[Samba] Group issues on AD DC, membership does not work on some users
Oleg Blyahher
oleg.blyahher at bluetest.se
Wed Apr 22 09:51:38 UTC 2020
Hi everyone,
I'm running Samba 4.7.6 on Ubuntu 18.04.
I have an issue with adding users to groups with samba-tool, not really
sure where to look for more info. samba -i didn't show anything at all.
This is what I do:
samba-tool group add new-group
samba-tool group addmembers new-group my-user
If I run "id my-user" or "groups my-user", then the group new-group
does not appear there. It does, however, appear if I check in LDAP
(samba-tool user edit my-user).
This becomes a problem when I set ACLs in a domain-joined file share
server - users who are members of certain groups cannot access files and
folders belonging to the groups they are a part of.
I can also add that this server used to be a non-DC Samba server, and
that the GIDs go first between 1000-1027 (the oldest ones) and then
between 5888-6012.
The strange thing is that it only occurs with some users - most don't have
that issue at all. I've tried adding different types of users to
different groups, but couldn't really find any pattern. Many times the
domain-joined server gives a more accurate output of "id user" than
the DC - a user might be in a group, but the DC won't show it, while a
server joined to the DC actually will.
Here is my smb.conf:
[global]
    workgroup = company
    realm = INTERNAL.COMPANY.COM
    netbios name = dc
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200
    ntlm auth = mschapv2-and-ntlmv2-only
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
    tls enabled = yes
    tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
    tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
    tls cafile =
    interfaces = lo,ens3
    bind interfaces only = yes
    map to guest = Bad User
    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000
    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/internal.company.com/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
Any ideas are highly appreciated here. Thanks!
Oleg
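One way to narrow down which members are affected, as an added example that is not part of the original post: a small POSIX shell script that compares the membership recorded in the directory (what "samba-tool group listmembers" prints) with what NSS/winbind actually resolves for each member ("id -G"). It compares numeric GIDs rather than names, so group names containing spaces such as "domain users" cannot confuse the parsing. The member list and the id output embedded in it are constructed sample data, and the function names are the example's own; the live wrapper at the bottom only runs when a group name is passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): compare the members a group has
# in the directory with the members for which NSS/winbind actually resolves
# that group. Numeric GIDs are compared, so group names containing spaces
# ("domain users") cannot break the parsing. Function names are hypothetical.

# Constructed sample of what `samba-tool group listmembers new-group` prints.
SAMPLE_LDAP_MEMBERS='alice
bob
carol'

# Constructed sample of collect_nss_gids output: "user: gid gid ..." lines
# built from `id -G user`. new-group is assumed to have gidNumber 6001 and
# the primary group 10513; bob's line lacks 6001, which is the symptom.
SAMPLE_NSS_GIDS='alice: 10513 6001
bob: 10513
carol: 10513 6001 6002'

# nss_gids_for USER NSS_GIDS -> the space-separated GIDs recorded for USER
nss_gids_for() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# has_gid GID GIDLIST -> succeeds when GID is in the space-separated list
has_gid() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# missing_members GID LDAP_MEMBERS NSS_GIDS
# Prints every directory member for which NSS does not report GID, one per
# line. A member with no NSS line at all (id failed) is reported as well.
missing_members() {
    gid=$1
    printf '%s\n' "$2" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        has_gid "$gid" "$(nss_gids_for "$user" "$3")" || printf '%s\n' "$user"
    done
}

# collect_nss_gids LDAP_MEMBERS -> "user: gid gid ..." lines via id -G.
# Live query; on a DC without "winbind use default domain" the names may
# need the DOMAIN\ prefix.
collect_nss_gids() {
    printf '%s\n' "$1" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s: %s\n' "$user" "$(id -G "$user" 2>/dev/null)"
    done
}

# check_group GROUP -> live comparison for one group on this host
check_group() {
    gid=$(getent group "$1" | cut -d: -f3)
    if [ -z "$gid" ]; then
        printf 'group %s does not resolve via NSS at all\n' "$1" >&2
        return 1
    fi
    members=$(samba-tool group listmembers "$1")
    missing_members "$gid" "$members" "$(collect_nss_gids "$members")"
}

# Usage: sh check-group.sh new-group   (live check; no argument = no-op)
if [ $# -gt 0 ]; then
    check_group "$1"
fi
```

Running it for the same group on the DC and on the domain-joined file server gives two lists of users that fail to resolve, which can then be compared. Since the DC runs with "idmap_ldb:use rfc2307 = yes", a useful next step for each reported user is to look at the group's gidNumber and the user's uidNumber/gidNumber in the directory, for instance with "ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=my-user)' uidNumber gidNumber"; the joined member server resolves IDs through its own idmap backend, which is one reason its "id" output can differ from the DC's.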