[Samba] 3.6 member to 2008 AD, winbind integration, users sometimes lose group membership

Denis Cardon denis.cardon at tranquil-it-systems.fr
Thu Feb 20 04:30:50 MST 2014


Hi Jason,

> We've had linux fileservers in our org for a long time and this roughly
> coincided with version 3.6.
>
> Our linux member servers are winbound, filesystems are ext2+ with acl
> support and permissions assigned to AD groups via setfacl.
>
> At any given time, out of all the users that use the fileshares daily
> there are about 1-2 that get "access denied" by the client os (win xp, 7
> and 8).
>
> I can log into the linux host, su into the denied account, and verify
> that it is denied locally too, so the issue is not with smb share, but
> with winbind/ad/filesystem acl.
>
> id and getent will show that the group membership of the denied user is
> "missing" some groups, namely the ones that are needed to access the
> directory in question.  After checking with other accounts it seems like
> samba loses group enumeration more commonly.  Only by luck are the bulk
> of users successfully able to access the files they need to.
>
> Upon further examination, it seems as though it is random; 100 servers
> with the same exact config file (save for server name) will all do
> groups correctly except for one.  After a month, it will change and
> another server will misbehave while the first will "fix" itself.

We had a similar issue on a fresh wheezy install a few months ago (samba 
3.6.6 with winbind as member server of an MS 2k8r2 AD). We encountered 
the exact same symptoms as you do, random nsswitch issues with group 
membership. What stunned me is that we have the same setup at other clients 
and never had issues...

Since I was clueless on the root cause of the problem, I started an 
upgrade to see if it would solve the issue. Since 3.6 will go to 
maintenance in the near future, we did an upgrade directly to samba 
4.1.4 as member server compiled from source.

Everything is doing fine since then. Unfortunately I didn't have time to 
look deeper into the root cause of the problem. We have many other 
similar setups that run fine, why this one and only this one loses 
group membership I still don't know.

Hope this helps,

Denis

>
> Is this the correct forum to ask for help ?  If not, where can I go ?
>
> Thanks all,
> Jason Harris
>
>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr


