[Samba] AD Group lost from Winbind

Rowland Penny rpenny at samba.org
Fri Feb 12 08:54:46 UTC 2016


On 12/02/16 08:20, L.P.H. van Belle wrote:
> Ok, I'm having this:
>
> DC's Debian Wheezy 7.9, sernet samba 4.2.8
>
> Member servers.
> Debian Jessie samba 4.1.17 ( fileserver )
> Debian Jessie samba 4.2.7 ( print server ) This one isn't updated yet with
> latest updates.
>
> The following packages have been kept back:
>   samba sernet-samba sernet-samba-client sernet-samba-common
>   sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
> The following packages will be upgraded:
>   krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3
>   libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0
>   libtiff5
>
> on this one all id's are still correct.
>
> Thanks, Daniel Müller, for your addition..
>
> This is really a big problem.. what happened here in the samba code?
> I've looked at the change log, but can't see any related to this.
>
> So if anyone DEVS ? know what happened here in the samba code. As far
> as I now know I have to. Re-assign all my uid / gids on all users /
> groups, with other id's, omg what a hell... And fix all idmaps on all
> servers.. pff. ... really no other fix ?
>
> There goes my weekend...
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>> Sent: Friday 12 February 2016 9:06
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] AD Group lost from Winbind
>>
>> my os is debian 8.3
>>
>> winbind and samba are in version 4.1.17
>>
>>
>>> On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>
>>> Ok, same problem as I'm having..
>>>
>>> What is your os running?
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
>>>> Sent: Friday 12 February 2016 8:56
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] AD Group lost from Winbind
>>>>
>>>> Hello,
>>>>
>>>> the last two days I have problems with my AD group which is
>>>> defined in share setting valid users
>>>>
>>>> Winbind seems to lose the mapping of this group and so no user can
>>>> connect to this share anymore.
>>>>
>>>> When I restart the winbind service the mapping works again until the
>>>> mapping is lost again.
>>>>
>>>>
>>>> ls -lsa shows me in issue this:
>>>>
>>>> 2      4 drwxr-x---  63 root               12001 4096 Feb  4 23:42 Share
>>>>
>>>> After restarting winbind:
>>>>
>>>> 2      4 drwxr-x---  63 root               group_intern 4096 Feb  4 23:42 Share
>>>>
>>>>
>>>> My smb.conf looks like
>>>>
>>>> [global]
>>>>     netbios name = MEMBER1
>>>>     security = ADS
>>>>     workgroup = HQ
>>>>     realm = hq.internal
>>>>
>>>>     log file = /var/log/samba/%m.log
>>>>     log level = 1
>>>>
>>>>     dedicated keytab file = /etc/krb5.keytab
>>>>     kerberos method = secrets and keytab
>>>>     winbind refresh tickets = yes
>>>>
>>>>     winbind trusted domains only = no
>>>>     winbind use default domain = yes
>>>>     winbind enum users  = yes
>>>>     winbind enum groups = yes
>>>>     winbind cache time = 300
>>>>
>>>>
>>>>     idmap config *:backend = tdb
>>>>     idmap config *:range = 500-9999
>>>>
>>>>     # idmap config for domain HQ
>>>>     idmap config HQ:backend = ad
>>>>     idmap config HQ:schema_mode = rfc2307
>>>>     idmap config HQ:range = 10000-99999
>>>>
>>>>     # Use settings from AD for login shell and home directory
>>>>     winbind nss info = rfc2307
>>>>
>>>> [Share]
>>>>     path = /data/share
>>>>     browseable = yes
>>>>     writeable = yes
>>>>     force group = Group_Intern
>>>>     valid users = @Group_Intern
>>>>     create mask = 0660
>>>>     directory mask = 0770
>>>>     #oplocks = 0
>>>>     vfs objects = full_audit recycle
>>>>     full_audit:prefix = %u
>>>>     full_audit:success = mkdir rename rmdir unlink pwrite
>>>>     full_audit:failure = none
>>>>     full_audit:facility = LOCAL5
>>>>     full_audit:priority = NOTICE
>>>>     recycle:versions = yes
>>>>     recycle:exclude = .*, ~*
>>>>
>>>>
>>>> Anyone has an idea for this problem?
>>>>
>>>>
>>>> Regards
>>>> Oliver
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba

Well, I did say that I could never get the lines you add to smb.conf on 
a DC to work :-)

Let's see if I understand the situation correctly.

Users & groups have been given a uidNumber or gidNumber attribute.

You are now getting different results on different DCs.
You used to get the same results and all that has changed is the version 
of Samba.

If the above is correct, I think you need to log a bug report. It might 
help if you can supply a level 10 log from asking for 'getent group 
Domain\ Users' on both DCs.

Rowland
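
Added example, not part of the original thread: once `getent group` output has been captured on each DC, the "different results on different DCs" check can be scripted as below. The function names, file names and sample gids are constructed for illustration; only `group_intern` and gid 12001 appear in the thread.

```shell
#!/bin/sh
# Compare `getent group` output captured on two DCs and report every group
# whose numeric gid differs, or that resolves on only one of them.
# Capture on each DC with:  getent group > dcN.txt
# Input lines use the getent format:  name:passwd:gid:members

compare_getent_groups() {
    # $1 = capture from the first DC, $2 = capture from the second DC
    awk -F: '
        FILENAME == ARGV[1] { gid[$1] = $3; next }   # first file: name -> gid
        {
            seen[$1] = 1
            if (!($1 in gid))
                printf "ONLY_SECOND %s gid=%s\n", $1, $3
            else if (gid[$1] != $3)
                printf "MISMATCH %s first=%s second=%s\n", $1, gid[$1], $3
        }
        END {
            for (g in gid)
                if (!(g in seen)) printf "ONLY_FIRST %s gid=%s\n", g, gid[g]
        }
    ' "$1" "$2" | sort
}

# Constructed sample captures (not real output from the thread).
demo_compare() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/dc1.txt" <<'EOF'
HQ\domain users:x:10000:
HQ\group_intern:x:12001:
HQ\domain admins:x:10002:
EOF
    cat > "$tmp/dc2.txt" <<'EOF'
HQ\domain users:x:3000015:
HQ\group_intern:x:12001:
EOF
    compare_getent_groups "$tmp/dc1.txt" "$tmp/dc2.txt"
    rm -rf "$tmp"
}

demo_compare
```

Groups that print nothing resolved to the same gid on both DCs; any MISMATCH or ONLY_* line names a group worth attaching to the bug report alongside the level 10 log.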



