[Samba] Group issues on AD DC, membership does not work on some users

Rowland penny rpenny at samba.org
Wed Apr 22 10:29:16 UTC 2020 

On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
> Hi everyone,
>
> I'm running Samba 4.7.6 on Ubuntu 18.04.

Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is 
concerned, you can get later Samba versions here:

http://apt.van-belle.nl/

>
> I have an issue with adding users to groups with samba-tool, not 
> really sure where to look for more info. samba -i didn't show anything 
> at all.
>
> This is what I do:
>
> *samba-tool group add new-group**
> **samba-tool group addmembers new-group my-user*
>
> if I run *id my-user *or *groups my-user*, then the group *new-group 
> *does not appear there. It does, however, appear if I check in LDAP 
> (samba-tool user edit my-user).
Sounds like the affected user isn't logged in, you can only be sure of 
getting a correct list of a users groups if the user is logged in.
>
> This becomes a problem when I set ACLs in a domain-joined file share 
> server - users who are members of certain groups cannot access files 
> and folders belonging to the groups they are a part of.
If the 'domain-joined file share server' is a Unix computer, then 
possibly 'samba-tool group add new-group' isn't sufficient, the group 
will not have a gidNumber attribute and if the 'idmap config' DOMAIN 
backend is 'ad', then the group will be ignored.
>
> I can also add that this server used to be a a non-DC Samba server, 
> and that the GIDs go first between 1000-1027 (the oldest ones) and 
> then between 5888-6012.
This shouldn't be a problem unless the 'idmap config' DOMAIN range isn't 
something like '1000-7000'.
>
> The strange thing is that it only occurs to some users - most don't 
> have that issue at all. I've tried adding different types of users to 
> different groups, couldn't really find any pattern. Many times the 
> domain-joined server gives a more accurate output of *id* *user *than 
> the DC - a user might be in a group, but the DC won't show it, while a 
> server joined to the DC actually will.
Probably because the user is logged in.
>
> Here is my smb.conf:

Just a few comments ;-)

server role check:inhibit = yes

Why ? the only reason could be if you are trying to run the 'nmbd' 
daemon and you must not that on a DC.

dsdb:schema update allowed = yes

Again, why? do you update your schema on a regular basis ??

  winbind enum users = yes
  winbind enum groups = yes

All those do is potentially slow things down.

map to guest = Bad User

On a DC, the authentication centre ?

Rowland

More information about the samba mailing list