[Samba] Domain admins group missing from domain member
Carlos Jesus
camjesus2 at gmail.com
Sun Dec 13 02:09:19 UTC 2020
Hi all,
I'm having a strange issue with one of my samba domains that I hope you can
help with.
Simply put, getent group|grep "domain admins" returns (as expected) domain
admins:x:3000061: on both my DCs, but comes out empty on both linux domain
members.
Can't really say when this started to happen, but, apart from some apt
update&&upgrade, I've made no major changes to the system lately.
As a consequence chown root:"domain admins" somefile gives chown: invalid
group: on the domain members, but works perfectly on the DCs. As far as I
can tell, ACLs that involve Domain Admins work perfectly (see point 3
below).
All machines are running a self compiled samba 4.10 on debian buster.
What I've done:
1) tested with other groups. All work perfectly
2) Checked
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member in
particular, the "winbind connectivity" section. wbinfo --ping-dc works as
expected
2a) Also checked https://wiki.samba.org/index.php/Libnss_winbind_Links
3) wbinfo -g shows domain admins on all machines
4) net ads leave / net ads join did not solve
5) samba-tool dbcheck --cross-ncs
I'm out of ideas and any help is, as usual, very much appreciated.
Best regards,
Carlos
My nsswitch:
passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
smb.conf:
1) for DCs
[global]
realm = SAMDOM.LOCAL
workgroup = SAMDOM
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@/var/log/samba/sam.log
log file = /var/log/samba/samba.log
server services = -dns
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U
server min protocol = SMB2
#Disable printing share
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
2) For DMs
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.LOCAL
interfaces = lo br0
bind interfaces only = yes
log file = /var/log/samba/%U.log
log level = 1
username map = /usr/local/samba/etc/user.map
local master = no
time server = no
wins support = no
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : unix_nss_info = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = Yes
#only for ext4. remove for other FS's
strict allocate = yes
#For Netdata monitoring
smbd profiling level 1
min receivefile size = 16384
use sendfile = yes
server min protocol = SMB2
write cache size = 65536
#For 4 minutes to release lock (Outlook remember?)
socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
load printers = no
printcap name = /dev/null
#As per thread on mailing list
inherit acls = yes
inherit owner = yes
inherit permissions = yes
[SHARES]...
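The following diagnostic script is an added example and is not part of the post or of Samba itself. It checks the two things that differ between a DC and a member with the configuration shown above: on a member using `idmap config SAMDOM : backend = ad` with `schema_mode = rfc2307`, winbind only hands a group to NSS when the group's AD object carries a gidNumber that falls inside the member's `idmap config SAMDOM : range`; `wbinfo -g` lists group names straight from the DC without doing any ID mapping, so it succeeds regardless. The GID 3000061 shown on the DCs comes from the DC's own idmap.ldb allocation and is not consulted by a member with the ad backend. The embedded config text is a constructed subset of the member smb.conf from the post; the live `diagnose_group` part assumes `wbinfo`, `getent` and `testparm` are present on the member and only runs when a group name is passed on the command line.

```shell
#!/bin/sh
# Added diagnostic helper; not from the original post or the Samba project.

# Print "LOW HIGH" for "idmap config <dom> : range" found in smb.conf text
# read from stdin (testparm -s output or the raw file). Exit 1 if absent.
idmap_range_for() {
  dom="$1"
  awk -F'=' -v dom="$dom" '
    {
      key = $1; val = $2
      gsub(/[[:space:]]+/, " ", key); sub(/^ /, "", key); sub(/ $/, "", key)
      gsub(/ *: */, " : ", key)          # normalise "SAMDOM:range" and "SAMDOM : range"
      if (key == "idmap config " dom " : range") {
        gsub(/[[:space:]]/, "", val); split(val, r, "-")
        print r[1], r[2]; found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }'
}

# True when GID is inside [LOW, HIGH]; winbind will not map IDs outside the range.
gid_in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed subset of the member smb.conf from the post, used for offline checks.
SAMPLE_MEMBER_CONF='[global]
   security = ADS
   workgroup = SAMDOM
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999'

sample_range() {
  printf '%s\n' "$SAMPLE_MEMBER_CONF" | idmap_range_for "$1"
}

# Live check on a domain member: name -> SID -> GID -> NSS, against the range.
# Usage: diagnose_group "domain admins" [DOMAIN]
diagnose_group() {
  name="$1"
  if [ -n "${2:-}" ]; then
    dom="$2"
  else
    dom=$(testparm -s 2>/dev/null | awk -F'=' '$1 ~ /^[[:space:]]*workgroup[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }')
  fi
  range=$(testparm -s 2>/dev/null | idmap_range_for "$dom") \
    || { echo "no 'idmap config $dom : range' in smb.conf"; return 2; }
  set -- $range
  low=$1; high=$2
  sid=$(wbinfo -n "$name" 2>/dev/null | awk '{ print $1 }')
  [ -n "$sid" ] || { echo "winbind cannot resolve '$name' to a SID (winbindd / DC connectivity)"; return 1; }
  gid=$(wbinfo -Y "$sid" 2>/dev/null) || gid=""
  if [ -z "$gid" ]; then
    echo "'$name' -> $sid, but winbind has no GID for it: with 'backend = ad' the AD object needs a gidNumber in $low-$high"
    return 1
  fi
  if gid_in_range "$gid" "$low" "$high"; then
    echo "'$name' -> $sid -> gid $gid (inside $dom range $low-$high)"
  else
    echo "'$name' -> $sid -> gid $gid is outside $dom range $low-$high; NSS will not return it"
    return 1
  fi
  getent group "$name" >/dev/null \
    || { echo "getent group '$name' still empty: check nsswitch.conf 'group:' has winbind and the libnss_winbind links"; return 1; }
  echo "getent group resolves '$name'"
}

if [ "$#" -ge 1 ]; then
  diagnose_group "$@"
fi
```

`diagnose_group` does a named lookup (`getent group "domain admins"`), which does not depend on `winbind enum groups`; the `getent group | grep` form in the post relies on enumeration, so the two can disagree on a member where enumeration is off. Note also that 3000061 lies outside both the 10000-999999 domain range and the 3000-7999 default range of the member config, so a member using the ad backend could never return that GID even if it did consult it.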