[Samba] Samba no longer honoring secondary groups!

Jeremy Allison jra at samba.org
Thu May 5 22:51:51 UTC 2016

On Mon, May 02, 2016 at 01:01:07PM +0200, Roland Schwingel wrote:
> Hi...
> Out of sudden our samba file servers are no longer honoring
> secondary group membership.
> I appears that the fileservers are no longer seeing groups.
> When I do a 'net -U <domUser> rpc group list' on the PDC everything
> is fine. I can see all groups. When I do this on the fileservers I
> do not
> receive anything.
> We operate samba 4.3.9 both as classic PDC (for a couple of reason
> we cannot switch to AD) and as fileserver (domain members). Upgraded
> them
> today due to the problems from 4.3.x to 4.3.9. All machines are
> running solely smbd/nmbd no winbind.
> Today morning the fileservers which are joined domain members
> (security=DOMAIN) are denying write access to folders for users
> which
> are members of secondary groups. Writing with primary membership is
> working. It is NOT a linux problem. When working directly on linux
> (directly on the machine or via NFS) all is ok.
> Operating on shares served by a domaincontroller (added some for
> testing) secondary groups are working.
> Any ideas what could be wrong and how to fix it?

Debug level 10 logs showing the details inside the auth
are needed. Contrast with logs from an earlier version
that worked.

More information about the samba mailing list