[Samba] group membership inconsistency on AD domain member
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Fri Feb 1 17:00:51 UTC 2019
Hi,
I've been running a samba server with winbind (CentOS 7) as a member of
an AD Domain (Windows 2012 R2) for several months without a problem.
"Suddenly" I'm seeing the problem that the membership in newly created
AD groups isn't correctly visible for some users on the samba server or
only after some indefinite amount of time. I'm looking simply at the
output of the 'id' command. This information is always consistent with
the output of 'wbinfo -r', so I don't think it's a NSS problem. The
"funny" thing is that this doesn't apply to all of the members of the
newly created group, only for some of them.
On the DC I checked the affected users with the powershell command
"get-aduser $username -Properties memberof | select -expand memberof",
everything is correct.
In my experience the problem goes away after some time (a couple of
hours) for some users, again not all of them. I fiddled with some
winbind options in smb.conf, restarted winbind a couple of times, used
"net cache flush", none of these changed anything. I didn't restart the
AD or smbd though. Can anybody give me a hint?
thx
matthias
Example (I temporarily set "winbind expand groups = 1" to use "getent
group", but this doesn't affect the problem):
# getent group 'FOOBAR\testgroup'
FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01
# wbinfo -r 'FOOBAR\user01' | grep -c 13688
1
# wbinfo -r 'FOOBAR\user01' | grep -c 13688
0
smb.conf:
[global]
load printers = No
log file = /var/log/samba/log.smbd
realm = FOOBAR.DOMAIN.TLD
security = ADS
unix extensions = No
workgroup = FOOBAR
idmap config foobar : range = 10000-999999
idmap config foobar : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
strict sync = No
[exampleshare]
browseable = No
path = /srv/samba01/lv01/exampleshare
read only = No
vfs objects = acl_xattr
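The manual check above (getent group vs. wbinfo -r per member) is worth scripting, since the group list in a user's winbind token is what smbd uses for ACL decisions on shares such as [exampleshare]; a user whose token lacks a newly granted gid is denied access that AD already grants. The script below is an added example, not code from the original post or from the Samba project. It assumes winbind is running and, as in the post, "winbind expand groups" is at least 1 so getent lists the members; the function names and the CHECK_GROUP variable are the editor's own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or the Samba project): compare
# the members that `getent group` lists for an AD group with the gid list that
# `wbinfo -r` returns for each of those users, and report users whose winbind
# token lacks the group's gid. Assumes winbind is running and "winbind expand
# groups" >= 1. All function and variable names are the editor's own.

# gid_of_line GETENT_LINE: the gid field of a "group:x:gid:members" line.
gid_of_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# members_of_line GETENT_LINE: the member field, one user per output line
# (empty member field yields no lines).
members_of_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# report_missing GID: reads lines "user gid1 gid2 ..." on stdin (one per user)
# and prints every user whose gid list does not contain GID.
# Returns 0 if every user has the gid, 1 if at least one is missing it.
report_missing() {
    gid="$1"
    missing=0
    while read -r user gids; do
        [ -z "$user" ] && continue
        found=0
        for g in $gids; do
            if [ "$g" = "$gid" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            # printf, not echo: member names carry a backslash (DOMAIN\user)
            printf 'MISSING: %s does not have gid %s in wbinfo -r\n' "$user" "$gid"
            missing=1
        fi
    done
    return "$missing"
}

# token_gids USER: "USER gid1 gid2 ..." from a fresh `wbinfo -r` lookup.
token_gids() {
    printf '%s %s\n' "$1" "$(wbinfo -r "$1" | tr '\n' ' ')"
}

# check_group GROUP: run the whole comparison against the live winbind.
# Exit status: 0 consistent, 1 at least one member missing the gid, 2 no group.
check_group() {
    line=$(getent group "$1") || { printf 'no such group: %s\n' "$1" >&2; return 2; }
    gid=$(gid_of_line "$line")
    members_of_line "$line" | while read -r u; do token_gids "$u"; done | report_missing "$gid"
}

# Only touch the live system when a group is named in the environment, e.g.
#   CHECK_GROUP='FOOBAR\testgroup' sh check_group.sh
if [ -n "${CHECK_GROUP:-}" ]; then
    check_group "$CHECK_GROUP"
fi
```

Because the post shows wbinfo -r flipping between listing and not listing gid 13688 on consecutive calls, run the check several times in a row (for example in a loop with a short sleep) and treat any MISSING line as a real inconsistency rather than a one-off.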