[Samba] group membership inconsistency on AD domain member

Matthias Leopold matthias.leopold at meduniwien.ac.at
Mon Feb 4 09:47:19 UTC 2019


"net cache samlogon delete" helped me solve the problem, i didn't know 
about this command before

matthias

On 01.02.19 at 18:00, Matthias Leopold wrote:
> Hi,
> 
> I've been running a samba server with winbind (CentOS 7) as a member of 
> an AD Domain (Windows 2012 R2) for several months without a problem. 
> "Suddenly" I'm seeing the problem that the membership in newly created 
> AD groups isn't correctly visible for some users on the samba server or 
> only after some indefinite amount of time. I'm looking simply at the 
> output of the 'id' command. This information is always consistent with 
> the output of 'wbinfo -r', so I don't think it's a NSS problem. The 
> "funny" thing is that this doesn't apply to all of the members of the 
> newly created group, only for some of them.
> 
> On the DC I checked the affected users with the PowerShell command 
> "get-aduser $username -Properties memberof | select -expand memberof", 
> everything is correct.
> 
> To my experience the problem goes away after some time (a couple of 
> hours) for some users, again not all of them. I fiddled with some 
> winbind options in smb.conf, restarted winbind a couple of times, used 
> "net cache flush", none of these changed anything. I didn't restart the 
> AD or smbd though. Can anybody give me a hint?
> 
> thx
> matthias
> 
> Example (I temporarily set "winbind expand groups = 1" to use "getent 
> group", but this doesn't affect the problem):
> 
> # getent group 'FOOBAR\testgroup'
> FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01
> 
> # wbinfo -r 'FOOBAR\user01' | grep -c 13688
> 1
> 
> # wbinfo -r 'FOOBAR\user01' | grep -c 13688
> 0
> 
> 
> smb.conf:
> 
> [global]
>          load printers = No
>          log file = /var/log/samba/log.smbd
>          realm = FOOBAR.DOMAIN.TLD
>          security = ADS
>          unix extensions = No
>          workgroup = FOOBAR
>          idmap config foobar : range = 10000-999999
>          idmap config foobar : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
>          map acl inherit = Yes
>          store dos attributes = Yes
>          strict sync = No
> 
> 
> [exampleshare]
>          browseable = No
>          path = /srv/samba01/lv01/exampleshare
>          read only = No
>          vfs objects = acl_xattr
> 

-- 
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 /Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
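A small consistency check for the symptom described in the thread, added here as an example and not part of the original mail: it compares the GID list NSS reports for a user (`id -G`) with the list winbind reports (`wbinfo -r`) and names the GIDs that differ, which is exactly the discrepancy that pointed to a stale samlogon cache. The comparison is a pure function over two space-separated GID strings, so it is exercised below with constructed data; `check_user` wires it to the real commands on a domain member, and the remediation line (SID lookup via `wbinfo -n`, argument form of `net cache samlogon delete`) is an assumption to verify against `net help cache`.

```shell
#!/bin/sh
# Added example (not from the original thread). Compares the NSS view of a
# user's groups with winbind's view and reports GIDs present in only one.

# gid_diff NSS_GIDS WB_GIDS
# Prints "missing_in_nss <gid>" for GIDs winbind knows but NSS lacks, and
# "missing_in_winbind <gid>" for the reverse. Prints nothing when consistent.
gid_diff() {
    nss_set=" $(printf '%s ' $1)"   # padded so " gid " matching is exact
    wb_set=" $(printf '%s ' $2)"
    result=""
    for g in $2; do
        case "$nss_set" in
            *" $g "*) ;;
            *) result="${result}missing_in_nss $g
" ;;
        esac
    done
    for g in $1; do
        case "$wb_set" in
            *" $g "*) ;;
            *) result="${result}missing_in_winbind $g
" ;;
        esac
    done
    printf '%s' "$result"
}

# check_user DOMAIN\user : run the comparison against the live system.
# Returns 1 when the two views disagree (the thread's symptom).
check_user() {
    diff_out=$(gid_diff "$(id -G "$1")" "$(wbinfo -r "$1")")
    [ -z "$diff_out" ] && return 0
    printf '%s: group view inconsistent\n%s' "$1" "$diff_out"
    # Remediation reported in the thread: drop the user's cached samlogon
    # entry so winbind re-reads membership from the DC. Argument form and the
    # SID lookup are assumptions; confirm with 'net help cache' first.
    # sid=$(wbinfo -n "$1" | cut -d' ' -f1); net cache samlogon delete "$sid"
    return 1
}

# Demo on constructed data mirroring the thread: NSS lacks GID 13688
# (the new group) while winbind already reports it.
gid_diff "10001 10005" "10001 10005 13688"
```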
