[Samba] Odd behavior on group membership
Marcio Vogel Merlone dos Santos
marcio.merlone at a1.ind.br
Wed Nov 28 10:48:07 UTC 2018
Hi Rowland,
Those tests were made on DC (araucaria), not a domain member.
root at araucaria:~# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
ldap server require strong auth = No
log file = /var/log/samba/%m.log
ntlm auth = ntlmv1-permitted
passdb backend = samba_dsdb
realm = AD.TLD
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
template homedir = /home/usuarios/%U
template shell = /bin/bash
wins support = Yes
workgroup = A1
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/ad.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
root at araucaria:~#
On 27/11/2018 17:14, Rowland Penny via samba wrote:
> On Tue, 27 Nov 2018 16:39:41 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I have a samba 4.7 AD DC running on a Ubuntu 18.04 server with distro
>> packages. I update a user with a new group and this new membership is
>> not reflected on that user. In the example below, I can successfully add
>> the user "test.account" to group "test", but not my user
>> "marcio.merlone":
>>
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000008(BUILTIN\users)
>> root at araucaria:~# samba-tool group addmembers test test.account
>> Added members to group test
>> root at araucaria:~# id test.account
>> uid=30214(A1\test.account) gid=100(users)
>> groups=100(users),3000203(A1\test),3000008(BUILTIN\users)
>>
>> User test.account was added successfully to group test. Although:
>>
>> root at araucaria:~# samba-tool group addmembers test marcio.merlone
>> Added members to group test
>> root at araucaria:~# id marcio.merlone
>> uid=1014(A1\marcio.merlone) gid=100(users)
>> groups=100(users),512(A1\domain admins),3000008(BUILTIN\users),10012(BUILTIN\administrators)
>> root at araucaria:~#
>>
>> Group "test" does not show up. Also tried changing groups using ADUC
>> and LDAP Account Manager, no diff.
>>
>> Those tests were made on DC for debugging purposes, but I need this
>> membership change reflected on a member server running squid proxy.
>> Tracked down to DC not working as expected also. Same happens when
>> removing a group membership.
>>
>> Already tried net cache flush, winbind + smbd + nmbd restart,
>> removing tdb files from /var/lib, no luck.
>>
>> Any thoughts?
>>
> Is this on a Unix domain member ?
>
> gid=100(users) shows that this is probably on a DC and 'Domain Users'
> doesn't have a gidNumber (unless it is set to '100')
>
> 10012(BUILTIN\administrators) shows that 'administrators' does have a
> gidNumber
>
> 'winbind + smbd + nmbd restart' would suggest it is a Unix domain member
Oh, God, you are right, my bad. Should have restarted ad-dc.
--
*Marcio Merlone*
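The thread's diagnosis hinges on reading `id` output by hand: did the group appear after `samba-tool group addmembers`, and which gids come from an explicit gidNumber versus Samba's automatic idmap allocation (Rowland's point about 'Domain Users' lacking a gidNumber). The following is an added example, not code from the thread or from the Samba project, that parses `id` lines into a structure and answers those two questions. The sample lines are the ones quoted above, embedded as constructed input; the assumption that idmap.ldb allocates ids from 3000000 upward for objects without an RFC2307 uidNumber/gidNumber is mine, and the threshold is a constant you can adjust.

```python
import re
from typing import Dict, NamedTuple, Set, Tuple

# Constructed sample input: the `id` lines quoted in the thread (backslashes escaped for Python).
ID_BEFORE = ("uid=30214(A1\\test.account) gid=100(users) "
             "groups=100(users),3000008(BUILTIN\\users)")
ID_AFTER = ("uid=30214(A1\\test.account) gid=100(users) "
            "groups=100(users),3000203(A1\\test),3000008(BUILTIN\\users)")
ID_MARCIO = ("uid=1014(A1\\marcio.merlone) gid=100(users) "
             "groups=100(users),512(A1\\domain admins),3000008(BUILTIN\\users),"
             "10012(BUILTIN\\administrators)")

# Assumption: on a Samba AD DC, idmap.ldb hands out xids from this value upward to
# objects that have no explicit uidNumber/gidNumber attribute. Anything below it in
# the output therefore came from an RFC2307 attribute (or a well-known mapping).
IDMAP_AUTO_BASE = 3000000

# "uid=N(name) gid=N(name) groups=..." ; names may contain spaces ("A1\domain admins"),
# so the header is matched as a whole and the groups list is split by a second regex.
HEADER_RE = re.compile(r"^uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)$")
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


class IdInfo(NamedTuple):
    uid: int
    user: str
    gid: int
    groups: Dict[int, str]  # gid -> "DOMAIN\name" as printed by id


def parse_id_output(line: str) -> IdInfo:
    """Parse one line of `id <user>` output into an IdInfo."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an `id` line: %r" % line)
    groups = {int(gid): name for gid, name in ENTRY_RE.findall(m.group(5))}
    return IdInfo(int(m.group(1)), m.group(2), int(m.group(3)), groups)


def has_group(info: IdInfo, name: str) -> bool:
    """True if `name` matches a group either as printed ("A1\\test") or by its short name ("test")."""
    want = name.lower()
    for full in info.groups.values():
        short = full.split("\\", 1)[-1]
        if full.lower() == want or short.lower() == want:
            return True
    return False


def membership_diff(before: IdInfo, after: IdInfo) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) group names between two snapshots of the same user."""
    b, a = set(before.groups.values()), set(after.groups.values())
    return a - b, b - a


def auto_allocated(info: IdInfo) -> list:
    """Groups whose gid lies in the idmap auto-allocation range (no explicit gidNumber, per the assumption above)."""
    return sorted(name for gid, name in info.groups.items() if gid >= IDMAP_AUTO_BASE)


if __name__ == "__main__":
    before, after = parse_id_output(ID_BEFORE), parse_id_output(ID_AFTER)
    print("test.account gained:", membership_diff(before, after)[0])
    marcio = parse_id_output(ID_MARCIO)
    print("marcio.merlone in 'test':", has_group(marcio, "test"))
    print("auto-allocated gids for marcio.merlone:", auto_allocated(marcio))
```

Feeding the two `test.account` snapshots to `membership_diff` reports `A1\test` as added, while `has_group` on the `marcio.merlone` line confirms the change never showed up there, which is exactly the symptom the thread describes; `auto_allocated` separates the 3000008 `BUILTIN\users` entry from the gidNumber-backed 512 and 10012 ones, the distinction Rowland draws from the same output.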