
Re: [Samba] Odd behavior on group membership




Hi Rowland,

Those tests were made on DC (araucaria), not a domain member.

root@araucaria:~# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        ldap server require strong auth = No
        log file = /var/log/samba/%m.log
        ntlm auth = ntlmv1-permitted
        passdb backend = samba_dsdb
        realm = AD.TLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        template homedir = /home/usuarios/%U
        template shell = /bin/bash
        wins support = Yes
        workgroup = A1
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/ad.tld/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
root@araucaria:~#

On 27/11/2018 17:14, Rowland Penny via samba wrote:
On Tue, 27 Nov 2018 16:39:41 -0200
Marcio Vogel Merlone dos Santos via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

I have a samba 4.7 AD DC running on an Ubuntu 18.04 server with distro
packages. I update a user with a new group and this new membership is
not reflected on that user. In the example below, I can successfully add
the user "test.account" to group "test", but not my user
"marcio.merlone":

root@araucaria:~# id test.account
uid=30214(A1\test.account) gid=100(users) groups=100(users),3000008(BUILTIN\users)
root@araucaria:~# samba-tool group addmembers test test.account
Added members to group test
root@araucaria:~# id test.account
uid=30214(A1\test.account) gid=100(users) groups=100(users),3000203(A1\test),3000008(BUILTIN\users)

User test.account was added successfully to group test. Although:

root@araucaria:~# samba-tool group addmembers test marcio.merlone
Added members to group test
root@araucaria:~# id marcio.merlone
uid=1014(A1\marcio.merlone) gid=100(users) groups=100(users),512(A1\domain admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
root@araucaria:~#

Group "test" does not show up. Also tried changing groups using ADUC
and LDAP Account Manager, no diff.

Those tests were made on the DC for debugging purposes, but I need this
membership change reflected on a member server running a squid proxy.
Tracked it down to the DC not working as expected either. The same happens
when removing a group membership.

Already tried net cache flush, winbind + smbd + nmbd restart,
removing tdb files from /var/lib, no luck.

Any thoughts?

Is this on a Unix domain member ?

gid=100(users) shows that this is probably on a DC and 'Domain Users'
doesn't have a gidNumber (unless it is set to '100')

10012(BUILTIN\administrators) shows that 'administrators' does have a
gidNumber

'winbind + smbd + nmbd restart' would suggest it is a Unix domain member

Oh, God, you are right, my bad. Should have restarted ad-dc.


--
*Marcio Merlone*
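The thread resolves as "restart the right service": on an AD DC winbindd is one of the `server services` inside the `samba` process, so restarting a standalone winbind/smbd/nmbd leaves the DC's cached group view untouched. The following is an added example, not code from the thread or from the Samba project: a small POSIX sh diagnostic that reads `testparm` and `id` output, checks whether a group is already visible, and names the unit to restart. The function names, the unit names `samba-ad-dc` and `winbind` (Debian/Ubuntu packaging is assumed), and the sample output strings are my own; the samples are constructed to mirror the uids and gids posted above.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a stale group membership
# and decide which Samba unit to restart, based on the server role.
# All sample input below is constructed; run it offline.

# Extract the "Server role:" line from `testparm -s` output read on stdin.
samba_role() {
    sed -n 's/^Server role: *//p' | head -n 1
}

# Map the role to the unit whose restart rebuilds winbind's view.
# Assumption: Debian/Ubuntu unit names. On an AD DC winbindd runs inside
# the samba process ("server services = ... winbindd ..."), so restarting
# winbind/smbd/nmbd on their own, as tried in the thread, changes nothing.
service_for_role() {
    case "$1" in
        ROLE_ACTIVE_DIRECTORY_DC) echo samba-ad-dc ;;
        ROLE_DOMAIN_MEMBER)       echo winbind ;;
        *)                        return 1 ;;
    esac
}

# Exit 0 when the `id` output on stdin lists group $1 (e.g. 'A1\test').
# Fixed-string match including the parentheses, so 'A1\test' does not
# also match 'A1\testing'.
id_has_group() {
    grep -qF "($1)"
}

# $1: testparm output, $2: id output, $3: group that should be present.
# Prints "ok" (exit 0) when the group is visible, otherwise the restart
# command to run before re-checking (exit 1); exit 2 if the role is unknown.
membership_check() {
    role=$(printf '%s\n' "$1" | samba_role)
    if printf '%s\n' "$2" | id_has_group "$3"; then
        echo ok
        return 0
    fi
    svc=$(service_for_role "$role") || { echo "unknown server role: $role"; return 2; }
    echo "systemctl restart $svc"
    return 1
}

# Constructed samples mirroring the thread's output.
TESTPARM_DC='Load smb config files from /etc/samba/smb.conf
Server role: ROLE_ACTIVE_DIRECTORY_DC'
ID_STALE='uid=1014(A1\marcio.merlone) gid=100(users) groups=100(users),512(A1\domain admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)'
ID_FRESH='uid=30214(A1\test.account) gid=100(users) groups=100(users),3000203(A1\test),3000008(BUILTIN\users)'

# Demo run: the stale case prints the restart command, the fresh case "ok".
membership_check "$TESTPARM_DC" "$ID_STALE" 'A1\test' || true
membership_check "$TESTPARM_DC" "$ID_FRESH" 'A1\test'
```

On a live system replace the sample variables with `testparm -s 2>/dev/null` and `id "$user"`, and confirm the directory side first with `samba-tool group listmembers "$group"` so a restart is only issued when AD already has the membership and only the cached view is behind.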
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba