[Samba] Group issues on AD DC, membership does not work on some users
oleg.blyahher at bluetest.se
Wed Apr 22 10:48:13 UTC 2020
Thank you so much for the prompt response and the valuable comments.
We are using a pretty much unmodified Zentyal installation, which in its
own turn sets everything up for a Samba DC. It might be a good idea for
us to move away from that, if Zentyal uses an EOL-version of Samba..
You were absolutely right about the sign-in part! Almost all of us work
from home in these special days, so there are hardly any sign-ons to the
DC itself. People take their computers home and use cached credentials.
Your questions regarding the smb.conf are really good. Unfortunately, I
have no clue why Zentyal thought that would be a good idea :) I will
comment out the lines you've mentioned and see what happens :D
Thank you once again.
On 2020-04-22 12:29, Rowland penny via samba wrote:
> On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
>> Hi everyone,
>> I'm running Samba 4.7.6 on Ubuntu 18.04.
> Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is
> concerned, you can get later Samba versions here:
>> I have an issue with adding users to groups with samba-tool, not
>> really sure where to look for more info. samba -i didn't show
>> anything at all.
>> This is what I do:
>> *samba-tool group add new-group**
>> **samba-tool group addmembers new-group my-user*
>> if I run *id my-user *or *groups my-user*, then the group *new-group
>> *does not appear there. It does, however, appear if I check in LDAP
>> (samba-tool user edit my-user).
> Sounds like the affected user isn't logged in, you can only be sure of
> getting a correct list of a users groups if the user is logged in.
>> This becomes a problem when I set ACLs in a domain-joined file share
>> server - users who are members of certain groups cannot access files
>> and folders belonging to the groups they are a part of.
> If the 'domain-joined file share server' is a Unix computer, then
> possibly 'samba-tool group add new-group' isn't sufficient, the group
> will not have a gidNumber attribute and if the 'idmap config' DOMAIN
> backend is 'ad', then the group will be ignored.
>> I can also add that this server used to be a a non-DC Samba server,
>> and that the GIDs go first between 1000-1027 (the oldest ones) and
>> then between 5888-6012.
> This shouldn't be a problem unless the 'idmap config' DOMAIN range
> isn't something like '1000-7000'.
>> The strange thing is that it only occurs to some users - most don't
>> have that issue at all. I've tried adding different types of users to
>> different groups, couldn't really find any pattern. Many times the
>> domain-joined server gives a more accurate output of *id* *user *than
>> the DC - a user might be in a group, but the DC won't show it, while
>> a server joined to the DC actually will.
> Probably because the user is logged in.
>> Here is my smb.conf:
> Just a few comments ;-)
> server role check:inhibit = yes
> Why ? the only reason could be if you are trying to run the 'nmbd'
> daemon and you must not that on a DC.
> dsdb:schema update allowed = yes
> Again, why? do you update your schema on a regular basis ??
> winbind enum users = yes
> winbind enum groups = yes
> All those do is potentially slow things down.
> map to guest = Bad User
> On a DC, the authentication centre ?
More information about the samba