[Samba] Samba with Winbind Doesn't See New AD Groups

Rowland penny rpenny at samba.org
Wed Oct 16 19:49:07 UTC 2019


On 16/10/2019 20:32, Ralph Boehme wrote:
> On 10/16/19 9:04 PM, Rowland penny via samba wrote:
>> On 16/10/2019 19:37, Ralph Boehme via samba wrote:
>>> On 10/16/19 8:10 PM, Bill Riner wrote:
>>>> I am logged in as root to one of the clustered Samba servers.
>>>> Normally when a group is added to AD, it shows up using
>>>>
>>>> # getent -s winbind group {group_name}
>>>>
>>>> In this case, the group Drug_Discovery_Team_Meetings exists in AD,
>>>> but I don’t see it using getent.
>>> re-login that user over SMB.
>>>
>>>
>>> -slow
>>>
>> I do not think that will help, ...
> if the user has logged in before over SMB, there will be a netsamlogon
> cache entry containing the user's groups as passed to us by a DC as part
> of the PAC. Samba will use this cached group info until the user logs in
> again (over SMB) which will tell us the updated groups from AD.
>
> -slow
>
It shouldn't matter if the user is logged in or not, 'getent' is asking 
AD about a group. If you add the group 'Drug_Discovery_Team_Meetings' to 
AD and use wbinfo to check if it is there, you should get something like 
this:

root@dc4:~# wbinfo -g | grep drug_discovery_team_meetings
SAMDOM\drug_discovery_team_meetings

If you now go to a Unix domain member, you should get the same result, 
but 'getent' producing output will depend on what winbind backend is in 
use. If the 'rid' backend is being used, then you should get output. If 
the 'ad' backend is being used, you may or you may not get output, it 
will depend on whether the group has been given a gidNumber attribute or 
not.

This is the output of getent run approx 30 seconds after the group was 
given a gidNumber:

rowland@devstation:~$ getent -s winbind group drug_discovery_team_meetings
drug_discovery_team_meetings:x:10020:

This is using the 'ad' backend and without anyone logging in (or out).

Rowland
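The backend-dependent behaviour Rowland describes (the 'rid' backend always maps a domain group to a gid, the 'ad' backend only when the group carries a gidNumber inside the configured range) can be modelled offline. The script below is an added example, not Samba's code and not from anyone in this thread; it assumes the mapping documented for idmap_rid (unix id = RID - base_rid + low end of the range) and for idmap_ad (the group's gidNumber attribute must fall inside the domain's range). The two smb.conf fragments and the SID are constructed for illustration.

```python
"""Predict whether `getent -s winbind group` will resolve an AD group on a
Samba domain member, given the idmap backend configured in smb.conf.

Added example (not Samba's own code). Assumptions, taken from the idmap_rid(8)
and idmap_ad(8) man pages:
  * 'rid' backend: gid = RID - base_rid + LOW_RANGE_ID, must land in the range
  * 'ad'  backend: the AD group needs a gidNumber attribute inside the range
"""
import re

# Constructed smb.conf fragments, not taken from the thread.
SMB_CONF_RID = """\
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

SMB_CONF_AD = """\
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r'^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)


def parse_idmap_config(text):
    """Collect 'idmap config DOMAIN : key = value' lines into a dict keyed
    by upper-cased domain name. 'range' becomes an (lo, hi) tuple."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == 'range':
            lo, hi = (int(x) for x in re.split(r'\s*-\s*', val))
            entry['range'] = (lo, hi)
        elif key == 'base_rid':
            entry['base_rid'] = int(val)
        else:
            entry[key] = val.lower()
    return cfg


def rid_from_sid(sid):
    """The RID is the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit('-', 1)[1])


def resolve_gid(cfg, domain, sid, gid_number=None):
    """Return (gid, reason). gid is None when getent would print nothing.
    gid_number is the group's AD gidNumber attribute, or None if unset."""
    dom = cfg.get(domain.upper()) or cfg.get('*')
    if dom is None or 'backend' not in dom or 'range' not in dom:
        return None, 'no usable idmap config for domain %s' % domain
    backend, (lo, hi) = dom['backend'], dom['range']
    if backend == 'rid':
        # Arithmetic mapping: every domain SID gets an id, no AD attribute needed.
        gid = rid_from_sid(sid) - dom.get('base_rid', 0) + lo
        if lo <= gid <= hi:
            return gid, 'rid backend: RID %d mapped arithmetically' % rid_from_sid(sid)
        return None, 'rid backend: computed gid %d outside range %d-%d' % (gid, lo, hi)
    if backend == 'ad':
        # Attribute-driven mapping: winbind reads gidNumber from AD.
        if gid_number is None:
            return None, 'ad backend: group has no gidNumber attribute'
        if lo <= gid_number <= hi:
            return gid_number, 'ad backend: gidNumber %d inside range' % gid_number
        return None, 'ad backend: gidNumber %d outside range %d-%d' % (gid_number, lo, hi)
    return None, 'backend %s not modelled here' % backend


if __name__ == '__main__':
    sid = 'S-1-5-21-111-222-333-1105'   # constructed group SID
    for label, text in (('rid', SMB_CONF_RID), ('ad', SMB_CONF_AD)):
        cfg = parse_idmap_config(text)
        for gidnum in (None, 10020):
            print(label, gidnum, resolve_gid(cfg, 'SAMDOM', sid, gidnum))
```

To run it against a real member server, feed parse_idmap_config the output of `testparm -s` rather than the embedded fragments; the point the model makes is the same one Rowland makes, that a missing group under the 'ad' backend is usually a missing (or out-of-range) gidNumber, not a login or cache problem.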