[Samba] Users loose supplementary groups after a time

Orion Poplawski orion at nwra.com
Fri May 15 18:10:22 UTC 2020 

On 5/15/20 12:56 AM, Rowland penny via samba wrote:
> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>> Sorry, I thought I had re-enabled delivery, but I had not.  So trying to reply
>> to Rowland Penny here:
>>
>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>> All -
>>>>
>>>>     I seem to be suffering from the common complaint that users loose
>>>> supplementary group access after a while - in our case it seems to be
>>>> connections left overnight.  Restarting smb fixes it.  I haven't been able to
>>>> determine the cause.
>>>>
>>>>
>>>> though I think that is to be expected at this point as we are not using
>>>> winbind idmapping to map AD users, but rather we have an IPA - AD trust
>>>> and so
>>>> have local unix users already.
>>> Yes, but is winbind running ?>> Server is Scientific Linux release 7.8
>>>> samba-4.10.4-10.el7.x86_64
>>>>
>>>>           workgroup = DOMAIN
>>>>           security = ads
>>>>           realm = AD.DOMAIN
>>>> # Workaround unix group issue
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>           username map script = /bin/echo
>>>>
>>>> Is the above now causing more issues?
>>> I think it is what isn't there that is the problem
>>>> Recent changes that I can think of are then 7.8 update and configuring AD
>>>> sites.  Though I think this problem has likely been occurring for a long time
>>>> - but for some reason we are seeing more connections left overnight.
>>> You do not say what you upgraded from, but 7.8 will now mean you have a
>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>> you have 'security = ADS' in smb.conf. This also means you need the
>>> 'idmap config' lines as well, which means you cannot have the same users
>>> in /etc/passwd.
>> I upgraded from 7.7.  And yes since we've had samba >= 4.8.0 for a while now
>> we've been running winbind.
>>
>> This configuration (dropping the username map script hack) seems to be working
>> for us, does this seem correct?
>>
>>          idmap config * : backend = tdb
>>          idmap config * : range = 1000000-1999999
>>          idmap config DOMAIN : backend = nss
>>          idmap config DOMAIN : range = 1000-999999
>>          winbind scan trusted domains = no
> 
> Yes, that should work for your setup. It will map your local users to IPA users.

Unfortunately I still seem to be seeing different behavior for different
users.  Some users are being assigned to local unix groups that they belong
to, others are only given the groups for which their AD groups have matching
local unix equivalents.  After clearing out the samba/winbind caches on a test
server - it appears that the latter behavior is likely the expected one.  Is
this correct?

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

More information about the samba mailing list