[Samba] ADUC - "UNIX Attributes" tab - "Unwilling To Perform"

Rowland Penny rowlandpenny241155 at gmail.com
Sat Oct 24 08:53:05 UTC 2015


On 23/10/15 23:51, Jonathan Hunter wrote:
> Hi,
>
> I am sure I have come across this before but have previously either
> ignored it or somehow worked around it. However it has come up again
> and this time I will try to find out what's going on, hopefully we can
> fix whatever the issue is.
>
> I have a Samba 4.2.2 domain that generally works fine; I have rfc2307
> enabled so that I can keep UIDs/GIDs consistent across machines whilst
> still being able to log into my DC using a domain account.
>
> Just now I created two groups using ADUC from a Windows 7 client. For
> both of these groups I went to the "UNIX Attributes" tab, selected my
> single NIS Domain from the drop-down list, and accepted the
> auto-incremented GID value suggested.
>
> However, the first group works fine and the second one does not. When
> I re-open the Properties screen of the second group in ADUC and click
> on the "UNIX Attributes" tab, I get a pop-up dialog box entitled "UNIX
> Attributes", with the simple message "Unwilling To Perform". This
> second group does not appear in a "$ getent group newgroupname2" query
> on my DC, whereas the first group has no errors in ADUC, and does
> appear in a "$ getent group newgroupname1" command.
>
> I have tried the following with no success
> - Restarting the Windows 7 client VM
> - Restarting samba4 on this DC (not on all DCs)
> - Deleting newgroup2 and re-creating it as above
>
> Still exactly the same behaviour.
>
> There is nothing I can see in any of my samba logs; but then again I
> don't have anything special turned on in terms of debugging at the
> moment.
>
> What can I check next?
>
> I think this could be the same issue as
> https://lists.samba.org/archive/samba/2013-November/176815.html
> but it seems there wasn't really a resolution to that one...
>
> Thanks :)
>
> Jonathan
>

Is there something strange in the groupname?

Have you tried examining the group's object in AD and comparing it with
the one that does work? This, run on the DC, will get the object for you:

  ldbsearch -H /usr/local/samba/private/sam.ldb \
    -b 'dc=samdom,dc=example,dc=com' \
    '(&(objectclass=group)(samaccountname=groupname))'

Rowland
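
The comparison suggested above, sketched as an added example that is not part of the original message: it lists attributes present on one group object but not the other. The function names are hypothetical and the LDIF is constructed sample data; the sam.ldb path and base DN are the ones from the command above.

```sh
#!/bin/sh
# Added example: which attributes does one group object have that the other lacks?
SAM_LDB=/usr/local/samba/private/sam.ldb     # path from the message above
BASE_DN='dc=samdom,dc=example,dc=com'        # base DN from the message above

# Fetch one group as LDIF. Run on the DC; not called in the demo below.
# The name is placed in the filter verbatim, so pass plain group names only.
fetch_group() {
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" \
        "(&(objectclass=group)(samaccountname=$1))"
}

# LDIF on stdin -> sorted, unique attribute names.
# Skips comments ("# record 1"), blank lines and folded continuation lines.
attr_names() {
    awk '/^#/ || /^$/ || /^ / { next } { sub(/:.*/, ""); print }' |
        LC_ALL=C sort -u
}

# $1 = LDIF of the working group, $2 = LDIF of the failing group.
compare_groups() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | attr_names > "$a"
    printf '%s\n' "$2" | attr_names > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/only in working: /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/only in failing: /'
    rm -f "$a" "$b"
}

# Constructed sample LDIF (not output from the poster's domain).
WORKING_LDIF='# record 1
dn: CN=newgroupname1,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
cn: newgroupname1
sAMAccountName: newgroupname1
msSFU30NisDomain: samdom
msSFU30Name: newgroupname1
gidNumber: 10001'

FAILING_LDIF='# record 1
dn: CN=newgroupname2,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
cn: newgroupname2
sAMAccountName: newgroupname2
msSFU30NisDomain: samdom'

compare_groups "$WORKING_LDIF" "$FAILING_LDIF"
```

On a DC, the same comparison against live objects would be compare_groups "$(fetch_group newgroupname1)" "$(fetch_group newgroupname2)".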


