[Samba] winbind inconsistent group membership
Arthur Ramsey
arthur_ramsey at mediture.com
Tue Oct 10 17:54:11 UTC 2017
I have 4 Samba 4.7.0 DCs. I have 3 clients using samba-winbind.x86_64
0:4.6.2-11.el7_4 with an identical configuration, which produce
inconsistent user group membership for multiple users. I've tried using
all 4 DCs explicitly (e.g., realm = dc01.mediture.dom), net cache flush
and restarting winbind. I've also tested cloning a user and setting up
the user as identical as possible: the cloned user showed the correct
membership but not the original. The ldapcmp tool finds no relevant
differences between DCs.
I've had this issue through multiple versions of Samba on each side,
which I believe includes winbind from samba 3.
Client config:
[global]
#--authconfig--start-line--
workgroup = MEDITURE
password server = dc01.mediture.dom vsc-dc02.mediture.dom aws-dc01.mediture.dom epo-dc01.mediture.dom
realm = MEDITURE.DOM
security = ads
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
#--authconfig--end-line--
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
passdb backend = tdbsam
winbind cache time = 900
winbind refresh tickets = yes
winbind offline logon = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
kerberos method = secrets and keytab
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
idmap config MEDITURE: backend = ad
idmap config MEDITURE: range = 10000-49999
idmap config MEDITURE: schema mode = rfc2307
DC config:
[global]
log level = 1 auth_audit:3
workgroup = MEDITURE
realm = MEDITURE.DOM
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
template homedir = /home/%U
template shell = /bin/bash
server string = Samba Server Version %v
server max protocol = SMB3
# allow trusted domains = no
ldap server require strong auth = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
# idmap config *: backend = tdb
# idmap config *: range = 90000001-100000000
# idmap config MEDITURE: backend = ad
# idmap config MEDITURE: range = 10000-49999
# idmap config MEDITURE: schema mode = rfc2307
kccsrv:samba_kcc = false
[netlogon]
path = /usr/local/samba/var/locks/sysvol/mediture.dom/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[deploy]
path = /usr/local/samba/var/deploy
read only = No
Example:
[root@appdb03 ~]# wbinfo -r mikes
10513
11143
10516
11162
90000002
[root@qa503 ~]# wbinfo -r mikes
10513
90000002
[root@great02 ~]# wbinfo -r mikes
10513
90000002
Thanks,
Arthur
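A diagnostic script, added here and not part of Arthur's post or of the Samba project, that compares the three `wbinfo -r mikes` lists quoted above and classifies each GID by the idmap range from the quoted client smb.conf. The two ranges (10000-49999 for the MEDITURE `ad` backend, 90000001-100000000 for the `*` tdb backend) and the host names are taken from the post; the `live_groups` helper, which collects the same lists over ssh, is an assumption about how one would gather them and is not exercised by the embedded sample.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or the Samba project).
# Compares the GID lists that `wbinfo -r USER` printed on several hosts and
# classifies each GID by the idmap range from the quoted client smb.conf:
#   idmap config MEDITURE: backend = ad,  range = 10000-49999        (gidNumber from AD)
#   idmap config *:        backend = tdb, range = 90000001-100000000 (allocated locally)
# Both ranges are assumptions taken from that config; the sample lists at the
# bottom are the three outputs quoted in the post.

AD_LO=10000;         AD_HI=49999
DEFAULT_LO=90000001; DEFAULT_HI=100000000

# classify_gid GID -> prints ad | default | unmapped
classify_gid() {
    if [ "$1" -ge "$AD_LO" ] && [ "$1" -le "$AD_HI" ]; then
        echo ad
    elif [ "$1" -ge "$DEFAULT_LO" ] && [ "$1" -le "$DEFAULT_HI" ]; then
        echo default
    else
        echo unmapped
    fi
}

# gids_missing "REF_LIST" "OTHER_LIST" -> GIDs in REF_LIST absent from OTHER_LIST,
# one per line. Lists are whitespace-separated, e.g. `wbinfo -r USER | tr '\n' ' '`.
gids_missing() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;          # present on the other host too
            *) echo "$g" ;;
        esac
    done
}

# count_missing "REF_LIST" "OTHER_LIST" -> number of GIDs REF has that OTHER lacks
count_missing() {
    gids_missing "$1" "$2" | wc -l | tr -d ' '
}

# compare_hosts REF_NAME "REF_LIST" OTHER_NAME "OTHER_LIST"
# Prints one line per GID that REF has and OTHER lacks, with its idmap class.
# A gap in the "ad" range is a real membership difference: with backend = ad
# the GID is the group's gidNumber, identical on every host. A gap in the
# "default" range proves nothing by number alone, because idmap_tdb hands out
# those IDs per host in order of first use, so resolve them to SIDs first.
compare_hosts() {
    for g in $(gids_missing "$2" "$4"); do
        cls=$(classify_gid "$g")
        if [ "$cls" = default ]; then
            echo "$1 has gid $g ($cls range, compare by SID not by number) missing on $3"
        else
            echo "$1 has gid $g ($cls range) missing on $3"
        fi
    done
}

# live_groups HOST USER -> the user's token GIDs on HOST, space separated, with
# default-range GIDs written as GID=SID so they are comparable across hosts.
# Assumed collection method (wbinfo over ssh); not run by the sample below.
live_groups() {
    ssh -n "$1" "wbinfo -r '$2'" | while read -r g; do
        if [ "$(classify_gid "$g")" = default ]; then
            printf '%s=%s ' "$g" "$(ssh -n "$1" "wbinfo --gid-to-sid=$g")"
        else
            printf '%s ' "$g"
        fi
    done
}

# Constructed sample: the three `wbinfo -r mikes` outputs quoted in the post.
APPDB03="10513 11143 10516 11162 90000002"
QA503="10513 90000002"
GREAT02="10513 90000002"

compare_hosts appdb03 "$APPDB03" qa503   "$QA503"
compare_hosts appdb03 "$APPDB03" great02 "$GREAT02"
compare_hosts qa503   "$QA503"   appdb03 "$APPDB03"
```

Run as-is it reports the three AD-range GIDs (11143, 10516, 11162) that appdb03 resolves for mikes and the other two hosts do not, and nothing in the reverse direction; the shared 90000002 is flagged as a `*`-range ID that should be checked with `wbinfo --gid-to-sid=` before treating it as the same group on every host.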