[Samba] User accounts not getting complete group membership (getent group / groups mismatch)
Bruce Cran
bruce.cran at gmail.com
Fri May 16 12:35:39 MDT 2014
We recently added a new LDAP/AD group to our domain, but have found that
only some accounts on a Linux (Ubuntu 12.04.4, Samba 3.6.3) machine are
getting the membership: "getent group <groupname>" shows them as being in
the group, but "groups <username>" doesn't. I've tried restarting winbindd
with the "-n" option to bypass caching, and deleting the winbindd_idmap.tdb
and winbindd_cache.tdb files, but nothing seems to be working. The logs
don't have any errors in them; I tried increasing the log level to 3, but I
don't know how to interpret it: all I noticed is that it seems to pause at
a certain user, but there aren't any different messages so I don't know if
it's just waiting for the polling interval to expire?

The smb.conf file contains:

[global]
security = ads
realm = A.COMPANY.COM
password server = ad.a.company.com
# note that workgroup is the 'short' domain name
workgroup = COMPANY
# winbind separator = +
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2
winbind refresh tickets = yes
--
Bruce