[Samba] Users lose supplementary groups after a time

Orion Poplawski orion at nwra.com
Thu May 14 20:59:34 UTC 2020

Sorry, I thought I had re-enabled delivery, but I had not.  So trying to reply
to Rowland Penny here:

> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>> All -
>>    I seem to be suffering from the common complaint that users lose
>> supplementary group access after a while - in our case it seems to be
>> connections left overnight.  Restarting smb fixes it.  I haven't been able to
>> determine the cause.
>> though I think that is to be expected at this point as we are not using
>> winbind idmapping to map AD users, but rather we have an IPA - AD trust and so
>> have local unix users already.
> Yes, but is winbind running ?
>> Server is Scientific Linux release 7.8
>> samba-4.10.4-10.el7.x86_64
>>          workgroup = DOMAIN
>>          security = ads
>>          realm = AD.DOMAIN
>> # Workaround unix group issue (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>          username map script = /bin/echo
>> Is the above now causing more issues?
> I think it is what isn't there that is the problem
>> Recent changes that I can think of are the 7.8 update and configuring AD
>> sites.  Though I think this problem has likely been occurring for a long time
>> - but for some reason we are seeing more connections left overnight.
> You do not say what you upgraded from, but 7.8 will now mean you have a 
> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if 
> you have 'security = ADS' in smb.conf. This also means you need the 
> 'idmap config' lines as well, which means you cannot have the same users 
> in /etc/passwd.

I upgraded from 7.7.  And yes since we've had samba >= 4.8.0 for a while now
we've been running winbind.

This configuration (dropping the username map script hack) seems to be working
for us, does this seem correct?

        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config DOMAIN : backend = nss
        idmap config DOMAIN : range = 1000-999999
        winbind scan trusted domains = no

Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
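As an added example (not code from the thread or from the Samba project), a small Python lint of an smb.conf [global] section that checks the points raised above: with `security = ads` there must be `idmap config` lines for the default `*` backend and for the workgroup domain, the ranges must not overlap, and the old `username map script` workaround should be gone. The sample config is constructed from the values quoted in the thread; DOMAIN and AD.DOMAIN are the poster's placeholders.

```python
import re

# Constructed smb.conf fragment using the values quoted in the thread
# (DOMAIN / AD.DOMAIN are the poster's placeholders, not real names).
SMB_CONF = """[global]
        workgroup = DOMAIN
        security = ads
        realm = AD.DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config DOMAIN : backend = nss
        idmap config DOMAIN : range = 1000-999999
        winbind scan trusted domains = no
"""

def parse_global(text):
    """Return [global] parameters as {normalised key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    """{domain: (backend, lo, hi)} from 'idmap config <dom> : ...' lines."""
    raw = {}
    for key, value in params.items():
        m = re.match(r"idmap config (\S+) : (backend|range)$", key)
        if m:
            raw.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return {d: (e.get("backend"),) + tuple(int(x) for x in e.get("range", "0-0").split("-"))
            for d, e in raw.items()}

def lint(params):
    """Apply the thread's rules to an AD member server's [global] parameters."""
    if params.get("security", "").lower() != "ads":
        return []          # only AD member servers are checked
    findings, ranges = [], idmap_ranges(params)
    for dom in ("*", params.get("workgroup", "").upper()):
        if dom and dom not in ranges:
            findings.append(f"missing 'idmap config {dom} : ...' lines")
    doms = list(ranges.items())
    for i, (d1, (_, lo1, hi1)) in enumerate(doms):
        for d2, (_, lo2, hi2) in doms[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:   # intervals intersect -> ID collisions
                findings.append(f"idmap ranges for {d1} and {d2} overlap")
    if "username map script" in params:
        findings.append("'username map script' workaround is still set")
    return findings
```

Run `lint(parse_global(open("/etc/samba/smb.conf").read()))` against a real file, or `testparm -s` output, to get the same findings for a live server.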
