[Samba] AD Group update lag / cache, firewall related?
Rowland Penny
rpenny at samba.org
Fri Aug 25 17:28:33 UTC 2017
On Fri, 25 Aug 2017 17:03:11 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:
> # wbinfo -n working-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 69153
>
> # wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}'
> 136399
>
> The OS can use that group:-
>
> # chgrp problem-group test.txt
> # ls -asl test.txt
> 0 -rw-r--r-- 1 root problem-group 0 Aug 25 17:55 test.txt
> #
>
> It's not a case that the group is unavailable... it is that the user's
> group membership is incomplete:-
>
> server02:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
> 119
>
> server01:/tmp # for i in `wbinfo -r joeuser`; do getent group $i; done | wc -l
> 155
>
> I must admit that I expected that upgrading from Samba 3.6 to 4.6
> would resolve this, but it did not!... and since a similarly
> configured server which is on the same LAN as the AD controller does
> not have this issue... while these servers are firewalled from the AD
> controller... I'm led to believe that some of the needed chatter
> between the AD controller and the server is blocked... but I'm
> slightly at a loss to find out what.
>
For port usage, see here:
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
It is just the same as a Windows DC.
The lack of group membership might not be a real problem, it may just
be a lack of displaying group membership.
Try creating a file in a share, chown it to
'someotheruser:problemgroup' with permissions set to 0770, now see if
your user can open, change and save the file.
Rowland
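
An added example, not part of the original thread: the quoted `wbinfo -r joeuser | getent group` loop only yields a count, so this script separates the two ways the count can drop, namely gids winbind never returned on the problem host versus gids it returned that do not resolve to a group. The function names, the `.gids` file names and the `RESOLVER` variable are assumptions of this example; each input file is `wbinfo -r joeuser` output saved on one host.

```shell
#!/bin/sh
# Added example (not from the thread): report WHICH gids differ, not only counts.
# Prepare the inputs on each host, e.g.:  wbinfo -r joeuser > server01.gids
# Each file holds one gid per line.

# Command that resolves a gid to a group entry. Overridable so the logic can be
# exercised offline with a stub (assumption of this example).
RESOLVER="${RESOLVER:-getent group}"

# Print gids present in file $1 (reference host) but absent from file $2
# (problem host): memberships winbind never returned on the problem host.
missing_gids() {
    awk 'NF == 0 { next }
         FILENAME == ARGV[1] { have[$1] = 1; next }
         !($1 in have) && !seen[$1]++ { print $1 }' "$2" "$1"
}

# Print gids from file $1 that cannot be resolved to a group entry: winbind
# returned the membership, but the lookup of the group itself failed.
unresolved_gids() {
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r gid || [ -n "$gid" ]; do
        [ -n "$gid" ] || continue
        $RESOLVER "$gid" >/dev/null 2>&1 || echo "$gid"
    done < "$1"
}

# Usage: compare_hosts reference.gids problem.gids
compare_hosts() {
    echo "== gids returned on the reference host but missing from $2 =="
    missing_gids "$1" "$2"
    echo "== gids in $2 that do not resolve to a group =="
    unresolved_gids "$2"
}

# Run the comparison only when two files are given on the command line.
if [ "$#" -eq 2 ]; then
    compare_hosts "$1" "$2"
fi
```

Run the unresolved check on the problem host itself, since `getent group` answers from that host's own winbind and NSS configuration.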