[Samba] Samba 4 with sssd - primary Windows group membership not honored

Rowland penny rpenny at samba.org
Wed Mar 23 15:53:48 UTC 2016

See inline comments

On 23/03/16 15:32, Joseph Dickson wrote:
> Greetings!
> I am working with Samba 4 as a domain member fileserver (not a domain
> controller, just a normal ads member fileserver).  Operating system is
> Centos 7.  SSSD is configured and pulling information correctly.
> I had to work around a bug that wasn't fixed in a released version, so I am
> using a recent copy from git.. smbd -V:
> Version 4.5.0pre1-GIT-c06058a
> I'm relying on Windows ACLs for access control.  Many of my ACLs reference
> the Domain Users group.  What I'm seeing is that if a user has "Domain
> Users" as their primary group (which is common here)

As standard, every domain user's primary group is 'Domain Users'

>   that the "Domain
> Users" group doesn't show up in their list of SIDs.

Again, as standard, no user shows as being a member of 'Domain Users'

>    If a different group
> is primary for that user, then "Domain Users" will show up in the SID list
> and Samba will allow access properly (though the new primary group won't
> work correctly)

To change a user's primary group is a bit like jumping through hoops, you 
have to add the user to the group that you want to be the new primary 
group, then change the primaryGroupID attribute to contain the RID of 
the new group and then finally add the user to the 'Domain Users' group. 
If I were you, I wouldn't bother, as AD expects every user's primary 
group to be 'Domain Users'.

> Is there some magic somewhere that I'm missing with how Samba 4 treats the
> primary windows group?  It's definitely hard to keep straight which parts
> of the system are responsible for SID mapping and management once you add
> in winbind and sssd..

You shouldn't really be using winbind and sssd together, select one and 
then remove the other.

> Any pointers would be very appreciated.  If there is any debug output that
> I can provide, I would be happy to..

If you decide to stick with sssd, then I would suggest you will get more 
and better help from the sssd users mailing list, but if you decide to 
use winbind instead, then this is the place to ask.
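The behaviour discussed in this thread, as an added example that is not code from the thread, from Samba or from sssd: a user's primary group is carried only by the primaryGroupID attribute (a bare RID), not by memberOf, so a lookup that builds the group SID list from memberOf alone silently drops 'Domain Users' for every user who keeps the default primary group, and an ACE granting 'Domain Users' then never matches. The snippet rebuilds the primary group SID from the user's own SID plus primaryGroupID and merges it with the memberOf groups. All SIDs, DNs and account names below are constructed sample data.

```python
"""Added example (not from the thread, Samba or sssd): derive a user's complete
group SID set from primaryGroupID plus memberOf, and show what an ACE check
sees with and without the primary group. All values are constructed samples."""

# Well-known RID of 'Domain Users', the default primary group in AD
DOMAIN_USERS_RID = 513

# Constructed sample domain and directory contents
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP_SID_BY_DN = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}",
    "CN=Finance,OU=Groups,DC=example,DC=com": f"{DOMAIN_SID}-1105",
}
# alice keeps the default primary group; memberOf lists only Finance
ALICE = {
    "objectSid": f"{DOMAIN_SID}-1001",
    "primaryGroupID": 513,
    "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"],
}
# bob's primary group was switched to Finance and he was then added to
# 'Domain Users' explicitly, following the steps in the reply above
BOB = {
    "objectSid": f"{DOMAIN_SID}-1002",
    "primaryGroupID": 1105,
    "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
}


def domain_sid_of(sid):
    """Return the domain SID of an account SID (everything but the final RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:-1])


def primary_group_sid(user):
    """primaryGroupID stores only a RID; rebuild the group's full SID from it."""
    return f"{domain_sid_of(user['objectSid'])}-{int(user['primaryGroupID'])}"


def sids_from_member_of(user, group_sid_by_dn=GROUP_SID_BY_DN):
    """Group SIDs visible through memberOf alone (the incomplete view)."""
    return {group_sid_by_dn[dn] for dn in user.get("memberOf", [])}


def effective_group_sids(user, group_sid_by_dn=GROUP_SID_BY_DN):
    """What a correct token must carry: memberOf groups plus the primary group."""
    sids = sids_from_member_of(user, group_sid_by_dn)
    sids.add(primary_group_sid(user))
    return sids


def ace_matches(ace_sid, token_sids):
    """An ACE granting a group applies only when that group's SID is in the token."""
    return ace_sid in token_sids


if __name__ == "__main__":
    domain_users = f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"
    for name, user in (("alice", ALICE), ("bob", BOB)):
        partial = sids_from_member_of(user)
        full = effective_group_sids(user)
        print(f"{name}: Domain Users ACE matches via memberOf only: "
              f"{ace_matches(domain_users, partial)}; "
              f"with primary group added: {ace_matches(domain_users, full)}")
```

Run as written it prints that alice's 'Domain Users' ACE only matches once the primary group is folded in, while bob matches either way because 'Domain Users' is now an explicit membership for him; the same check is a quick way to confirm whether an identity source on a member server is returning the primary group at all.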
