
Re: [Samba] AD Group update lag / cache, firewall related?




On Fri, 25 Aug 2017 17:03:11 +0000
"A. James Lewis" <james@xxxxxxxxxx> wrote:

> # wbinfo -n working-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 69153
> 
> # wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 136399
> 
> The OS can use that group:-
> 
> # chgrp problem-group test.txt 
> # ls -asl test.txt 
> 0 -rw-r--r-- 1 root problem-group 0 Aug 25 17:55 test.txt
> #
> 
> It's not a case that the group is unavailable... it is that the user's
> group membership is incomplete:-
> 
> server02:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
> 119
> 
> server01:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
> 155
> 
> I must admit that I expected that upgrading from Samba 3.6 to 4.6
> would resolve this, but it did not!... and since a similarly
> configured server which is on the same LAN as the AD controller does
> not have this issue... while these servers are firewalled from the AD
> controller... I'm led to believe that some of the needed chatter
> between the AD controller and the server is blocked... but I'm
> slightly at a loss to find out what.
> 

For port usage, see here:

https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

It is just the same as a Windows DC.

The lack of group membership might not be a real problem, it may just
be a lack of displaying group membership.

Try creating a file in a share, chown to
'someotheruser:problemgroup' with permissions set to 0770, now see if
your user can open, change and save the file.

Rowland
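
Added example, not part of the original message: the loops quoted above count only the groups that `getent` could resolve, so a lower count can mean either that winbind returned fewer GIDs or that some returned GIDs did not resolve. This script separates the two cases from output captured on both servers; the file names, function names and sample GIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input files are captured on each server beforehand:
#   <host>.gids    output of:  wbinfo -r joeuser
#   <host>.groups  output of:  for i in $(wbinfo -r joeuser); do getent group "$i"; done

# GIDs in the reference list ($1) that the other server ($2) never returned.
gids_not_returned() {
    awk 'FILENAME == ARGV[1] { seen[$1]; next } NF && !($1 in seen)' "$2" "$1"
}

# GIDs winbind returned ($1) that have no getent group line ($2): these
# lower the "wc -l" count even though winbind listed them for the user.
gids_unresolved() {
    awk -F: 'FILENAME == ARGV[1] { seen[$3]; next } NF && !($1 in seen)' "$2" "$1"
}

# Name of GID $1 according to getent output $2 (empty if unknown).
gid_name() {
    awk -F: -v g="$1" '$3 == g { print $1; exit }' "$2"
}

# Report for the problem server, with names taken from the reference server.
report() {  # ref.gids ref.groups bad.gids bad.groups
    for g in $(gids_not_returned "$1" "$3"); do
        echo "not-returned $g $(gid_name "$g" "$2")"
    done
    for g in $(gids_unresolved "$3" "$4"); do
        echo "unresolved $g $(gid_name "$g" "$2")"
    done
}

# Constructed sample data (not from the thread): three groups on the
# reference server; the problem server misses one and cannot resolve another.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf '%s\n' 10513 11105 11200 > "$d/ref.gids"
printf '%s\n' 'domain users:x:10513:' 'working-group:x:11105:' \
              'problem-group:x:11200:' > "$d/ref.groups"
printf '%s\n' 10513 11200 > "$d/bad.gids"
printf '%s\n' 'domain users:x:10513:' > "$d/bad.groups"
report "$d/ref.gids" "$d/ref.groups" "$d/bad.gids" "$d/bad.groups"
```

A "not-returned" line points at the membership lookup against the DC, while an "unresolved" line points at ID mapping or name resolution on the member server.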
