[Samba] Group issues on AD DC, membership does not work on some users
Rowland penny
rpenny at samba.org
Wed Apr 22 10:29:16 UTC 2020
On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
> Hi everyone,
>
> I'm running Samba 4.7.6 on Ubuntu 18.04.
Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is
concerned, you can get later Samba versions here:
http://apt.van-belle.nl/
>
> I have an issue with adding users to groups with samba-tool, not
> really sure where to look for more info. samba -i didn't show anything
> at all.
>
> This is what I do:
>
> samba-tool group add new-group
> samba-tool group addmembers new-group my-user
>
> if I run id my-user or groups my-user, then the group new-group
> does not appear there. It does, however, appear if I check in LDAP
> (samba-tool user edit my-user).
Sounds like the affected user isn't logged in, you can only be sure of
getting a correct list of a user's groups if the user is logged in.
>
> This becomes a problem when I set ACLs in a domain-joined file share
> server - users who are members of certain groups cannot access files
> and folders belonging to the groups they are a part of.
If the 'domain-joined file share server' is a Unix computer, then
possibly 'samba-tool group add new-group' isn't sufficient, the group
will not have a gidNumber attribute and if the 'idmap config' DOMAIN
backend is 'ad', then the group will be ignored.
>
> I can also add that this server used to be a non-DC Samba server,
> and that the GIDs go first between 1000-1027 (the oldest ones) and
> then between 5888-6012.
This shouldn't be a problem unless the 'idmap config' DOMAIN range isn't
something like '1000-7000'.
>
> The strange thing is that it only occurs to some users - most don't
> have that issue at all. I've tried adding different types of users to
> different groups, couldn't really find any pattern. Many times the
> domain-joined server gives a more accurate output of id user than
> the DC - a user might be in a group, but the DC won't show it, while a
> server joined to the DC actually will.
Probably because the user is logged in.
>
> Here is my smb.conf:
Just a few comments ;-)
server role check:inhibit = yes
Why ? the only reason could be if you are trying to run the 'nmbd'
daemon and you must not do that on a DC.
dsdb:schema update allowed = yes
Again, why? do you update your schema on a regular basis ??
winbind enum users = yes
winbind enum groups = yes
All those do is potentially slow things down.
map to guest = Bad User
On a DC, the authentication centre ?
Rowland
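An added example, not part of the thread and not Samba's own tooling, that turns the gidNumber point above into a check an admin can run: it reads an LDIF dump of the domain's groups and reports which ones the 'ad' idmap backend would ignore, either because they have no gidNumber at all (the case for a group created with plain 'samba-tool group add') or because the gidNumber falls outside the 'idmap config DOMAIN : range'. The sample LDIF is constructed inline; the range bounds (1000-7000, taken from the reply) and the ldbsearch command in the comment are assumptions about the reader's setup.

```shell
#!/bin/sh
# Added example (not from the thread): list AD groups that the winbind 'ad'
# idmap backend would ignore. Range bounds below are assumptions matching the
# '1000-7000' figure mentioned in the reply; adjust to your smb.conf.
RANGE_LO=1000
RANGE_HI=7000

# Constructed sample shaped like the output of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' cn gidNumber
# (path and filter are assumptions; attribute names are the real LDAP ones).
SAMPLE_LDIF='dn: CN=old-group,CN=Users,DC=example,DC=com
cn: old-group
gidNumber: 1005

dn: CN=new-group,CN=Users,DC=example,DC=com
cn: new-group

dn: CN=big-group,CN=Users,DC=example,DC=com
cn: big-group
gidNumber: 9000
'

# Print one line per group: "<cn> ok" | "<cn> missing-gidNumber" | "<cn> out-of-range:<gid>"
# Arguments: LDIF text, low bound, high bound.
check_groups() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        function flush() {
            if (cn == "") return
            if (gid == "")                     print cn " missing-gidNumber"
            else if (gid+0 < lo || gid+0 > hi) print cn " out-of-range:" gid
            else                               print cn " ok"
            cn = ""; gid = ""
        }
        /^cn: /        { cn  = substr($0, 5)  }   # "cn: " is 4 characters
        /^gidNumber: / { gid = substr($0, 12) }   # "gidNumber: " is 11 characters
        /^$/           { flush() }                # blank line ends an LDIF entry
        END            { flush() }'
}

# Names only of the groups that would not be usable on a Unix member server.
ignored_groups() {
    check_groups "$1" "$2" "$3" | grep -v ' ok$' | cut -d' ' -f1
}

check_groups "$SAMPLE_LDIF" "$RANGE_LO" "$RANGE_HI"
```

Run it against a real dump by replacing SAMPLE_LDIF with the ldbsearch output; any group listed by ignored_groups needs a gidNumber inside the range before ACLs that reference it will work on a domain member using the 'ad' backend.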