[Samba] Samba 4 with sssd - primary Windows group membership not honored

Harry Jede walk2sun at arcor.de
Thu Mar 24 11:46:00 UTC 2016

Hi Joe,

> Greetings!
> I am working with Samba 4 as a domain member fileserver (not a domain
> controller, just a normal ads member fileserver).  Operating system
> is Centos 7.  SSSD is configured and pulling information correctly.
> I had to work around a bug that wasn't fixed in a released version,
> so I am using a recent copy from git.. smbd -V:
> Version 4.5.0pre1-GIT-c06058a
> I'm relying on Windows ACLs for access control.  Many of my ACLs
> reference the Domain Users group.  What I'm seeing is that if a user
> has "Domain Users" as their primary group (which is common here)
> that the "Domain Users" group doesn't show up in their list of SIDs.
>  If a different group is primary for that user, then "Domain Users"
> will show up in the SID list and Samba will allow access properly
> (though the new primary group won't work correctly)
> Is there some magic somewhere that I'm missing with how Samba 4
> treats the primary windows group?
No, I believe the magic you are searching for is nss.

There is one group which is defined two times; the name of this group is 
users. The nss stops searching if a definition is found.

You may have 3 possibilities:

1) change the order in /etc/nsswitch.conf
   *Not recommended*

2) rename/delete users in /etc/group
   *Not really recommended* but will work

3) use another group name for users in AD and map Domain Users
   to this group; choose a gid other than 100

> It's definitely hard to keep
> straight which parts of the system are responsible for SID mapping
> and management once you add in winbind and sssd..
> Any pointers would be very appreciated.  If there is any debug output
> that I can provide, I would be happy to..
> Thanks!
> Joe
> --
> *Joseph Dickson*
> Director of IT Systems, Evolve Tele-Services, Inc.


	Harry Jede
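The first-match behaviour Harry describes can be checked on a member server before touching nsswitch.conf or /etc/group. The script below is an added example, not code from this thread or from Samba/SSSD: it reads the group lookup order from an nsswitch.conf file, lists group names that exist both in the local group file and in a dump of the directory source (what `getent -s sss group` would return), and reports which source answers a lookup for each colliding name. All file contents are constructed samples; the source names `files` and `sss` match the SSSD setup Joe describes, and the AD gids are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). It shows why a local
# "users" group (gid 100) shadows an AD group of the same name: nsswitch
# consults the listed sources in order and stops at the first hit.
# Every file written below is a constructed sample, not data from a real host.

# Lookup order for the group database, as listed in an nsswitch.conf file.
group_lookup_order() {
    awk '$1 == "group:" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Group names defined in both the local group file and the directory dump.
# Output: "name local_gid directory_gid", one collision per line.
find_group_collisions() {
    awk -F: '
        FNR == NR { local_gid[$1] = $3; next }            # first file: /etc/group
        ($1 in local_gid) { print $1, local_gid[$1], $3 } # second file: directory
    ' "$1" "$2"
}

# Name of the source that wins a lookup for one group, given the order.
# Assumes "files" is the local group file and any other source is the directory.
winning_source() {
    order=$1; local_file=$2; dir_file=$3; name=$4
    for src in $order; do
        case $src in
            files) grep -q "^$name:" "$local_file" && { echo files; return 0; } ;;
            *)     grep -q "^$name:" "$dir_file"   && { echo "$src"; return 0; } ;;
        esac
    done
    echo none
}

# Constructed sample data.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
users:x:100:
wheel:x:10:joe
EOF
# Shape of a `getent -s sss group` dump where Domain Users maps to the name "users".
cat > "$SAMPLE_DIR/group.sss" <<'EOF'
users:*:10513:joe,alice
domain admins:*:10512:alice
EOF

order=$(group_lookup_order "$SAMPLE_DIR/nsswitch.conf")
echo "group lookup order: $order"
find_group_collisions "$SAMPLE_DIR/group" "$SAMPLE_DIR/group.sss" |
    while read -r name lgid dgid; do
        echo "collision: '$name' is gid $lgid locally and gid $dgid in the directory;" \
             "lookups resolve to: $(winning_source "$order" "$SAMPLE_DIR/group" "$SAMPLE_DIR/group.sss" "$name")"
    done
```

Run against a real host by pointing the three arguments at /etc/nsswitch.conf, /etc/group and the output of `getent -s sss group` (or `-s winbind`). A collision where `files` wins is exactly the case in the thread: the AD group's SID never reaches smbd because NSS answered from /etc/group first.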
