[Samba] winbind inconsistent group membership
- Date: Tue, 10 Oct 2017 12:54:11 -0500
- From: Arthur Ramsey via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] winbind inconsistent group membership
I have 4 Samba 4.7.0 DCs. I have 3 clients using samba-winbind.x86_64 0:4.6.2-11.el7_4 with an identical configuration, which produce inconsistent user group membership for multiple users. I've tried using all 4 DCs explicitly (e.g., realm = dc01.mediture.dom), net cache flush and restarting winbind. I've also tested cloning a user and setting up the user as identically as possible: the cloned user showed the correct membership but not the original. The ldapcmp tool finds no relevant differences between DCs.
I've had this issue through multiple versions of Samba on each side, which I believe includes winbind from Samba 3.
Client config:

[global]
#--authconfig--start-line--
workgroup = MEDITURE
password server = dc01.mediture.dom vsc-dc02.mediture.dom aws-dc01.mediture.dom epo-dc01.mediture.dom
realm = MEDITURE.DOM
security = ads
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
#--authconfig--end-line--
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
passdb backend = tdbsam
winbind cache time = 900
winbind refresh tickets = yes
winbind offline logon = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
kerberos method = secrets and keytab
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
idmap config MEDITURE: backend = ad
idmap config MEDITURE: range = 10000-49999
idmap config MEDITURE: schema mode = rfc2307

DC config:

[global]
log level = 1 auth_audit:3
workgroup = MEDITURE
realm = MEDITURE.DOM
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
template homedir = /home/%U
template shell = /bin/bash
server string = Samba Server Version %v
server max protocol = SMB3
# allow trusted domains = no
ldap server require strong auth = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
# idmap config *: backend = tdb
# idmap config *: range = 90000001-100000000
# idmap config MEDITURE: backend = ad
# idmap config MEDITURE: range = 10000-49999
# idmap config MEDITURE: schema mode = rfc2307
kccsrv:samba_kcc = false

[netlogon]
path = /usr/local/samba/var/locks/sysvol/mediture.dom/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[deploy]
path = /usr/local/samba/var/deploy
read only = No

Example:

[root@appdb03 ~]# wbinfo -r mikes
10513
11143
10516
11162
90000002

[root@qa503 ~]# wbinfo -r mikes
10513
90000002

[root@great02 ~]# wbinfo -r mikes
10513
90000002

Thanks,
Arthur
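An added diagnostic for the situation in the post above (example code, not from the post or from the Samba project): it parses `wbinfo -r <user>` output captured from several winbind clients, reports which GIDs some clients return and others do not, and labels each GID with the idmap backend whose range it falls in, using the two ranges from the client smb.conf in the post. The sample outputs are constructed from the three listings quoted in the post; the host names are the ones in the post. Collecting the real output from each client (for example over ssh) is left to the caller.

```python
#!/usr/bin/env python3
"""Compare `wbinfo -r <user>` across winbind clients and classify each GID by
the idmap range that produced it.  Added example, not code from the post."""

# idmap ranges copied from the client smb.conf in the post.
IDMAP_RANGES = {
    "MEDITURE (backend = ad, gidNumber from AD)": (10000, 49999),
    "* (backend = tdb, allocated in the client's local idmap tdb)": (90000001, 100000000),
}

# Constructed sample input: the three `wbinfo -r mikes` listings from the post.
SAMPLE_OUTPUT = {
    "appdb03": "10513\n11143\n10516\n11162\n90000002\n",
    "qa503": "10513\n90000002\n",
    "great02": "10513\n90000002\n",
}


def parse_wbinfo_r(text):
    """Turn raw `wbinfo -r` output (one numeric GID per line) into a set of ints."""
    gids = set()
    for line in text.splitlines():
        line = line.strip()
        if line.isdigit():
            gids.add(int(line))
    return gids


def classify_gid(gid):
    """Name the idmap backend whose configured range contains gid."""
    for label, (low, high) in IDMAP_RANGES.items():
        if low <= gid <= high:
            return label
    return "outside every configured range"


def compare_hosts(outputs):
    """Return (union of all GIDs, {host: sorted GIDs that host did not return})."""
    per_host = {host: parse_wbinfo_r(text) for host, text in outputs.items()}
    union = set().union(*per_host.values())
    missing = {
        host: sorted(union - gids)
        for host, gids in per_host.items()
        if union - gids
    }
    return union, missing


def report(outputs):
    """Build a human-readable list of findings; returns the lines instead of printing."""
    union, missing = compare_hosts(outputs)
    lines = []
    for gid in sorted(union):
        absent_on = sorted(h for h, gids in missing.items() if gid in gids)
        status = "consistent" if not absent_on else "missing on " + ", ".join(absent_on)
        lines.append(f"gid {gid}: {classify_gid(gid)}: {status}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Reading the output: GIDs in the MEDITURE range are taken from the gidNumber attribute in AD, so every client should return the same set for the same user, and a client that lacks one of them has a group-lookup problem (cache, the DC it talked to, nested group expansion) rather than an ID-mapping problem. GIDs in the `*` range come from the tdb backend, which allocates them on each client independently, so the same number on two clients does not necessarily denote the same group; check with `wbinfo --gid-to-sid=<gid>` on each host before treating those as consistent.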