[Samba] winbind inconsistent group membership

Rowland Penny rpenny at samba.org
Tue Oct 10 18:20:33 UTC 2017


On Tue, 10 Oct 2017 12:54:11 -0500
Arthur Ramsey via samba <samba at lists.samba.org> wrote:

> I have 4 Samba 4.7.0 DCs.  I have 3 clients using
> samba-winbind.x86_64 0:4.6.2-11.el7_4 with an identical
> configuration, which produce inconsistent user group membership for
> multiple users.  I've tried using all 4 DCs explicitly (e.g., realm =
> dc01.mediture.dom), net cache flush and restarting winbind.  I've
> also tested cloning a user and setting up the user as identical as
> possible: the cloned user showed the correct membership but not the
> original.  The ldapcmp tool finds no relevant differences between
> DCs.
> 
> I've had this issue through multiple versions of Samba on each side, 
> which I believe includes winbind from samba 3.
> 

This is a known problem. If you go here:
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Samba_4.6.0

amongst the information is this:

winbind changes

winbind contains code that tries to emulate the group membership calculation that domain controllers do when a user logs in. This group membership calculation is a very complex process, in particular for domain trust relationship situations. Also, in many scenarios it is impossible for winbind to correctly do this calculation due to access restrictions in the domains: winbind using its machine account simply does not have the rights to ask for an arbitrary user's group memberships.

When a user logs in to a Samba server, the domain controller correctly calculates the user's group memberships authoritatively and makes the information available to the Samba server. This is the only reliable way Samba can get informed about the groups a user is a member of.

Because of its flakiness, the fallback group membership code is unwished, and our code paths try hard to only use the group memberships calculated by the domain controller.

However, a lot of admins rely on the fallback behavior in order to support access for nfs access, ssh public key authentication and passwordless sudo.

That's the reason for changing this back between 4.6.0rc4 and 4.6.0 (See BUG #12612).

The winbind change to simplify the calculation of supplementary groups to make it more reliable and predictable has been deferred to 4.7 or later.

This means that "id <username>" without the user having logged in
previously stops showing any supplementary groups. Also, it will show
"DOMAIN\Domain Users" as the primary group. Once the user has logged
in, "id <username>" will correctly show the primary group and
supplementary group list. 

Or to put it another way, you cannot rely on the user groups from
winbind.

Rowland
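
An added example, not part of the original message or of Samba: a Python sketch that takes `id <username>` output collected from several winbind clients and flags hosts whose result matches the pattern described above (only "Domain Users", no supplementary groups) or lacks groups that other clients report. The domain name EXAMPLE, the host names, IDs and group names are constructed sample data.

```python
import re

# One entry in `id` output looks like 10513(EXAMPLE\domain users); names may contain spaces.
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")
ID_LINE = re.compile(r"uid=(?P<uid>.*?)\s+gid=(?P<gid>.*?)(?:\s+groups=(?P<groups>.*))?$")

def parse_id(line):
    """Parse one line of `id <username>` output into (user, primary_group, all_groups)."""
    m = ID_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not id output: {line!r}")
    user = ENTRY.match(m["uid"]).group(2)
    primary = ENTRY.match(m["gid"]).group(2).lower()
    groups = {name.lower() for _, name in ENTRY.findall(m["groups"] or "")}
    return user, primary, groups | {primary}

def audit(id_by_host):
    """Compare one user's group list across hosts.

    "fallback" is a heuristic: the output shows only a "domain users" primary
    group, which is what the release note says to expect before the user has
    logged in. A user who really is only in Domain Users also matches.
    "missing" lists groups reported by some other host but not by this one.
    """
    parsed = {host: parse_id(line) for host, line in id_by_host.items()}
    union = set().union(*(groups for _, _, groups in parsed.values()))
    report = {}
    for host, (_, primary, groups) in parsed.items():
        report[host] = {
            "fallback": groups == {primary} and primary.endswith("\\domain users"),
            "missing": sorted(union - groups),
        }
    return report

# Constructed sample: the same user queried on three clients.
SAMPLE = {
    "client1": r"uid=11105(EXAMPLE\alice) gid=10513(EXAMPLE\domain users) "
               r"groups=10513(EXAMPLE\domain users),11120(EXAMPLE\linux admins),11121(EXAMPLE\nfs users)",
    "client2": r"uid=11105(EXAMPLE\alice) gid=10513(EXAMPLE\domain users) "
               r"groups=10513(EXAMPLE\domain users)",
    "client3": r"uid=11105(EXAMPLE\alice) gid=10513(EXAMPLE\domain users) "
               r"groups=10513(EXAMPLE\domain users),11121(EXAMPLE\nfs users)",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, result)
```

A host flagged here is one where sudo, NFS or ssh access rules keyed on group membership would be evaluated against an incomplete group list.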



