
SIZEOF_UINT8_T
SIZEOF_VOID_P
SRCDIR
STAT_STATVFS
STAT_ST_BLOCKSIZE
STDC_HEADERS
STRING_SHARED_MODULES
STRING_STATIC_MODULES
SUMMARY_PASSES
SYSCONF_SC_NGROUPS_MAX
SYSCONF_SC_NPROCESSORS_ONLN
SYSCONF_SC_PAGESIZE
SYSTEM_UNAME_MACHINE
SYSTEM_UNAME_RELEASE
SYSTEM_UNAME_SYSNAME
SYSTEM_UNAME_VERSION
TALLOC_BUILD_VERSION_MAJOR
TALLOC_BUILD_VERSION_MINOR
TALLOC_BUILD_VERSION_RELEASE
TEVENT_NUM_SIGNALS
TIME_T_MAX
TIME_T_SIGNED
TIME_WITH_SYS_TIME
USE_TDB_MUTEX_LOCKING
USING_EMBEDDED_HEIMDAL
USING_SYSTEM_POPT
VALUEOF_NSIG
VALUEOF_SIGRTMAX
VALUEOF_SIGRTMIN
VALUEOF__NSIG
VOID_RETSIGTYPE
WINEXE_LDFLAGS
WORKING_GETCONF_LFS_CFLAGS
XSLTPROC_MANPAGES
_GNU_SOURCE
_HAVE_SENDFILE
_POSIX_FALLOCATE_CAPABLE_LIBC
_SAMBA_BUILD_
_XOPEN_SOURCE_EXTENDED
__TIME_T_MAX
idmap_ad_init
idmap_autorid_init
idmap_hash_init
idmap_rfc2307_init
idmap_rid_init
idmap_script_init
idmap_tdb2_init
offset_t
static_decl_auth
static_decl_charset
static_decl_gpext
static_decl_idmap
static_decl_nss_info
static_decl_pdb
static_decl_vfs
static_init_auth
static_init_charset
static_init_gpext
static_init_idmap
static_init_nss_info
static_init_pdb
static_init_vfs
uint_t
vfs_acl_tdb_init
vfs_acl_xattr_init
vfs_aio_fork_init
vfs_aio_pthread_init
vfs_audit_init
vfs_btrfs_init
vfs_cap_init
vfs_catia_init
vfs_commit_init
vfs_crossrename_init
vfs_default_quota_init
vfs_dirsort_init
vfs_expand_msdfs_init
vfs_extd_audit_init
vfs_fake_perms_init
vfs_fileid_init
vfs_fruit_init
vfs_full_audit_init
vfs_glusterfs_fuse_init
vfs_gpfs_init
vfs_linux_xfs_sgid_init
vfs_media_harmony_init
vfs_offline_init
vfs_posix_eadb_init
vfs_preopen_init
vfs_readahead_init
vfs_readonly_init
vfs_recycle_init
vfs_shadow_copy2_init
vfs_shadow_copy_init
vfs_shell_snap_init
vfs_snapper_init
vfs_streams_depot_init
vfs_streams_xattr_init
vfs_syncops_init
vfs_time_audit_init
vfs_unityed_media_init
vfs_virusfilter_init
vfs_widelinks_init
vfs_worm_init
vfs_xattr_tdb_init
----------
Any suggestions to help further troubleshoot and resolve this would be
appreciated.
Thank you
Paul Griffith
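As an added troubleshooting aid (not part of the original post, and not a Samba tool), the script below compares the supplementary GIDs that the NSS layer hands out for a user (`id -G`, i.e. what processes and file permission checks actually see) with the GIDs winbindd itself reports for that user (`wbinfo -r`), and names any group that winbind knows about but NSS has dropped. It assumes `winbind use default domain = yes` as in the posted smb.conf, so bare usernames resolve; `missing_groups`, `gid_to_name` and `check_user` are names chosen here, not Samba ones. The comparison is done on numeric GIDs rather than names so that group names containing spaces ("domain users") cannot be mis-split.

```shell
#!/bin/sh
# Added example: compare NSS group membership with winbindd's own view.
# Not from the Samba project; helper names are this script's own.

# missing_groups EXPECTED ACTUAL
# Both arguments are whitespace-separated GID lists. Prints, space-separated,
# every GID present in EXPECTED but absent from ACTUAL (empty if none).
missing_groups() {
    expected=$1
    actual=$2
    missing=""
    for g in $expected; do
        found=0
        for a in $actual; do
            [ "$g" = "$a" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && missing="$missing $g"
    done
    printf '%s\n' "${missing# }"
}

# gid_to_name GID: resolve a GID through NSS (files, winbind, ...) to a name.
gid_to_name() {
    getent group "$1" | cut -d: -f1
}

# check_user USER: returns 0 if NSS and winbind agree, 1 if NSS is missing
# groups that winbindd reports (the symptom described in the thread).
check_user() {
    user=$1
    # What the kernel/NSS layer hands to processes owned by this user.
    nss_gids=$(id -G "$user")
    # What winbindd believes, straight from the daemon (one GID per line).
    # Assumes 'winbind use default domain = yes', so no DOMAIN\ prefix needed.
    wb_gids=$(wbinfo -r "$user" | tr '\n' ' ')
    lost=$(missing_groups "$wb_gids" "$nss_gids")
    if [ -z "$lost" ]; then
        echo "$user: NSS and winbind agree ($(echo "$nss_gids" | wc -w) groups)"
        return 0
    fi
    echo "$user: groups known to winbind but missing from NSS:"
    for gid in $lost; do
        printf '  %s (%s)\n' "$gid" "$(gid_to_name "$gid")"
    done
    return 1
}

# Usage: sh check_groups.sh webapp
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

Run it on an affected host while the symptom is present and again after `winbind` is restarted; if `wbinfo -r` already lists the full set while `id -G` does not, the loss is between winbindd and the NSS lookup path (the layer the 'winbind expand groups' setting influences), whereas if both are short the client is not receiving the full membership from the DC in the first place.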
Rowland Penny
2026-Jan-12 15:03 UTC
[Samba] groups command not listing supplementary groups
On Mon, 12 Jan 2026 14:46:06 +0000
Paul Griffith via samba <samba at lists.samba.org> wrote:

> Hello Samba Team,
>
> We are experiencing a rather unusual issue with Samba.
>
> On some of our systems, the 'groups' command is not retrieving the
> correct supplementary group membership and is causing various
> permissions-based issues.
>
> For example:
>
> % groups webapp
> webapp : webappg domain users
>
> Note that it shows webapp is only a part of webappg and "domain
> users".
>
> What it should be showing (and shows on other machines):
>
> % groups webapp
> webapp : webappg domain users faculty hc_server submit hc_prism
> hc_public privkey
>
> Reboot the server, or even restarting winbind will cause the correct
> group membership to come back.
>

Try adding 'winbind expand groups = 1' to the smb.conf on the client.

Rowland