[Samba] Fwd: group membership inconsistency on AD domain member

Matthias Leopold matthias.leopold at meduniwien.ac.at
Fri Feb 1 17:45:27 UTC 2019 

OK, I screwed it, please read the example as

# getent group 'FOOBAR\testgroup'
FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user02

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
1

# wbinfo -r 'FOOBAR\user02' | grep -c 13688
0


-------- Weitergeleitete Nachricht --------
Betreff: [Samba] group membership inconsistency on AD domain member
Datum: Fri, 1 Feb 2019 18:00:51 +0100
Von: Matthias Leopold via samba <samba at lists.samba.org>
Antwort an: Matthias Leopold <matthias.leopold at meduniwien.ac.at>
An: samba at lists.samba.org

Hi,

I've been running a samba server with winbind (CentOS 7) as a member of 
an AD Domain (Windows 2012 R2) for several months without a problem. 
"Suddenly" I'm seeing the problem that the membership in newly created 
AD groups isn't correctly visible for some users on the samba server or 
only after some indefinite amount of time. I'm looking simply at the 
output of the 'id' command. This information is always consistent with 
the output of 'wbinfo -r', so I don't think it's a NSS problem. The 
"funny" thing is that this doesn't apply to all of the members of the 
newly created group, only for some of them.

On the DC i checked the affected users with the powershell command 
"get-aduser $username -Properties memberof | select -expand memberof", 
everything is correct.

To my experience the problem goes away after some time (a couple of 
hours) for some users, again not all of them. I fiddled with some 
winbind options in smb.conf, restarted winbind a couple of times, used 
"net cache flush", none of these changed anything. I didn't restart the 
AD or smbd though. Can anybody give me a hint?

thx
matthias

Example (i temporarily set "winbind expand groups = 1" to use "getent 
group", but this doesn't affect the problem):

# getent group 'FOOBAR\testgroup'
FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
1

# wbinfo -r 'FOOBAR\user01' | grep -c 13688
0


smb.conf:

[global]
          load printers = No
          log file = /var/log/samba/log.smbd
          realm = FOOBAR.DOMAIN.TLD
          security = ADS
          unix extensions = No
          workgroup = FOOBAR
          idmap config foobar : range = 10000-999999
          idmap config foobar : backend = rid
          idmap config * : range = 3000-7999
          idmap config * : backend = tdb
          map acl inherit = Yes
          store dos attributes = Yes
          strict sync = No


[exampleshare]
          browseable = No
          path = /srv/samba01/lv01/exampleshare
          read only = No
          vfs objects = acl_xattr





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list