
Re: [Samba] missing group affiliation on ad dc

On Mon, 8 Oct 2018 17:08:05 +0200
basti mueller via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> I've a strange problem. I migrated my NT4 PDC to an AD on my Debian
> stretch (Samba version is 4.5.12).
> The Domain Controller has some shares for my users. 
> One user just told me he can't access the share...before the
> migration he was able to access the share btw! So I checked the ACLs
> of this share.
> It's:
> root@server:~# getfacl /media/exampleshare
> # file: media/exampleshare
> # owner: EXAMPLE\134fileadmin
> # group: EXAMPLE\134mitarbeiter
> user::rwx
> group::---
> group:BUILTIN\134administrators:rwx
> group:EXAMPLE\134sharegroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:EXAMPLE\134sharegroup:rwx
> default:mask::rwx
> default:other::---
> After this I did a "groups exampleuser" on my domain controller:
> root@server:~# groups exampleuser
> exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop
> EXAMPLE\mitarbeiter 
> but there is no "EXAMPLE\sharegroup"....so everything makes sense..

You cannot rely on the output of 'groups' etc. unless the user has
logged in.

> anyway.. if I do a "samba-tool group listmembers sharegroup" on my
> domain controller I see the user in this list! >.< If I just run RSAT
> Active Directory Users and Computers I see it too! The user is a member
> of the sharegroup.

Then the user is a member of 'sharegroup'; the samba-tool command
searches AD for 'memberOf' attributes containing the DN of the group
and then prints the samAccountName from the 'memberOf' attributes.
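
Added example (not part of the original thread and not Samba code): a small Python check that parses the access ACL quoted above, undoes getfacl's octal escaping (\134 is the backslash), and applies the POSIX ACL evaluation order to a given group list. The function names and the user name EXAMPLE\exampleuser are assumptions; the group list passed in is assumed to be the one the process actually carries.

```python
import re

# Constructed sample: the access ACL from the getfacl output quoted above
# (default: entries left out, they only apply to newly created files).
SAMPLE_ACL = r"""# file: media/exampleshare
# owner: EXAMPLE\134fileadmin
# group: EXAMPLE\134mitarbeiter
user::rwx
group::---
group:BUILTIN\134administrators:rwx
group:EXAMPLE\134sharegroup:rwx
mask::rwx
other::---
"""

def unescape(name):
    # getfacl prints special characters as octal escapes: \134 is "\", \040 is " "
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    acl = {"owner": None, "group": None, "mask": "rwx", "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = unescape(value.strip())
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            if tag == "mask":
                acl["mask"] = perms[:3]
            else:
                acl["entries"].append((tag, unescape(qualifier), perms[:3]))
    return acl

def can_access(acl, user, groups, want):
    """POSIX ACL order: owner, named user, any matching group, other."""
    def grants(perms, use_mask=True):
        mask = acl["mask"] if use_mask else "rwx"
        return set(want) <= {p for p, m in zip(perms, mask) if p == m != "-"}
    entries = acl["entries"]
    if user == acl["owner"]:
        return any(grants(p, False) for t, q, p in entries if (t, q) == ("user", ""))
    named = [p for t, q, p in entries if t == "user" and q == user]
    if named:
        return grants(named[0])
    matched = [p for t, q, p in entries if t == "group" and (q or acl["group"]) in groups]
    if matched:  # a group matched: the decision is made here, "other" is never consulted
        return any(grants(p) for p in matched)
    return any(grants(p, False) for t, q, p in entries if t == "other")
```

With the three groups listed by 'groups exampleuser' the only match is the owning group entry (group::---), so access is denied; adding EXAMPLE\sharegroup to the list grants rwx.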

