[Samba] Users lose supplementary groups after a time

Orion Poplawski orion at nwra.com
Fri May 15 13:56:08 UTC 2020

On 5/15/20 12:56 AM, Rowland penny via samba wrote:
> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>> Sorry, I thought I had re-enabled delivery, but I had not.  So trying 
>> to reply
>> to Rowland Penny here:
>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>> All -
>>>>     I seem to be suffering from the common complaint that users lose
>>>> supplementary group access after a while - in our case it seems to be
>>>> connections left overnight.  Restarting smb fixes it.  I haven't 
>>>> been able to
>>>> determine the cause.
>>>> though I think that is to be expected at this point as we are not using
>>>> winbind idmapping to map AD users, but rather we have an IPA - AD 
>>>> trust and so
>>>> have local unix users already.
>>> Yes, but is winbind running ?
>>>> Server is Scientific Linux release 7.8
>>>> samba-4.10.4-10.el7.x86_64
>>>>           workgroup = DOMAIN
>>>>           security = ads
>>>>           realm = AD.DOMAIN
>>>> # Workaround unix group issue 
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>           username map script = /bin/echo
>>>> Is the above now causing more issues?
>>> I think it is what isn't there that is the problem
>>>> Recent changes that I can think of are then 7.8 update and 
>>>> configuring AD
>>>> sites.  Though I think this problem has likely been occurring for a 
>>>> long time
>>>> - but for some reason we are seeing more connections left overnight.
>>> You do not say what you upgraded from, but 7.8 will now mean you have a
>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>> you have 'security = ADS' in smb.conf. This also means you need the
>>> 'idmap config' lines as well, which means you cannot have the same users
>>> in /etc/passwd.
>> I upgraded from 7.7.  And yes since we've had samba >= 4.8.0 for a 
>> while now
>> we've been running winbind.
>> This configuration (dropping the username map script hack) seems to be 
>> working
>> for us, does this seem correct?
>>          idmap config * : backend = tdb
>>          idmap config * : range = 1000000-1999999
>>          idmap config DOMAIN : backend = nss
>>          idmap config DOMAIN : range = 1000-999999
>>          winbind scan trusted domains = no
> Yes, that should work for your setup. It will map your local users to 
> IPA users.

Thanks for the response.

> It isn't the way that I would do it though ;-)
>  From what you have posted, you are mapping local users to IPA users and 
> the IPA is in a trust with AD, I would just ignore IPA and join the 
> computer to AD and get your users and groups directly. If you have AD, 
> why not leverage it and have all users & groups stored in AD ?

We do have all of our users and groups stored in AD :).  But we also 
have lots of Linux systems that are best managed via IPA.  I suppose we 
could have some that are just joined to AD, but I suspect that this 
would create its own headaches and inconsistencies.

Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
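An added checker for the idmap layout posted in this thread, not code from the thread or from the Samba project: it parses the `idmap config` lines of a constructed smb.conf that mirrors the settings above and reports a missing default (`*`) domain, a domain without backend or range, or ranges that overlap, since winbind needs disjoint ranges to map users and groups reliably.

```python
import re

# Constructed sample: the [global] idmap lines posted in the thread.
SAMPLE_SMB_CONF = """[global]
   workgroup = DOMAIN
   security = ads
   realm = AD.DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config DOMAIN : backend = nss
   idmap config DOMAIN : range = 1000-999999
   winbind scan trusted domains = no
"""

# Matches "idmap config <domain> : <key> = <value>"; the domain may be "*".
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Group idmap config keys by domain name (upper-cased; '*' kept as-is)."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap layout is sane."""
    problems, ranges = [], {}
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain (needed since Samba 4.8)")
    for dom, keys in domains.items():
        if "backend" not in keys or "range" not in keys:
            problems.append(f"{dom}: backend and range must both be set")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-", 1))  # "lo-hi"
        if lo >= hi:
            problems.append(f"{dom}: range {lo}-{hi} is empty or reversed")
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # each pair of domains checked once
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` against a real file; an empty list means the ranges are disjoint and every domain has both a backend and a range.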
