[Samba] group membership inconsistency on AD domain member
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Mon Feb 4 09:47:19 UTC 2019
"net cache samlogon delete" helped me solve the problem, I didn't know
about this command before
matthias
Am 01.02.19 um 18:00 schrieb Matthias Leopold:
> Hi,
>
> I've been running a samba server with winbind (CentOS 7) as a member of
> an AD Domain (Windows 2012 R2) for several months without a problem.
> "Suddenly" I'm seeing the problem that the membership in newly created
> AD groups isn't correctly visible for some users on the samba server or
> only after some indefinite amount of time. I'm looking simply at the
> output of the 'id' command. This information is always consistent with
> the output of 'wbinfo -r', so I don't think it's a NSS problem. The
> "funny" thing is that this doesn't apply to all of the members of the
> newly created group, only for some of them.
>
> On the DC I checked the affected users with the powershell command
> "get-aduser $username -Properties memberof | select -expand memberof",
> everything is correct.
>
> In my experience the problem goes away after some time (a couple of
> hours) for some users, again not all of them. I fiddled with some
> winbind options in smb.conf, restarted winbind a couple of times, used
> "net cache flush", none of these changed anything. I didn't restart the
> AD or smbd though. Can anybody give me a hint?
>
> thx
> matthias
>
> Example (I temporarily set "winbind expand groups = 1" to use "getent
> group", but this doesn't affect the problem):
>
> # getent group 'FOOBAR\testgroup'
> FOOBAR\testgroup:x:13688:FOOBAR\user01,FOOBAR\user01
>
> # wbinfo -r 'FOOBAR\user01' | grep -c 13688
> 1
>
> # wbinfo -r 'FOOBAR\user01' | grep -c 13688
> 0
>
>
> smb.conf:
>
> [global]
> load printers = No
> log file = /var/log/samba/log.smbd
> realm = FOOBAR.DOMAIN.TLD
> security = ADS
> unix extensions = No
> workgroup = FOOBAR
> idmap config foobar : range = 10000-999999
> idmap config foobar : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> strict sync = No
>
>
> [exampleshare]
> browseable = No
> path = /srv/samba01/lv01/exampleshare
> read only = No
> vfs objects = acl_xattr
>
--
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 /Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
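An added example, not from Matthias's post or from Samba itself: a small POSIX shell script that performs the comparison shown above (the member list from "getent group" versus the GIDs from "wbinfo -r") and, when the two disagree for a user, drops that user's samlogon cache entry the way the fix in this thread does. It assumes wbinfo and net are in PATH on a joined member server, that "winbind expand groups" is set so getent lists members, and that "net cache samlogon delete" takes the user's SID as its argument.

```shell
#!/bin/sh
# Added example, not from the original thread. Splits the check into a pure
# comparison (testable offline) and a live wrapper around wbinfo/net.
# Assumptions: the host is a joined member with wbinfo and net in PATH, and
# "net cache samlogon delete" takes the user's SID (verify on your version).

# Compare one user's membership in one group as getent and winbind see it.
# $1 user as printed by getent (FOOBAR\user01)  $2 GID of the group
# $3 the "getent group" line                     $4 GIDs from "wbinfo -r user"
# Prints: consistent | stale | not-a-member
classify_membership() {
    user=$1; gid=$2; getent_line=$3; wbinfo_gids=$4
    in_getent=no; in_wbinfo=no
    for m in $(printf '%s' "$getent_line" | cut -d: -f4 | tr ',' ' '); do
        [ "$m" = "$user" ] && in_getent=yes
    done
    for g in $wbinfo_gids; do
        [ "$g" = "$gid" ] && in_wbinfo=yes
    done
    case "$in_getent$in_wbinfo" in
        yesyes) echo consistent ;;
        nono)   echo not-a-member ;;
        *)      echo stale ;;       # the two views disagree, as in the thread
    esac
}

# Live check; on a stale verdict drop the user's samlogon cache entry, which
# "net cache flush" leaves untouched, and look again.
check_and_refresh() {
    user=$1; group=$2
    getent_line=$(getent group "$group") || { printf 'no such group: %s\n' "$group"; return 1; }
    gid=$(printf '%s' "$getent_line" | cut -d: -f3)
    verdict=$(classify_membership "$user" "$gid" "$getent_line" "$(wbinfo -r "$user")")
    printf '%s in %s (%s): %s\n' "$user" "$group" "$gid" "$verdict"
    if [ "$verdict" = stale ]; then
        sid=$(wbinfo -n "$user" | cut -d' ' -f1)   # first field of "wbinfo -n" is the SID
        net cache samlogon delete "$sid"
        verdict=$(classify_membership "$user" "$gid" "$getent_line" "$(wbinfo -r "$user")")
        printf 'after samlogon cache delete: %s\n' "$verdict"
    fi
}

# Usage: sh winbind_group_check.sh 'FOOBAR\user01' 'FOOBAR\testgroup'
if [ $# -eq 2 ]; then
    check_and_refresh "$1" "$2"
fi
```

Run it for each user the group is supposed to contain; a "stale" verdict that stays stale after the cache delete points away from the samlogon cache and toward idmap or the DC itself.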