Web lists-archives.com

Re: [Samba] missing group affiliation on ad dc




On Mon, 8 Oct 2018 17:08:05 +0200
basti mueller via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I've a strange problem. I migrated my NT4 PDC to a ad on my debian
> stretch (samba version is 4.5.12). 
> 
> The Domain Controller has some shares for my users. 
> 
> One user just told me he can't access the share...before the
> migration he was able to access the share btw! So I checked the ACL's
> of this share. 
> 
> Its:
> root@server:~# getfacl /media/exampleshare
> # file: media/exampleshare
> # owner: EXAMPLE\134fileadmin
> # group: EXAMPLE\134mitarbeiter
> user::rwx
> group::---
> group:BUILTIN\134administrators:rwx
> group:EXAMPLE\134sharegroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:EXAMPLE\134sharegroup:rwx
> default:mask::rwx
> default:other::---
> 
> 
> After this I did a "groups exampleuser" on my domain controller:
> root@server:~# groups exampleuser
> exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop
> EXAMPLE\mitarbeiter 
> 
> but there is no "EXAMPLE\sharegroup"....so everything make sense..

You cannot rely on the output of 'groups' etc unless the user has
logged in.

> 
> anyway.. if I do a "samba-tool group listmembers sharegroup" on my
> domain controller I see the user in this list! >.< If I just run RSAT
> Active Directory User and Computers I see it too! The user is member
> of the sharegroup.

Then the user is a member of 'sharegroup', the samba-tool command
searches AD for 'memberOf' attributes containing the DN of the group
and then prints the samAccountName from the 'memberOf' attributes.

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba