[Samba] ADUC - "UNIX Attributes" tab - "Unwilling To Perform"

Rowland Penny rowlandpenny241155 at gmail.com
Sat Oct 24 17:57:11 UTC 2015


On 24/10/15 18:18, Jonathan Hunter wrote:
> Thanks Rowland - appreciated.
>
> I have checked the ldbsearch result and both groups look to be pretty
> much exactly the same to me, one of them is shown below (I have
> sanitised some of the output, replacing parts with 123/a/b/c, but the
> rest of the output is byte for byte as seen)
>
> In the time between posting my original message and checking again
> just now, however, I have the following additional observations:
>
> - 'getent group newgroupname2' *does* now work, whereas it definitely
> did not last night. I don't know if there is normally a time delay
> between creating a new group and it becoming visible to UNIX? The
> first group appeared immediately; the second one (created seconds
> after the first) definitely didn't. Last night I also checked the
> other DCs (using ADUC) and they all had both groups visible.

It might be an idea to check if replication is working; it should be
fairly quick, seconds not minutes.

>
> I've just checked my samba config and I am using "server services =
> -dns +winbind -winbindd" on this DC, together with sssd for user/group
> resolution on my DC (and bind9 for DNS).. so perhaps any time delay
> could be explained by something inside sssd (I must try clearing the
> cache if this happens again) - I'm willing to believe that is the case
> there. However, this would not have any effect on ADUC.

Does the group line in /etc/nsswitch look like this: 'group compat
winbind' or 'group compat sss' (compat could be files)? If it is the
latter, then your getent problem isn't a Samba problem.

>
>
> - ADUC now gives me this same 'Unwilling To Perform' error whenever I
> open the UNIX attributes of *any* group, now. Last night I'm fairly
> sure that I only experienced the error when looking at the new group.
> This error comes up in ADUC whenever I look at the 'UNIX Attributes'
> tab of a group with a NIS Domain and GID defined. If I look at a group
> that does not have a NIS domain set, there is no error shown. I have
> restarted the Windows client (no difference) but not the Samba server
> this time.

The ADUC error is fairly common and it usually does work, it just says
it doesn't.

>
>
> So, I am no longer as sure as I was, where to look next :( As I
> previously said, I have had this error before (pretty sure on multiple
> client VMs) but it has somehow "gone away" by itself in the past. I'd
> like to get to the bottom of it whilst it's happening though, if I
> can.
>
> Fully patched Windows 7 VM client running ADUC; Samba 4.2.2 built from
> source and installed on CentOS 6.6 x64.
>
> Group 1 looks like this:
>
> # ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'dc=b-bbbbbb,dc=bbbbb,dc=bbb,dc=bb'
> '(&(objectclass=group)(samaccountname=123-aaa-aaaaa-a*))'
> # record 1
> dn: CN=123-aaa-aaaaa-AA,OU=123,DC=b-bbbbbb,DC=bbbbb,DC=bbb,DC=bb
> objectClass: top
> objectClass: group
> instanceType: 4
> whenCreated: 20151023220054.0Z
> uSNCreated: 38590
> objectGUID: cf305e6b-d3cd-4108-bb06-09b7d0479d90
> objectSid: S-1-5-21-ccccccccc-cccccccccc-cccccccccc-2642
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=b-bbbbbb,DC=bbbbb,DC=bb
>   b,DC=bb
> sAMAccountName: 123-aaa-aaaaa-AA
> cn: 123-aaa-aaaaa-AA
> name: 123-aaa-aaaaa-AA
> description: description of group-AA
> msSFU30NisDomain: B-BBBBBB
> gidNumber: 10055
> msSFU30Name: 123-aaa-aaaaa-AA
> member: CN=My User,OU=Users,OU=123,DC=b-bbbbbb,DC=bbbbb,DC=bbb,DC=bb
> whenChanged: 20151023230917.0Z
> uSNChanged: 38619
> distinguishedName: CN=123-aaa-aaaaa-AA,OU=123,DC=b-bbbbbb,DC=bbbbb,DC=bbb,DC=b
>   b
>
> # record 2
> (pretty much the same; some attributes were returned in a different
> order, and the GUID/SID are different of course)
>
>
>

There doesn't seem to be anything wrong with the ldif.

Rowland
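
For comparing two group records by something stricter than eye, as was done with the ldbsearch output in the message above, this added example (not part of the original thread and not Samba code) unfolds wrapped LDIF lines and diffs two records regardless of attribute order. The names `parse_records`, `diff_records` and `IGNORE` are hypothetical, the contents of `IGNORE` are an assumption about which attributes always differ between two groups, and the sample records are constructed.

```python
# Added example: SAMPLE is constructed data; IGNORE is an assumed list of
# attributes that differ between any two distinct groups.
IGNORE = {"dn", "distinguishedname", "cn", "name", "samaccountname",
          "mssfu30name", "objectguid", "objectsid", "gidnumber",
          "whencreated", "whenchanged", "usncreated", "usnchanged"}

def parse_records(text):
    """Parse ldbsearch output into a list of {attribute: set(values)} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):      # skip "# record N" comments
            attr, sep, value = line.partition(":")
            if sep:                         # "attr:: x" is base64, kept encoded
                current.setdefault(attr.lower(), set()).add(value.lstrip(":").strip())
    return records

def diff_records(a, b, ignore=IGNORE):
    """Return {attr: (values_a, values_b)} for attributes whose value sets differ."""
    return {attr: (sorted(a.get(attr, ())), sorted(b.get(attr, ())))
            for attr in sorted((set(a) | set(b)) - set(ignore))
            if a.get(attr, set()) != b.get(attr, set())}

SAMPLE = """\
# record 1
dn: CN=group-one,OU=Example,DC=example,DC=test
objectClass: top
objectClass: group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=exam
 ple,DC=test
description: first group
msSFU30NisDomain: EXAMPLE

# record 2
dn: CN=group-two,OU=Example,DC=example,DC=test
msSFU30NisDomain: EXAMPLE
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: group
objectClass: top
"""
```

Calling `diff_records(*parse_records(SAMPLE))` on the constructed sample reports only `description`, since the folded `objectCategory` line and the reordered `objectClass` values compare equal.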