[Samba] Group issues on AD DC, membership does not work on some users

Oleg Blyahher oleg.blyahher at bluetest.se
Wed Apr 22 09:51:38 UTC 2020

Hi everyone,

I'm running Samba 4.7.6 on Ubuntu 18.04.

I have an issue with adding users to groups with samba-tool, not really 
sure where to look for more info. samba -i didn't show anything at all.

This is what I do:

samba-tool group add new-group
samba-tool group addmembers new-group my-user

If I run "id my-user" or "groups my-user", then the group "new-group" 
does not appear there. It does, however, appear if I check in LDAP 
(samba-tool user edit my-user).

This becomes a problem when I set ACLs in a domain-joined file share 
server - users who are members of certain groups cannot access files and 
folders belonging to the groups they are a part of.

I can also add that this server used to be a non-DC Samba server, and 
that the GIDs go first between 1000-1027 (the oldest ones) and then 
between 5888-6012.

The strange thing is that it only occurs for some users - most don't have 
that issue at all. I've tried adding different types of users to 
different groups, couldn't really find any pattern. Many times the 
domain-joined server gives a more accurate output of "id user" than 
the DC - a user might be in a group, but the DC won't show it, while a 
server joined to the DC actually will.

Here is my smb.conf:

[global]
    workgroup = company
    realm = INTERNAL.COMPANY.COM
    netbios name = dc
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200
    ntlm auth = mschapv2-and-ntlmv2-only
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U
    tls enabled = yes
    tls keyfile = /var/lib/zentyal/conf/ssl/ssl.pem
    tls certfile = /var/lib/zentyal/conf/ssl/ssl.pem
    tls cafile =
    interfaces = lo,ens3
    bind interfaces only = yes
    map to guest = Bad User
    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000
    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/internal.company.com/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

Any ideas are highly appreciated here. Thanks!
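A small consistency check for the mismatch described in the post (LDAP says a user is a group member, but "id"/"getent" on the DC does not show it, while a domain-joined member server does), added here as an example and not part of the original message or of Samba. All group names, GIDs and command outputs below are constructed samples; in practice they would be replaced with the real output of "samba-tool group listmembers", "getent group" and "id" from each host.

```python
# Added example: compare AD (LDAP) group membership with what NSS reports.
# All sample data is constructed; substitute the real output of
# 'samba-tool group listmembers <group>', 'getent group' and 'id <user>'.
import re
from collections import defaultdict

# Constructed: members per group, as 'samba-tool group listmembers' lists them.
LDAP_MEMBERS = {"new-group": {"my-user", "other-user"}, "finance": {"my-user"}}

# Constructed 'getent group' lines (name:passwd:gid:member,member) from the DC.
NSS_GROUP_LINES = """\
new-group:x:5900:other-user
finance:x:1010:my-user
"""

# Constructed 'id my-user' output from the DC and from a domain-joined member server.
DC_ID = "uid=3000021(my-user) gid=100(domain users) groups=100(domain users),1010(finance)"
MEMBER_ID = ("uid=3000021(my-user) gid=100(domain users) "
             "groups=100(domain users),1010(finance),5900(new-group)")

def parse_getent_group(text):
    """Return {group: set(members)} from 'getent group' formatted lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def find_missing_memberships(ldap_members, nss_text):
    """Return {user: [groups]} that LDAP lists but NSS (getent) does not."""
    nss = parse_getent_group(nss_text)
    missing = defaultdict(set)
    for group, members in ldap_members.items():
        for user in members - nss.get(group, set()):
            missing[user].add(group)
    return {user: sorted(groups) for user, groups in missing.items()}

def parse_id_groups(id_output):
    """Extract group names from the 'groups=' part of 'id <user>' output."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    return set(re.findall(r"\d+\((.*?)\)", match.group(1))) if match else set()

def groups_only_on_member(dc_id, member_id):
    """Groups the member server resolves for a user that the DC does not."""
    return sorted(parse_id_groups(member_id) - parse_id_groups(dc_id))

if __name__ == "__main__":
    print("In LDAP but not in getent:", find_missing_memberships(LDAP_MEMBERS, NSS_GROUP_LINES))
    print("Only the member server shows:", groups_only_on_member(DC_ID, MEMBER_ID))
```

Running it against real output from the DC and the member server gives a per-user list of the affected groups, which narrows down which objects to inspect in LDAP (for example their rfc2307 attributes, since the config sets idmap_ldb:use rfc2307 = yes).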
