[Samba] Odd behavior on group membership

Marcio Vogel Merlone dos Santos marcio.merlone at a1.ind.br
Wed Nov 28 10:48:07 UTC 2018

Hi Rowland,

Those tests were made on DC (araucaria), not a domain member.

root at araucaria:~# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.

Press enter to see a dump of your service definitions

# Global parameters
         ldap server require strong auth = No
         log file = /var/log/samba/%m.log
         ntlm auth = ntlmv1-permitted
         passdb backend = samba_dsdb
         realm = AD.TLD
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
         template homedir = /home/usuarios/%U
         template shell = /bin/bash
         wins support = Yes
         workgroup = A1
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
         map archive = No
         map readonly = no
         store dos attributes = Yes
         vfs objects = dfs_samba4 acl_xattr

         path = /var/lib/samba/sysvol/ad.tld/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No
root at araucaria:~#

Em 27/11/2018 17:14, Rowland Penny via samba escreveu:
> On Tue, 27 Nov 2018 16:39:41 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>> Hi,
>> I have a samba 4.7 AD DC running on a Ubuntu 18.04 server with distro
>> packages. I update a user with a new group and this new membership is
>> not reflected on that user. On example below, I can successfully add
>> the user "test.account" to group "test", but not my user
>> "marcio.merlone":
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000008(BUILTIN\users)
>> root at araucaria:~# samba-tool group addmembers test test.account
>> Added members to group test
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000203(A1\test),3000008(BUILTIN\users)
>> User test.account was added successfully to group test. Although:
>> root at araucaria:~# samba-tool group addmembers test marcio.merlone
>> Added members to group test
>> root at araucaria:~# id marcio.merlone
>> uid=1014(A1\marcio.merlone) gid=100(users)
>> groups=100(users),512(A1\domain
>> admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
>> root at araucaria:~#
>> Group "test" does not show up. Also tried changing groups using ADUC
>> and LDAP Account Manager, no diff.
>> Those tests where made on DC for debugging purposes, but I need this
>> membership change reflected on a member server running squid proxy.
>> Tracked down to DC not working as expected also. Same happens when
>> removing a group membership.
>> Already tried net cache flush, winbind + smbd + nmbd restart,
>> removing tdb files from /var/lib, no luck.
>> Any thoughts?
> Is this on a Unix domain member ?
> gid=100(users) shows that this is probably on a DC and 'Domain Users'
> doesn't have a gidNumber (unless it is set to '100')
> 10012(BUILTIN\administrators) shows that 'administrators' does have a
> gidNumber
> 'winbind + smbd + nmbd restart' would suggest it is a Unix domain member

Oh, God, you are right, my bad. Should have restarted ad-dc.

*Marcio Merlone*

More information about the samba mailing list