[Samba] AD Group update lag / cache, firewall related?

Rowland Penny rpenny at samba.org
Fri Aug 25 17:28:33 UTC 2017


On Fri, 25 Aug 2017 17:03:11 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> # wbinfo -n working-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 69153
> 
> # wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 136399
> 
> The OS can use that group:-
> 
> # chgrp problem-group test.txt 
> # ls -asl test.txt 
> 0 -rw-r--r-- 1 root problem-group 0 Aug 25 17:55 test.txt
> #
> 
> It's not a case that the group is unavailable... it is that the users
> group membership is incomplete:-
> 
> server02:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
> 119
> 
> server01:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
> 155
> 
> I must admit that I expected that upgrading from Samba 3.6 to 4.6
> would resolve this, but it did not!... and since a similarly
> configured server which is on the same LAN as the AD controller does
> not have this issue... while these servers are firewalled from the AD
> controller... I'm led to believe that some of the needed chatter
> between the AD controller and the server is blocked... but I'm
> slightly at a loss to find out what.
> 

For port usage, see here:

https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

It is just the same as a Windows DC.

The lack of group membership might not be a real problem; it may just
be a lack of displaying group membership.

Try creating a file in a share, chown it to
'someotheruser:problemgroup' with permissions set to 0770, then see if
your user can open, change and save the file.

Rowland
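The quoted membership check only counts how many of the GIDs from `wbinfo -r` resolve through `getent group`. The script below is an added example (not code from the thread or from Samba) that lists exactly which GIDs fail to resolve and emits a sorted name:gid list that can be diffed between two member servers such as server01 and server02. It assumes an optional GETENT_CMD override hook so it can run offline against constructed data; leave it unset on a real member server.

```shell
#!/bin/sh
# Added example, not code from the thread. Resolve one GID to its
# group entry; prints nothing if the lookup fails. GETENT_CMD is an
# assumed override hook (a function or command taking a GID) used only
# for offline runs against constructed data.
resolve_gid() {
    if [ -n "$GETENT_CMD" ]; then
        "$GETENT_CMD" "$1"
    else
        getent group "$1"
    fi
}

# Read GIDs on stdin (the output of `wbinfo -r USER`) and print the
# ones that do not resolve, one per line.
unresolved_gids() {
    while read -r gid; do
        [ -n "$gid" ] || continue
        [ -n "$(resolve_gid "$gid")" ] || echo "$gid"
    done
}

# Read GIDs on stdin and print "name:gid" for every resolvable group,
# sorted, so the output from two servers can be compared with diff(1).
resolved_groups() {
    while read -r gid; do
        [ -n "$gid" ] || continue
        resolve_gid "$gid" | awk -F: '{print $1 ":" $3}'
    done | sort
}

# --- constructed sample data so the script runs without winbind ---
SAMPLE_WBINFO='10000
10001
10002
10003'
# Simulated group database: GID 10002 is deliberately absent.
SAMPLE_GROUPS='domain users:x:10000:
working-group:x:10001:
problem-group:x:10003:'
fake_getent() {
    printf '%s\n' "$SAMPLE_GROUPS" | awk -F: -v g="$1" '$3 == g'
}

# Offline demonstration. On a real member server run instead:
#   wbinfo -r joeuser | unresolved_gids
GETENT_CMD=fake_getent
printf '%s\n' "$SAMPLE_WBINFO" | unresolved_gids   # prints 10002
```

Run `wbinfo -r joeuser | resolved_groups > groups.$(hostname)` on both servers and diff the two files to see which groups the firewalled server is missing.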


