[Samba] Group membership not updating on one DC only
Matthias Kühne | Ellerhold AG
matthias.kuehne at ellerhold.de
Wed Feb 24 09:36:48 UTC 2021
Hello,
I just asked the user to ssh into DC1. And lo and behold, after that he
has the correct groups.
I let him connect to a fileserver via SMB and it updated the groups
correctly too. Yay
So it seems like the cache (on a Domain Member and on a DC) only gets
updated if the user connects to it. net cache flush doesn't seem to do
anything here. Winbind Offline Logon is enabled. Is this the / a problem?
Is there any command I could run to update the groups without asking the
user to login to the machine?
On 24.02.21 at 10:13, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
>
> it seems like the group membership isn't updating anymore for a certain
> user in a specific DC. We're using Debian Buster with samba
> 4.13.4+dfsg-0.1buster2.
>
> We have (atm) 3 DCs in their own AD-Sites: the first DC is in the
> default site ("Default-First-Site-Name"), the second DC and third are in
> their own sites. Each of them should be responsible for their IP ranges.
>
> I've just changed the group membership of a user via MS ADUC (connected
> to DC-2). It didn't replicate to DC-1: 'net cache flush && groups
> DOMAIN\\user.name' shows all groups on DC2 and DC3, but on DC1, 2 groups
> are missing.
>
> Steps I tried without any changes:
>
> * Waiting until the next morning (~ 12 hours)
> * Restarting all DCs one at a time
> * net cache flush (with or without restarting samba-ad-dc)
> * Moved all DCs to the default AD-Site
> * samba-tool dbcheck --cross-ncs --fix --yes on all 3 DCs
> * samba-tool drs replicate --full-sync --sync-forced DC1 DC2 DC=...
> * Transferring all FSMO from DC1 to DC2, demoting DC1, apt remove
> --purge samba on DC1 and a complete reinstall with rejoining
>
> Even after all of this: the groups of user.name are still the old
> values! DC2 and DC3 show the new membership info.
>
> Some more things I've tried:
>
> * wbinfo -g shows all Groups correctly
> * getent group shows all groups correctly (if winbind enum groups is
> set to Yes)
> * samba-tool drs uptodateness shows all zeros (and 5 different
> "Unknown invocation ID XYZ" error messages spammed about)
> * samba-tool visualize uptodateness -r shows all green zeros (same
> error message as above)
> * samba-tool drs kcc is successful on all 3 DCs
> * samba-tool drs showrepl
> o Shows 0 consecutive failures
> o But all outbound connections on DC1 also show "Last attempt @
> NTTIME(0) was successful" ... this means that no sync has been
> done - right?
> o Inbound connections on DC properly show an up2date time+date
> * samba-tool ldapcmp ldap://DC2 ldap://DC1
> o Result for [DOMAIN]: SUCCESS (all other partitions are a success
> too)
> o But in [DOMAIN] 7 users are shown as:
> + LdbError for dn CN=MEIN TESSTNAME,...: (32, 'LDAP error 32
> LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving
> instanceType for base. at
> ../../source4/dsdb/samdb/ldb_modules/acl_read.c:939> <>')
> + The user is named "Mein Teßtname" in ADUC...
> + Is this a problem?
> + The user with the missing groups has no ß in his name though...
>
> Does anybody have an idea what's wrong here? What do I need to do to
> debug it further?
>
> Thanks in advance!
>
--
Matthias Kühne
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe
Dresden District Court / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
----------------
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
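As an added example (not code from the thread or from Samba), the following parses the `samba-tool drs showrepl` layout quoted above and lists neighbours whose last attempt failed, whose failure counter is non-zero, or whose last success is the unset NTTIME(0); the sample output is constructed. Whether an NTTIME(0) outbound entry is itself a fault is the question the mail raises; this only surfaces such entries so they can be compared across DCs.

```python
from dataclasses import dataclass

# Constructed sample laid out like 'samba-tool drs showrepl' prints it (not the thread's real data).
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ Wed Feb 24 09:00:00 2021 CET was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Feb 24 09:00:00 2021 CET
==== OUTBOUND NEIGHBORS ====
DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\t\tLast success @ NTTIME(0)
"""

@dataclass
class Neighbour:
    direction: str          # "INBOUND" or "OUTBOUND"
    nc: str                 # naming context DN
    peer: str               # "Site\\Server via RPC"
    ok: bool = True         # last attempt "was successful" rather than "failed, result ..."
    failures: int = 0
    last_success: str = ""  # "NTTIME(0)" when no success has ever been recorded

def parse_showrepl(text):
    out, section, nc = [], None, None
    for line in text.splitlines():
        body = line.strip()
        if line.startswith("===="):                    # section header
            section = line.split()[1] if "NEIGHBORS" in line else None
        elif section is None or not body:
            continue
        elif not line.startswith("\t"):                # naming context DN
            nc = body
        elif not line.startswith("\t\t"):              # "Site\Server via RPC" starts a neighbour
            out.append(Neighbour(section, nc, body))
        elif body.startswith("Last attempt @ "):
            out[-1].ok = body.endswith("was successful")
        elif body.endswith("consecutive failure(s)."):
            out[-1].failures = int(body.split()[0])
        elif body.startswith("Last success @ "):
            out[-1].last_success = body[len("Last success @ "):]
    return out

def needs_attention(neighbours):
    return [n for n in neighbours if not n.ok or n.failures or n.last_success == "NTTIME(0)"]
```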