[Samba] Group issues on AD DC, membership does not work on some users

Oleg Blyahher oleg.blyahher at bluetest.se
Wed Apr 22 10:48:13 UTC 2020

Thank you so much for the prompt response and the valuable comments.

We are using a pretty much unmodified Zentyal installation, which in its 
own turn sets everything up for a Samba DC. It might be a good idea for 
us to move away from that, if Zentyal uses an EOL-version of Samba.

You were absolutely right about the sign-in part! Almost all of us work 
from home in these special days, so there are hardly any sign-ons to the 
DC itself. People take their computers home and use cached credentials.

Your questions regarding the smb.conf are really good. Unfortunately, I 
have no clue why Zentyal thought that would be a good idea :) I will 
comment out the lines you've mentioned and see what happens :D

Thank you once again.


On 2020-04-22 12:29, Rowland penny via samba wrote:
> On 22/04/2020 10:51, Oleg Blyahher via samba wrote:
>> Hi everyone,
>> I'm running Samba 4.7.6 on Ubuntu 18.04.
> Might be an idea to upgrade Samba, 4.7.x is EOL as far as Samba is 
> concerned, you can get later Samba versions here:
> http://apt.van-belle.nl/
>> I have an issue with adding users to groups with samba-tool, not 
>> really sure where to look for more info. samba -i didn't show 
>> anything at all.
>> This is what I do:
>> samba-tool group add new-group
>> samba-tool group addmembers new-group my-user
>> if I run *id my-user* or *groups my-user*, then the group *new-group* 
>> does not appear there. It does, however, appear if I check in LDAP 
>> (samba-tool user edit my-user).
> Sounds like the affected user isn't logged in, you can only be sure of 
> getting a correct list of a user's groups if the user is logged in.
>> This becomes a problem when I set ACLs in a domain-joined file share 
>> server - users who are members of certain groups cannot access files 
>> and folders belonging to the groups they are a part of.
> If the 'domain-joined file share server' is a Unix computer, then 
> possibly 'samba-tool group add new-group' isn't sufficient, the group 
> will not have a gidNumber attribute and if the 'idmap config' DOMAIN 
> backend is 'ad', then the group will be ignored.
>> I can also add that this server used to be a non-DC Samba server, 
>> and that the GIDs go first between 1000-1027 (the oldest ones) and 
>> then between 5888-6012.
> This shouldn't be a problem unless the 'idmap config' DOMAIN range 
> isn't something like '1000-7000'.
>> The strange thing is that it only occurs to some users - most don't 
>> have that issue at all. I've tried adding different types of users to 
>> different groups, couldn't really find any pattern. Many times the 
>> domain-joined server gives a more accurate output of *id user* than 
>> the DC - a user might be in a group, but the DC won't show it, while 
>> a server joined to the DC actually will.
> Probably because the user is logged in.
>> Here is my smb.conf:
> Just a few comments ;-)
> server role check:inhibit = yes
> Why ? the only reason could be if you are trying to run the 'nmbd' 
> daemon and you must not do that on a DC.
> dsdb:schema update allowed = yes
> Again, why? do you update your schema on a regular basis ??
>  winbind enum users = yes
>  winbind enum groups = yes
> All those do is potentially slow things down.
> map to guest = Bad User
> On a DC, the authentication centre ?
> Rowland
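
The two member-server conditions raised in the reply above (a group with no gidNumber under the 'ad' idmap backend, and a GID outside the 'idmap config' DOMAIN range) can be checked offline before relying on group-based ACLs. This is an added example, not code from the thread or from Samba; the domain name EXAMPLE, the smb.conf fragment and the group list are constructed sample data.

```python
import re

# Constructed member-server smb.conf fragment (not the poster's file).
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 1000-5000
"""
# Constructed (group, gidNumber) pairs; None means the attribute is not set,
# as for a group created with a plain 'samba-tool group add'.
GROUPS = [("old-group", 1010), ("mid-group", 5900), ("new-group", None)]

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments and unrelated parameters
        dom, key, val = m.groups()
        entry = domains.setdefault(dom.upper(), {})
        if key.lower() == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val.lower()
    return domains

def audit_groups(conf_text, domain, groups):
    """Flag groups a member server using the 'ad' backend would not map."""
    cfg = parse_idmap(conf_text)[domain.upper()]
    if cfg.get("backend") != "ad":
        # Other backends compute IDs themselves and do not read gidNumber.
        return {name: "not checked" for name, _ in groups}
    low, high = cfg["range"]
    findings = {}
    for name, gid in groups:
        if gid is None:
            findings[name] = "no gidNumber"
        elif not low <= gid <= high:
            findings[name] = "outside range"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for group, status in audit_groups(SMB_CONF, "EXAMPLE", GROUPS).items():
        print(f"{group}: {status}")
```

Any group reported as other than "ok" will not resolve to a Unix GID on that member server, so ACL entries naming it will not grant access to its members.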
