[Samba] Users loose supplementary groups after a time

Rowland penny rpenny at samba.org
Fri May 15 06:56:38 UTC 2020 

On 14/05/2020 21:59, Orion Poplawski via samba wrote:
> Sorry, I thought I had re-enabled delivery, but I had not.  So trying to reply
> to Rowland Penny here:
>
>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>> All -
>>>
>>>     I seem to be suffering from the common complaint that users loose
>>> supplementary group access after a while - in our case it seems to be
>>> connections left overnight.  Restarting smb fixes it.  I haven't been able to
>>> determine the cause.
>>>
>>>
>>> though I think that is to be expected at this point as we are not using
>>> winbind idmapping to map AD users, but rather we have an IPA - AD trust and so
>>> have local unix users already.
>> Yes, but is winbind running ?>> Server is Scientific Linux release 7.8
>>> samba-4.10.4-10.el7.x86_64
>>>
>>>           workgroup = DOMAIN
>>>           security = ads
>>>           realm = AD.DOMAIN
>>> # Workaround unix group issue (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>           username map script = /bin/echo
>>>
>>> Is the above now causing more issues?
>> I think it is what isn't there that is the problem
>>> Recent changes that I can think of are then 7.8 update and configuring AD
>>> sites.  Though I think this problem has likely been occurring for a long time
>>> - but for some reason we are seeing more connections left overnight.
>> You do not say what you upgraded from, but 7.8 will now mean you have a
>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>> you have 'security = ADS' in smb.conf. This also means you need the
>> 'idmap config' lines as well, which means you cannot have the same users
>> in /etc/passwd.
> I upgraded from 7.7.  And yes since we've had samba >= 4.8.0 for a while now
> we've been running winbind.
>
> This configuration (dropping the username map script hack) seems to be working
> for us, does this seem correct?
>
>          idmap config * : backend = tdb
>          idmap config * : range = 1000000-1999999
>          idmap config DOMAIN : backend = nss
>          idmap config DOMAIN : range = 1000-999999
>          winbind scan trusted domains = no

Yes, that should work for your setup. It will map your local users to 
IPA users.

It isn't the way that I would do it though ;-)

 From what you have posted, you are mapping local users to IPA users and 
the IPA is in a trust with AD, I would just ignore IPA and join the 
computer to AD and get your users and groups directly. If you have AD, 
why not leverage it and have all users & groups stored in AD ?

Rowland

More information about the samba mailing list