[Samba] Samba 4 with sssd - primary Windows group membership not honored

Joseph Dickson jdickson at evolvetsi.com
Wed Mar 23 15:32:06 UTC 2016


I am working with Samba 4 as a domain member fileserver (not a domain
controller, just a normal ads member fileserver).  Operating system is
Centos 7.  SSSD is configured and pulling information correctly.

I had to work around a bug that wasn't fixed in a released version, so I am
using a recent copy from git.. smbd -V:
Version 4.5.0pre1-GIT-c06058a

I'm relying on Windows ACLs for access control.  Many of my ACLs reference
the Domain Users group.  What I'm seeing is that if a user has "Domain
Users" as their primary group (which is common here) that the "Domain
Users" group doesn't show up in their list of SIDs.  If a different group
is primary for that user, then "Domain Users" will show up in the SID list
and Samba will allow access properly (though the new primary group won't
work correctly)

Is there some magic somewhere that I'm missing with how Samba 4 treats the
primary windows group?  It's definitely hard to keep straight which parts
of the system are responsible for SID mapping and management once you add
in winbind and sssd..

Any pointers would be very appreciated.  If there is any debug output that
I can provide, I would be happy to..



*Joseph Dickson*
Director of IT Systems, Evolve Tele-Services, Inc.

More information about the samba mailing list