[Samba] missing group affiliation on ad dc

Rowland Penny rpenny at samba.org
Mon Oct 8 15:42:29 UTC 2018


On Mon, 8 Oct 2018 17:08:05 +0200
basti mueller via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I've a strange problem. I migrated my NT4 PDC to an AD on my Debian
> stretch (samba version is 4.5.12).
> 
> The Domain Controller has some shares for my users. 
> 
> One user just told me he can't access the share...before the
> migration he was able to access the share btw! So I checked the ACLs
> of this share.
> 
> It's:
> root at server:~# getfacl /media/exampleshare
> # file: media/exampleshare
> # owner: EXAMPLE\134fileadmin
> # group: EXAMPLE\134mitarbeiter
> user::rwx
> group::---
> group:BUILTIN\134administrators:rwx
> group:EXAMPLE\134sharegroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:EXAMPLE\134sharegroup:rwx
> default:mask::rwx
> default:other::---
> 
> 
> After this I did a "groups exampleuser" on my domain controller:
> root at server:~# groups exampleuser
> exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop
> EXAMPLE\mitarbeiter 
> 
> but there is no "EXAMPLE\sharegroup"....so everything makes sense..

You cannot rely on the output of 'groups' etc unless the user has
logged in.

> 
> anyway.. if I do a "samba-tool group listmembers sharegroup" on my
> domain controller I see the user in this list! >.< If I just run RSAT
> Active Directory Users and Computers I see it too! The user is a member
> of the sharegroup.

Then the user is a member of 'sharegroup'. The samba-tool command
searches AD for 'memberOf' attributes containing the DN of the group
and then prints the samAccountName from the 'memberOf' attributes.

Rowland
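
The following is an added example, not part of the original messages or of Samba: it parses the getfacl output quoted above and applies the POSIX ACL access check to the group list that 'groups' printed, showing that the owning-group entry (group::---) matches and denies access unless 'sharegroup' is among the resolved groups. The function names (unescape, parse_acl, allowed) are hypothetical, and the sample data is constructed from the post (default: entries omitted, since they only affect newly created files).

```python
import re

# Constructed sample: the access ACL and 'groups' output quoted in the post above.
GETFACL = r"""# file: media/exampleshare
# owner: EXAMPLE\134fileadmin
# group: EXAMPLE\134mitarbeiter
user::rwx
group::---
group:BUILTIN\134administrators:rwx
group:EXAMPLE\134sharegroup:rwx
mask::rwx
other::---
"""
GROUPS_SEEN = ["EXAMPLE\\domain users", "EXAMPLE\\remotedesktop", "EXAMPLE\\mitarbeiter"]

def unescape(name):
    # getfacl prints special characters as octal escapes (\134 is a backslash)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name).lower()

def parse_acl(text):
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        header = re.match(r"# (owner|group): (.+)", line)
        if header:
            acl[header.group(1)] = unescape(header.group(2).strip())
        elif line.strip() and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.strip().split(":")[:3]
            acl["entries"].append((tag, unescape(qualifier), perms[:3]))
    return acl

def allowed(acl, user, groups, want="r"):
    """POSIX ACL access check: owner, named user, then group class, then other."""
    user, groups, ents = user.lower(), {g.lower() for g in groups}, acl["entries"]
    mask = next((p for t, q, p in ents if t == "mask"), "rwx")
    def ok(perms, masked=True):
        return all(c in perms and (c in mask or not masked) for c in want)
    for t, q, p in ents:  # getfacl lists user:: (the owner) before named users
        if t == "user" and (q or acl["owner"]) == user:
            return ok(p, masked=bool(q))
    # Owning group and named groups form one class: any matching entry that
    # grants the access wins; if some match but none grants, access is denied.
    matched = [p for t, q, p in ents if t == "group" and (q or acl["group"]) in groups]
    if matched:
        return any(ok(p) for p in matched)
    return ok(next(p for t, q, p in ents if t == "other"), masked=False)

ACL = parse_acl(GETFACL)
if __name__ == "__main__":
    print("as resolved on the DC:", allowed(ACL, "exampleuser", GROUPS_SEEN))
    print("with sharegroup:", allowed(ACL, "exampleuser", GROUPS_SEEN + ["EXAMPLE\\sharegroup"]))
```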




