[Samba] Group membership not updating on one DC only

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Wed Feb 24 09:36:48 UTC 2021


I just asked the user to ssh into DC1. And lo and behold, after that he 
has the correct groups.

I let him connect to a fileserver via SMB and it updated the groups 
correctly too. Yay

So it seems like the cache (on a Domain Member and on a DC) only gets 
updated if the user connects to it. net cache flush doesn't seem to do 
anything here. Winbind Offline Logon is enabled. Is this the / a problem?

Is there any command I could run to update the groups without asking the 
user to login to the machine?

On 24.02.21 at 10:13, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
> it seems like the group membership isn't updating anymore for a certain
> user on a specific DC. We're using Debian Buster with samba
> 4.13.4+dfsg-0.1buster2.
> We have (atm) 3 DCs in their own AD-Sites: the first DC is in the
> default site ("Default-First-Site-Name"), the second DC and third are in
> their own sites. Each of them should be responsible for their IP ranges.
> I've just changed the group membership of a user via MS ADUC (connected
> to DC-2). It didn't replicate to DC-1...: 'net cache flush && groups
> DOMAIN\\user.name' shows all groups on DC2 and DC3, but on DC1 2 groups
> are missing.
> Steps I tried without any changes:
>    * Waiting until the next morning (~ 12 hours)
>    * Restarting all DCs one at a time
>    * net cache flush (with or without restarting samba-ad-dc)
>    * Moved all DCs to the default AD-Site
>    * samba-tool dbcheck --cross-ncs --fix --yes on all 3 DCs
>    * samba-tool drs replicate --full-sync --sync-forced DC1 DC2 DC=...
>    * Transferring all FSMO from DC1 to DC2, demoting DC1, apt remove
>      --purge samba on DC1 and a complete reinstall with rejoining
> Even after all of this: the groups of user.name are still the old
> values! DC2 and DC3 show the new membership info.
> Some more things I've tried:
>    * wbinfo -g shows all Groups correctly
>    * getent group shows all groups correctly (if winbind enum groups is
>      set to Yes)
>    * samba-tool drs uptodateness shows all zeros (and 5 different
>      "Unknown invocation ID XYZ" error messages spammed about)
>    * samba-tool visualize uptodateness -r shows all green zeros (same
>      error message as above)
>    * samba-tool drs kcc is successful on all 3 DCs
>    * samba-tool drs showrepl
>        o Shows 0 consecutive failures
>        o But all outbound connections on DC1 also show "Last attempt @
>          NTTIME(0) was successful" ... this means that no sync has been
>          done - right?
>        o Inbound connections on DC properly show an up2date time+date
>    * samba-tool ldapcmp ldap://DC2 ldap://DC1
>        o Result for [DOMAIN]: SUCCESS (all other partitions are a success
>          too)
>        o But in [DOMAIN] 7 users are shown as:
>            + LdbError for dn CN=MEIN TESSTNAME,...: (32, 'LDAP error 32
>              LDAP_NO_SUCH_OBJECT -  <acl_read: Error retrieving
>              instanceType for base. at
>              ../../source4/dsdb/samdb/ldb_modules/acl_read.c:939> <>')
>            + The user is named "Mein Teßtname" in ADUC...
>            + Is this a problem?
>            + The user with the missing groups has no ß in his name though...
> Does anybody have an idea what's wrong here? What do I need to do to
> debug it further?
> Thanks in advance!
Matthias Kühne
Senior Web Developer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
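Added illustration, not code from the thread or from the Samba project: a small Python parser over constructed output in the layout of `samba-tool drs showrepl`, which flags the pattern the post describes (outbound partners whose last attempt is `NTTIME(0)`, the zero timestamp the poster reads as "no sync has been done") together with partners showing consecutive failures. It assumes the tab-indented section layout of the constructed sample; the DC and domain names in it are made up.

```python
import re

# Constructed sample in the layout of `samba-tool drs showrepl`; not output from the thread.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ Wed Feb 24 09:30:00 2021 UTC was successful
\t\t0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ NTTIME(0) was successful
\t\t0 consecutive failure(s).
\tSite2\\DC3 via RPC
\t\tLast attempt @ Wed Feb 24 09:31:00 2021 UTC was unsuccessful
\t\t3 consecutive failure(s).

==== KCC CONNECTION OBJECTS ====
"""

SECTION = re.compile(r"^==== (\w+)")
ATTEMPT = re.compile(r"Last attempt @ (.+?) was (\w+)")
FAILS = re.compile(r"(\d+) consecutive failure")

def parse_showrepl(text):
    """Return one dict per replication partner listed under INBOUND/OUTBOUND."""
    out, section, partition, cur = [], None, None, None
    for line in text.splitlines():
        if m := SECTION.match(line):            # section header; KCC etc. ends parsing
            section = m.group(1) if m.group(1) in ("INBOUND", "OUTBOUND") else None
        elif section is None or not line.strip():
            continue
        elif not line.startswith("\t"):          # unindented: the naming context (partition)
            partition = line.strip()
        elif not line.startswith("\t\t"):        # one tab: the partner DC and transport
            cur = {"direction": section, "partition": partition, "peer": line.strip(),
                   "last_attempt": None, "failures": 0}
            out.append(cur)
        elif m := ATTEMPT.search(line):          # two tabs: details of that partner
            cur["last_attempt"] = m.group(1)
        elif m := FAILS.search(line):
            cur["failures"] = int(m.group(1))
    return out

def replication_problems(text):
    """Partners whose last attempt is the zero timestamp NTTIME(0) or that report failures."""
    return [n for n in parse_showrepl(text) if n["last_attempt"] == "NTTIME(0)" or n["failures"]]
```

Run against real `samba-tool drs showrepl` output on each DC to see at a glance which partitions and partners have never recorded an outbound attempt, instead of reading the per-partition blocks by hand.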
