[Samba] missing group affiliation on ad dc

basti.mueller31 at web.de
Mon Oct 8 16:31:40 UTC 2018


Hi Rowland,

>> Hi,
>>
>> I've a strange problem. I migrated my NT4 PDC to an AD on my Debian
>> stretch (samba version is 4.5.12).
>>
>> The Domain Controller has some shares for my users.
>>
>> One user just told me he can't access the share...before the
>> migration he was able to access the share btw! So I checked the ACLs
>> of this share.
>>
>> Its:
>> root@server:~# getfacl /media/exampleshare
>> # file: media/exampleshare
>> # owner: EXAMPLE\134fileadmin
>> # group: EXAMPLE\134mitarbeiter
>> user::rwx
>> group::---
>> group:BUILTIN\134administrators:rwx
>> group:EXAMPLE\134sharegroup:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::---
>> default:group:EXAMPLE\134sharegroup:rwx
>> default:mask::rwx
>> default:other::---
>>
>>
>> After this I did a "groups exampleuser" on my domain controller:
>> root@server:~# groups exampleuser
>> exampleuser : EXAMPLE\domain users EXAMPLE\remotedesktop
>> EXAMPLE\mitarbeiter
>>
>> but there is no "EXAMPLE\sharegroup"....so everything makes sense..

> You cannot rely on the output of 'groups' etc unless the user has
> logged in.
>>
>> anyway.. if I do a "samba-tool group listmembers sharegroup" on my
>> domain controller I see the user in this list! >.< If I just run RSAT
>> Active Directory User and Computers I see it too! The user is member
>> of the sharegroup.

> Then the user is a member of 'sharegroup', the samba-tool command
> searches AD for 'memberOf' attributes containing the DN of the group
> and then prints the samAccountName from the 'memberOf' attributes.

It seems like not, because the user can't access the nfs3-share because of permissions. Anything else I could check?
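
The ACL evaluation behind the denial described above, as an added example that is not part of the original post: it parses the getfacl output quoted in the thread (including the `\134` escapes) and applies the POSIX ACL check order to a set of resolved groups. The function names are hypothetical, and the group list is constructed from the `groups` output in the post.

```python
import re

# Constructed sample: the getfacl output quoted in the post (default: entries shortened).
GETFACL = r"""# file: media/exampleshare
# owner: EXAMPLE\134fileadmin
# group: EXAMPLE\134mitarbeiter
user::rwx
group::---
group:BUILTIN\134administrators:rwx
group:EXAMPLE\134sharegroup:rwx
mask::rwx
other::---
default:group:EXAMPLE\134sharegroup:rwx
"""
# Groups the DC resolved for exampleuser, taken from the 'groups' output in the post.
RESOLVED = [r"EXAMPLE\domain users", r"EXAMPLE\remotedesktop", r"EXAMPLE\mitarbeiter"]

def unescape(name):
    # getfacl prints special characters as octal escapes; \134 is a backslash
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name).lower()

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        header = re.match(r"# (owner|group): (.+)", line)
        if header:
            acl[header.group(1)] = unescape(header.group(2).strip())
        elif line.strip() and not line.startswith(("#", "default:")):
            tag, who, perms = line.split(":")[:3]
            acl["entries"].append((tag, unescape(who), perms[:3]))
    return acl

def check(acl, user, groups, want="rx"):
    """Return (granted, deciding entry) following the POSIX ACL check order."""
    user, groups = user.lower(), {g.lower() for g in groups}
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    masked = lambda p: "".join(c if c == m else "-" for c, m in zip(p, mask))
    has = lambda p: all(c in p for c in want)
    for tag, who, perms in entries:
        if tag == "user" and (who or acl["owner"]) == user:
            return has(masked(perms) if who else perms), f"user:{who}"  # owner is unmasked
    hits = [(masked(p), who or acl["group"]) for t, who, p in entries
            if t == "group" and (who or acl["group"]) in groups]
    for eff, name in hits:
        if has(eff):
            return True, f"group:{name}"
    if hits:  # a matching group that grants nothing ends the search; 'other' is skipped
        return False, f"group:{hits[0][1]}"
    return has(next((p for t, _, p in entries if t == "other"), "---")), "other"
```

With the groups the system actually resolved, the only matching entry is the owning group `EXAMPLE\mitarbeiter` with `---`, so the check fails until `EXAMPLE\sharegroup` appears in the resolved list.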


