Re: [Samba] group membership inconsistency on AD domain member

"net cache samlogon delete" helped me solve the problem; I didn't know about this command before.

matthias

On 01.02.19 at 18:00, Matthias Leopold wrote:
Hi,

I've been running a samba server with winbind (CentOS 7) as a member of an AD Domain (Windows 2012 R2) for several months without a problem. "Suddenly" I'm seeing the problem that the membership in newly created AD groups isn't correctly visible for some users on the samba server or only after some indefinite amount of time. I'm looking simply at the output of the 'id' command. This information is always consistent with the output of 'wbinfo -r', so I don't think it's a NSS problem. The "funny" thing is that this doesn't apply to all of the members of the newly created group, only for some of them.

On the DC I checked the affected users with the powershell command "get-aduser $username -Properties memberof | select -expand memberof", everything is correct.

In my experience the problem goes away after some time (a couple of hours) for some users, again not all of them. I fiddled with some winbind options in smb.conf, restarted winbind a couple of times, used "net cache flush", none of these changed anything. I didn't restart the AD or smbd though. Can anybody give me a hint?

thx
matthias

Example (I temporarily set "winbind expand groups = 1" to use "getent group", but this doesn't affect the problem):

# getent group 'FOOBAR\testgroup'
FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
1

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
0


smb.conf:

[global]
         load printers = No
         log file = /var/log/samba/log.smbd
         realm = FOOBAR.DOMAIN.TLD
         security = ADS
         unix extensions = No
         workgroup = FOOBAR
         idmap config foobar : range = 10000-999999
         idmap config foobar : backend = rid
         idmap config * : range = 3000-7999
         idmap config * : backend = tdb
         map acl inherit = Yes
         store dos attributes = Yes
         strict sync = No


[exampleshare]
         browseable = No
         path = /srv/samba01/lv01/exampleshare
         read only = No
         vfs objects = acl_xattr

--
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 /Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
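The thread's diagnosis is that winbind's cached samlogon data lags behind the DC, so `wbinfo -r` and `id` disagree with what `Get-ADUser ... memberof` shows. The script below is an added example (not from the thread or from the Samba project) that turns that comparison into a check: it takes the group SIDs the DC reports for a user, converts each to the Unix GID that the `idmap config foobar : backend = rid` setting from the posted smb.conf would assign (the idmap_rid mapping is `gid = RID + low end of the range`, here 10000), and lists the GIDs that are absent from the `wbinfo -r` output. The SIDs and wbinfo output in `sample_check` are constructed for the demonstration; `live_check` assumes you have exported the DC's group SIDs for the user into a file yourself (for example from `Get-ADGroup` on the memberof entries) and that `wbinfo` is installed on the member server.

```shell
#!/bin/sh
# Added example: detect groups the DC assigns to a user that winbind on the
# domain member does not report, i.e. the stale-cache symptom from the thread.

IDMAP_RANGE_LOW=10000   # low end of "idmap config foobar : range = 10000-999999"

# rid_to_gid SID
# Prints the Unix GID the rid idmap backend assigns to a domain SID:
# the RID is the last SID component, and gid = RID + IDMAP_RANGE_LOW.
rid_to_gid() {
    rid=${1##*-}
    echo $((IDMAP_RANGE_LOW + rid))
}

# missing_gids EXPECTED_SID_FILE WBINFO_OUTPUT_FILE
# EXPECTED_SID_FILE: one group SID per line, as taken from the DC.
# WBINFO_OUTPUT_FILE: output of "wbinfo -r USER", one GID per line.
# Prints every expected GID that winbind did not return.
missing_gids() {
    expected=$1
    actual=$2
    while read -r sid; do
        [ -n "$sid" ] || continue
        gid=$(rid_to_gid "$sid")
        grep -qx "$gid" "$actual" || echo "$gid"
    done < "$expected"
}

# sample_check
# Runs the comparison on constructed data: the DC says the user is in
# "Domain Users" (RID 513 -> gid 10513) and in a new group with RID 3688
# (-> gid 13688, the GID seen in the thread), but winbind only returns 10513.
sample_check() {
    sids=$(mktemp)
    wbout=$(mktemp)
    cat > "$sids" <<'EOF'
S-1-5-21-1111111111-2222222222-3333333333-513
S-1-5-21-1111111111-2222222222-3333333333-3688
EOF
    cat > "$wbout" <<'EOF'
10513
EOF
    missing_gids "$sids" "$wbout"
    rm -f "$sids" "$wbout"
}

# live_check USER SID_FILE
# Same comparison against the real winbind on this host (assumes wbinfo is
# installed and SID_FILE was exported from the DC for USER beforehand).
live_check() {
    user=$1
    sidfile=$2
    wbout=$(mktemp)
    wbinfo -r "$user" > "$wbout" || { rm -f "$wbout"; return 1; }
    missing_gids "$sidfile" "$wbout"
    rm -f "$wbout"
}

sample_check   # prints 13688: the new group the member server does not see yet
```

A non-empty result from `live_check` for a user whose DC-side memberof is correct points at the member server's cached samlogon data rather than at NSS or the DC, which is exactly the situation in which the `net cache samlogon delete` step that resolved this thread applies; repeating the check afterwards confirms the cache entry was the cause.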
