[Samba] Users lose supplementary groups after a time

Rowland penny rpenny at samba.org
Fri May 15 14:22:42 UTC 2020

On 15/05/2020 14:56, Orion Poplawski wrote:
> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>> Sorry, I thought I had re-enabled delivery, but I had not.  So 
>>> trying to reply
>>> to Rowland Penny here:
>>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>>> All -
>>>>>     I seem to be suffering from the common complaint that users lose
>>>>> supplementary group access after a while - in our case it seems to be
>>>>> connections left overnight.  Restarting smb fixes it.  I haven't 
>>>>> been able to
>>>>> determine the cause.
>>>>> though I think that is to be expected at this point as we are not 
>>>>> using
>>>>> winbind idmapping to map AD users, but rather we have an IPA - AD 
>>>>> trust and so
>>>>> have local unix users already.
>>>> Yes, but is winbind running ?
>>>>> Server is Scientific Linux release 7.8
>>>>> samba-4.10.4-10.el7.x86_64
>>>>>           workgroup = DOMAIN
>>>>>           security = ads
>>>>>           realm = AD.DOMAIN
>>>>> # Workaround unix group issue 
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>>           username map script = /bin/echo
>>>>> Is the above now causing more issues?
>>>> I think it is what isn't there that is the problem
>>>>> Recent changes that I can think of are then 7.8 update and 
>>>>> configuring AD
>>>>> sites.  Though I think this problem has likely been occurring for 
>>>>> a long time
>>>>> - but for some reason we are seeing more connections left overnight.
>>>> You do not say what you upgraded from, but 7.8 will now mean you 
>>>> have a
>>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>>> you have 'security = ADS' in smb.conf. This also means you need the
>>>> 'idmap config' lines as well, which means you cannot have the same 
>>>> users
>>>> in /etc/passwd.
>>> I upgraded from 7.7.  And yes since we've had samba >= 4.8.0 for a 
>>> while now
>>> we've been running winbind.
>>> This configuration (dropping the username map script hack) seems to 
>>> be working
>>> for us, does this seem correct?
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 1000000-1999999
>>>          idmap config DOMAIN : backend = nss
>>>          idmap config DOMAIN : range = 1000-999999
>>>          winbind scan trusted domains = no
>> Yes, that should work for your setup. It will map your local users to 
>> IPA users.
> Thanks for the response.
>> It isn't the way that I would do it though ;-)
>>  From what you have posted, you are mapping local users to IPA users 
>> and the IPA is in a trust with AD, I would just ignore IPA and join 
>> the computer to AD and get your users and groups directly. If you 
>> have AD, why not leverage it and have all users & groups stored in AD ?
> We do have all of our users and groups stored in AD :).  But we also 
> have lots of Linux systems that are best managed via IPA.  I suppose 
> we could have some that are just joined to AD, but I suspect that this 
> would create its own headaches and inconsistencies.

Do you have any Samba shares ? From Samba 4.8.0 you cannot use sssd (not 
that I am saying you are using sssd).

I am struggling to understand just what IPA gives you, except for 
authentication and you can do this with Samba directly from AD.

The whole idea behind AD is to get centralised authentication (which 
from my understanding is what IPA does), so why have two authentication 
centres ?
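The idmap block posted earlier in the thread (a default `*` domain on the tdb backend plus the AD domain on the nss backend, each with its own range) is where this kind of setup most often goes wrong: a domain with a backend but no range, a range written low-to-high the wrong way round, or two ranges that overlap so that winbind hands out the same uid twice. The following is an added example written for this page, not code from the thread participants or from the Samba project: a small, self-contained Python check that parses the `idmap config` lines of an smb.conf fragment and reports those mistakes. The smb.conf text inside it is the configuration posted above, embedded as a constructed sample, with a second constructed variant whose ranges overlap; it does not run testparm or any other Samba tool, and the parser is deliberately minimal (no include files or line continuations).

```python
"""
Sanity-check the 'idmap config' lines of an smb.conf fragment.

Added example for this thread; not Samba code. It only reads text and
never calls a Samba binary, so it runs anywhere Python does.
"""
import re
from typing import Dict, List, Tuple

# Matches lines such as:  idmap config DOMAIN : range = 1000-999999
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the configuration posted in the thread.
GOOD_CONF = """
[global]
        workgroup = DOMAIN
        security = ads
        realm = AD.DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config DOMAIN : backend = nss
        idmap config DOMAIN : range = 1000-999999
        winbind scan trusted domains = no
"""

# Constructed sample: same layout, but the default range now overlaps the
# DOMAIN range, so winbind could allocate a uid that also belongs to a
# local (IPA) user.
BAD_CONF = GOOD_CONF.replace("1000000-1999999", "1000-1999999")


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every 'idmap config' line."""
    result: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m["dom"].upper()                # smb.conf domain names are case-insensitive
            result.setdefault(dom, {})[m["key"].lower()] = m["val"]
    return result


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' and insist that LOW < HIGH."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError(f"range low must be below high: {text}")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap block looks sane."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no default 'idmap config * :' block")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        for key in ("backend", "range"):          # every domain needs both
            if key not in opts:
                problems.append(f"{dom}: missing '{key}'")
        if "range" in opts:
            try:
                ranges[dom] = parse_range(opts["range"])
            except ValueError as exc:
                problems.append(f"{dom}: {exc}")
    # Pairwise overlap check between every two domains that have a range.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(
                    f"{a} range {lo_a}-{hi_a} overlaps {b} range {lo_b}-{hi_b}"
                )
    return problems


if __name__ == "__main__":
    for name, conf in (("posted config", GOOD_CONF), ("overlapping config", BAD_CONF)):
        found = check_idmap(conf)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Run it against the real file with `check_idmap(open('/etc/samba/smb.conf').read())`. For the nss backend the `range` is the span of local uids and gids that winbind will accept as already-existing unix accounts, so it must cover the IPA-issued ids and must stay clear of the default tdb range, which is what the overlap test guards.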