[Samba] Group membership not updating on one DC only

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Wed Feb 24 09:13:02 UTC 2021


It seems like the group memberships aren't updating anymore for a certain 
user on a specific DC. We're using Debian Buster with Samba 
4.13.4+dfsg-0.1buster2.

We have (atm) 3 DCs in their own AD-Sites: the first DC is in the 
default site ("Default-First-Site-Name"), the second DC and third are in 
their own sites. Each of them should be responsible for their IP ranges.

I've just changed the group membership of a user via MS ADUC (connected 
to DC-2). It didn't replicate to DC-1: 'net cache flush && groups 
DOMAIN\\user.name' shows all groups on DC2 and DC3, but on DC1 two groups 
are missing.

Steps I tried without any changes:

  * Waiting until the next morning (~ 12 hours)
  * Restarting all DCs one at a time
  * net cache flush (with or without restarting samba-ad-dc)
  * Moved all DCs to the default AD-Site
  * samba-tool dbcheck --cross-ncs --fix --yes on all 3 DCs
  * samba-tool drs replicate --full-sync --sync-forced DC1 DC2 DC=...
  * Transferring all FSMO roles from DC1 to DC2, demoting DC1, apt remove
    --purge samba on DC1 and a complete reinstall with rejoining

Even after all of this: the groups of user.name are still the old 
values! DC2 and DC3 show the new membership info.

Some more things I've tried:

  * wbinfo -g shows all groups correctly
  * getent group shows all groups correctly (if winbind enum groups is
    set to Yes)
  * samba-tool drs uptodateness shows all zeros (and 5 different
    "Unknown invocation ID XYZ" error messages spammed about)
  * samba-tool visualize uptodateness -r shows all green zeros (same
    error message as above)
  * samba-tool drs kcc is successful on all 3 DCs
  * samba-tool drs showrepl
      o Shows 0 consecutive failures
      o But all outbound connections on DC1 also show "Last attempt @
        NTTIME(0) was successful" ... this means that no sync has been
        done - right?
      o Inbound connections on DC properly show an up2date time+date
  * samba-tool ldapcmp ldap://DC2 ldap://DC1
      o Result for [DOMAIN]: SUCCESS (all other partitions are a success)
      o But in [DOMAIN] 7 users are shown as:
          + LdbError for dn CN=MEIN TESSTNAME,...: (32, 'LDAP error 32
            LDAP_NO_SUCH_OBJECT -  <acl_read: Error retrieving
            instanceType for base. at
            ../../source4/dsdb/samdb/ldb_modules/acl_read.c:939> <>')
          + The user is named "Mein Teßtname" in ADUC...
          + Is this a problem?
          + The user with the missing groups has no ß in his name though...

Does anybody have an idea what's wrong here? What do I need to do to 
debug it further?

Thanks in advance!

Matthias Kühne
Senior Web Developer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Dresden District Court / HRB 23769
Board of Directors: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
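The two checks the post walks through by hand (whether any `samba-tool drs showrepl` neighbor still reports "Last attempt @ NTTIME(0)", i.e. never synced, and which groups one DC lacks compared to the others) can be scripted for monitoring. This is an added example, not code from the post or from Samba; the showrepl sample below is constructed in the format samba-tool prints, and the group sets are constructed too.

```python
"""Flag never-synced replication neighbors and per-DC group membership gaps."""
import re
from collections import namedtuple

Neighbor = namedtuple("Neighbor", "direction partition peer last_attempt failures")

# Constructed sample of `samba-tool drs showrepl` output (not captured from real DCs).
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: 11111111-2222-3333-4444-555555555555
\t\tLast attempt @ Wed Feb 24 08:59:12 2021 CET was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Feb 24 08:59:12 2021 CET

==== OUTBOUND NEIGHBORS ====

DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: 11111111-2222-3333-4444-555555555555
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\t\tLast success @ NTTIME(0)
"""

def parse_showrepl(text):
    """Return one Neighbor per (direction, partition, peer) block in showrepl output."""
    neighbors, direction, partition, peer, attempt = [], None, None, None, None
    for line in text.splitlines():
        m = re.match(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====", line)
        if m:
            direction = m.group(1)
            continue
        if line and not line.startswith("\t"):
            partition = line.strip()              # naming context, e.g. DC=example,DC=com
        elif line.startswith("\t") and not line.startswith("\t\t"):
            peer = line.strip()                   # "Site\DC via RPC"
        elif "Last attempt @" in line:
            attempt = line.split("Last attempt @ ", 1)[1].split(" was ")[0]
        elif "consecutive failure" in line:
            failures = int(line.strip().split()[0])
            neighbors.append(Neighbor(direction, partition, peer, attempt, failures))
    return neighbors

def never_synced(neighbors):
    """NTTIME(0) as last attempt means the link has never been used, whatever the status says."""
    return [n for n in neighbors if n.last_attempt == "NTTIME(0)"]

def missing_groups(per_dc):
    """per_dc: {dc_name: set_of_groups} from `groups DOMAIN\\user` on each DC.
    Returns {dc: sorted groups present on some other DC but absent here}."""
    union = set().union(*per_dc.values())
    return {dc: sorted(union - g) for dc, g in per_dc.items() if union - g}
```

Feed each DC's real showrepl output and `groups` output into these functions from cron to catch a DC whose outbound links never fire before users notice stale memberships.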
