
[Samba] winbind inconsistent group membership




I have 4 Samba 4.7.0 DCs. I have 3 clients using samba-winbind.x86_64 0:4.6.2-11.el7_4 with an identical configuration, which produce inconsistent user group membership for multiple users. I've tried using all 4 DCs explicitly (e.g., realm = dc01.mediture.dom), net cache flush and restarting winbind. I've also tested cloning a user and setting the clone up to be as identical to the original as possible: the cloned user showed the correct membership, but the original did not. The ldapcmp tool finds no relevant differences between the DCs.

I've had this issue through multiple versions of Samba on each side, which I believe includes winbind from samba 3.

Client config:

[global]
    #--authconfig--start-line--
    workgroup = MEDITURE
    password server = dc01.mediture.dom vsc-dc02.mediture.dom aws-dc01.mediture.dom epo-dc01.mediture.dom
    realm = MEDITURE.DOM
    security = ads

    template homedir = /home/%U
    template shell = /bin/bash

    winbind use default domain = true

    #--authconfig--end-line--
    server string = Samba Server Version %v

    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50

    passdb backend = tdbsam

    winbind cache time = 900
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes

    kerberos method = secrets and keytab

    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000

    idmap config MEDITURE: backend = ad
    idmap config MEDITURE: range = 10000-49999
    idmap config MEDITURE: schema mode = rfc2307

DC config:

[global]
    log level = 1 auth_audit:3
    workgroup = MEDITURE
    realm = MEDITURE.DOM
    netbios name = DC01

    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    tls enabled = yes
    tls keyfile  = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile   = tls/ca.pem

    template homedir = /home/%U
    template shell = /bin/bash

    server string = Samba Server Version %v

    server max protocol = SMB3
    # allow trusted domains = no
    ldap server require strong auth = no
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes

    kerberos method = secrets and keytab

    idmap_ldb:use rfc2307 = yes

#   idmap config *: backend = tdb
#   idmap config *: range = 90000001-100000000
# idmap config MEDITURE: backend = ad
#   idmap config MEDITURE: range = 10000-49999
#   idmap config MEDITURE: schema mode = rfc2307

    kccsrv:samba_kcc = false

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/mediture.dom/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[deploy]
    path = /usr/local/samba/var/deploy
    read only = No

Example:

[root@appdb03 ~]# wbinfo -r mikes
10513
11143
10516
11162
90000002

[root@qa503 ~]# wbinfo -r mikes
10513
90000002

[root@great02 ~]# wbinfo -r mikes
10513
90000002

Thanks,
Arthur

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer@xxxxxxxxxxxx.

