[Samba] Samba with Winbind Doesn't See New AD Groups

Ralph Boehme slow at samba.org
Thu Oct 17 08:29:13 UTC 2019

On 10/16/19 9:49 PM, Rowland penny via samba wrote:
> On 16/10/2019 20:32, Ralph Boehme wrote:
>> On 10/16/19 9:04 PM, Rowland penny via samba wrote:
>>> On 16/10/2019 19:37, Ralph Boehme via samba wrote:
>>>> On 10/16/19 8:10 PM, Bill Riner wrote:
>>>>> I am logged in as root to one of the clustered Samba servers.
>>>>> Normally when a group is added to AD, it shows up using
>>>>> # getent -s winbind group {group_name}
>>>>> In this case, the group Drug_Discovery_Team_Meetings exists in AD,
>>>>> but I don’t see it using getent.
>>>> re-login that user over SMB.
>>>> -slow
>>> I do not think that will help, ...
>> if the user has logged in before over SMB, there will be a netsamlogon
>> cache entry containing the user's groups as passed to us by a DC as part
>> of the PAC. Samba will use this cached group info until the user logs in
>> again (over SMB) which will tell us the updated groups from AD.
>> -slow
> It shouldn't matter if the user is logged in or not,

Correct. What matters is that if the user logged in *over SMB* in the
past, Samba will cache his group info.

> 'getent' is asking
> AD about a group. If you add the group 'Drug_Discovery_Team_Meetings' to
> AD and use wbinfo to check if it is there, you should get something like
> this:
> root at dc4:~# wbinfo -g | grep drug_discovery_team_meetings
> SAMDOM\drug_discovery_team_meetings

yes, you will see it with wbinfo -g, but you won't see it with `id USER`.

> If you now go to a Unix domain member, you should get the same result,

It depends: wbinfo -g: yes, id: no.

> but 'getent' producing output will depend on what winbind backend is in
> use.

This is of course also true.

> If the 'rid' backend is being used, then you should get output. If
> the 'ad' backend is being used, you may or you may not get output, it
> will depend on whether the group has been given a gidNumber attribute or
> not.

This is correct for the idmapping subsystem. But you seem not to be familiar
with the netsamlogon cache.

> This is the output of getent run approx 30 seconds after the group was
> given a gidNumber:
> rowland at devstation:~$ getent -s winbind group drug_discovery_team_meetings
> drug_discovery_team_meetings:x:10020:

Another example where you indeed see new groups without further
complication. But if you'd check a user who's been added to that group,
that user has logged in to the server before (over SMB), and you'd check
what id has to say for that user, you'll notice that the group will be

That's at least the current behaviour and probably is since quite a few
versions, but there have been changes in this area in the course of the
4.x series, so ymmv.

Let me know if you have further questions about the samlogon cache. Cf.
`net cache samlogon list` and especially `net cache samlogon ndrdump
SID` to see what's cached for a user.


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
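An added diagnostic script, not from the thread or the Samba project, that checks for the case Ralph describes: winbind already lists a group, but a user's `id` output (fed from the netsamlogon cache) does not. It assumes winbind is running on the member server with wbinfo, id and net on PATH, and uses the placeholder environment variables SAMBA_USER and SAMBA_GROUP to gate the live checks.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: check whether `id USER` lags behind
# winbind's view of AD groups because of the netsamlogon cache.
# Assumptions: winbind runs on this member server; wbinfo, id and net are on PATH.
# Live checks run only when SAMBA_USER and SAMBA_GROUP (placeholders) are set, e.g.
#   SAMBA_USER='SAMDOM\bill' SAMBA_GROUP='SAMDOM\Drug_Discovery_Team_Meetings' sh stale_groups.sh

# names_missing WANTED HAVE: print each name in WANTED (one per line) that does
# not appear in HAVE, comparing case-insensitively (winbind lowercases names,
# as in the getent output quoted in the thread).
names_missing() {
    have=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$have" | grep -Fqx -- "$g" || printf '%s\n' "$g"
    done
}

# cache_verdict MISSING: "fresh" when nothing is missing, "stale" otherwise.
cache_verdict() {
    if [ -z "$1" ]; then echo fresh; else echo stale; fi
}

if [ -n "${SAMBA_USER:-}" ] && [ -n "${SAMBA_GROUP:-}" ]; then
    # 1. Does winbind itself know the group? (the wbinfo -g check from the thread)
    if ! wbinfo -g | grep -Fqix -- "$SAMBA_GROUP"; then
        echo "winbind does not list $SAMBA_GROUP; check the idmap backend/gidNumber first"
        exit 2
    fi
    # 2. Does the user's NSS group list contain it? Once the user has logged in
    #    over SMB this list comes from the netsamlogon cache, not from a fresh query.
    id_groups=$(id -Gn "$SAMBA_USER" | tr ' ' '\n')
    missing=$(names_missing "$SAMBA_GROUP" "$id_groups")
    case $(cache_verdict "$missing") in
    fresh) echo "id already shows $SAMBA_GROUP for $SAMBA_USER" ;;
    stale)
        echo "id does not show $SAMBA_GROUP for $SAMBA_USER: likely a stale netsamlogon entry"
        sid=$(wbinfo -n "$SAMBA_USER" | awk '{print $1}')
        echo "inspect with: net cache samlogon list; net cache samlogon ndrdump $sid"
        echo "the entry is refreshed on the user's next SMB login"
        ;;
    esac
fi
```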