[Samba] Domain admins group missing from domain member

Carlos Jesus camjesus2 at gmail.com
Sun Dec 13 02:09:19 UTC 2020

Hi all,
I'm having a strange issue with one of my samba domains that I hope you can
help with.
Simply put, getent group | grep "domain admins" returns (as expected) domain
admins:x:3000061: on both my DCs, but comes out empty on both Linux domain
Can't really say when this started to happen, but, apart from some apt
update && upgrade, I've made no major changes to the system lately.
As a consequence chown root:"domain admins" somefile gives chown: invalid
group: on the domain members, but works perfectly on the DCs. As far as I
can tell, ACLs that involve Domain Admins work perfectly (see point 3
All machines are running a self-compiled Samba 4.10 on Debian buster.

What I've done:
1) tested with other groups. All work perfectly
2) Checked
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member in
particular, the "winbind connectivity" section. wbinfo --ping-dc works as
2a) Also checked https://wiki.samba.org/index.php/Libnss_winbind_Links
3) wbinfo -g shows domain admins on all machines
4) net ads leave / net ads join did not solve
5) samba-tool dbcheck --cross-ncs

I'm out of ideas and any help is, as usual, very much appreciated.

Best regards,

My nsswitch:
passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

1) For DCs
        realm = SAMDOM.LOCAL
        workgroup = SAMDOM
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@
        log file = /var/log/samba/samba.log
        server services = -dns

        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%U
        server min protocol = SMB2
#Disable printing share
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

2) For DMs
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.LOCAL
        interfaces = lo br0
        bind interfaces only = yes
        log file = /var/log/samba/%U.log
        log level = 1
        username map = /usr/local/samba/etc/user.map
        local master = no
        time server = no
        wins support = no

        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : range = 10000-999999
        idmap config SAMDOM : schema_mode = rfc2307
        idmap config SAMDOM : unix_nss_info = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%U

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        winbind refresh tickets = Yes

#only for ext4. remove for other FS's
        strict allocate = yes

#For Netdata monitoring
        smbd profiling level = 1

        min receivefile size = 16384
        use sendfile = yes
        server min protocol = SMB2
        write cache size = 65536
#For 4 minutes to release lock (Outlook remember?)

        load printers = no
        printcap name = /dev/null
#As per thread on mailing list
        inherit acls = yes
        inherit owner = yes
        inherit permissions = yes
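An added check, not from the original post, that applies the member's idmap settings above: with backend = ad a group only shows up in getent output when its AD gidNumber lies inside the configured range, while wbinfo -g lists it regardless, and 3000061 on the DCs is the kind of ID idmap.ldb allocates locally rather than a gidNumber stored in AD. The smb.conf excerpt and the gidNumber values fed to check_group are constructed.

```shell
#!/bin/sh
# Constructed excerpt mirroring the domain member config above.
SMB_CONF_SAMPLE='[global]
        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : range = 10000-999999
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999'

# idmap_range DOMAIN CONFTEXT -> prints "LOW HIGH" for that domain's range
idmap_range() {
    printf '%s\n' "$2" | awk -v dom="$1" -F'=' '
        $1 ~ /idmap config/ && $1 ~ /range/ {
            split($1, k, ":")
            gsub(/^[[:space:]]*idmap config[[:space:]]*|[[:space:]]*$/, "", k[1])
            if (k[1] == dom) { gsub(/[[:space:]]/, "", $2); sub(/-/, " ", $2); print $2 }
        }'
}

# check_group NAME GIDNUMBER CONFTEXT
# GIDNUMBER is the group's gidNumber attribute in AD ("" when the attribute
# is absent, e.g. as shown by ldbsearch). Returns 0 when the ad backend can
# map the group, 1 when getent on the member would not list it.
check_group() {
    range=$(idmap_range SAMDOM "$3")
    [ -n "$range" ] || { echo "no idmap range for SAMDOM in smb.conf"; return 1; }
    low=${range% *}; high=${range#* }
    if [ -z "$2" ]; then
        echo "$1: no gidNumber in AD, ad backend cannot map it"; return 1
    elif [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]; then
        echo "$1: gidNumber $2 is inside $low-$high, resolvable via NSS"; return 0
    else
        echo "$1: gidNumber $2 is outside $low-$high, not resolvable"; return 1
    fi
}

# Three constructed cases: attribute missing, the DC-local ID 3000061
# (outside the member's range), and a gidNumber that fits the range.
for case in "domain admins:" "domain admins:3000061" "domain users:10513"; do
    check_group "${case%%:*}" "${case#*:}" "$SMB_CONF_SAMPLE" || :
done
```

On a real member, compare the group's gidNumber (ldbsearch or ldapsearch against the DC) with the range printed by idmap_range to see which branch applies.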