[Samba] groups command not listing supplementary groups

Paul Griffith paulg at yorku.ca
Mon Jan 12 14:46:06 UTC 2026


Hello Samba Team,

We are experiencing a rather unusual issue with Samba.

On some of our systems, the 'groups' command is not retrieving the correct supplementary group membership and is causing various permissions-based issues.

For example:

% groups webapp
webapp : webappg domain users

Note that it shows webapp is only a part of webappg and "domain users".

What it should be showing (and shows on other machines):

% groups webapp
webapp : webappg domain users faculty hc_server submit hc_prism hc_public privkey

Rebooting the server, or even restarting winbind, will cause the correct group membership to come back.

This problem first occurred after we upgraded from Samba 4.21.6 to 4.22.7 (on the Linux AD clients and the AD server). As a test, we reverted the problematic host to 4.21.10 to see if the issue would stop, and it did. Something has changed with 4.22.7. It is odd in the sense that it appears to be intermittent.

On another system:
% groups radman
radman : grad domain users

And while I was exploring to find out why this was, the group membership came back:

% groups radman
radman : grad domain users guac_res guac_edu hc_ispm guac_ea hc_dslab hc_mmlab hc_prism hc_public hc_nslab hc_senior hc_research vboxusers tsmc130nm cmosp18 mixsigkit guac_intelect guac_icsl hc_icsl


Here are our config files, which have not changed.



On the host in question (Linux AD client):
------
egrep -i '^passwd|^group' /etc/nsswitch.conf
passwd:      files winbind systemd
group:       files winbind systemd


/etc/krb5.conf:
[libdefaults]
default_realm = AD.HOST.HOST.CA
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
forwardable = true
renew_lifetime = 7d

[realms]
AD.HOST.HOST.CA = {
 kdc = xx.xx.xx.66
 kdc = xx.xx.xx.67
 master_kdc = xx.xx.xx.66
 auth_to_local = RULE:[1:$1@$0](^.*\$@AD.HOST.HOST.CA)s/.*/root/
 auth_to_local = DEFAULT
}

[domain_realm]
ad.host.host.ca = AD.HOST.HOST.CA
.ad.host.host.ca = AD.HOST.HOST.CAA
host.host.ca =
.host.host.ca = AD.HOST.HOST.CAA

/etc/samba/smb.conf
[global]
workgroup = HOSTHOSTCA
security = ADS
realm = AD.HOST.HOST.CA
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use krb5 enterprise principals = no
winbind max clients = 600

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

# idmap config for the HOSTHOSTCA domain
# range should match UNIX ID in AD

idmap config HOSTHOSTCA : backend = ad
idmap config HOSTHOSTCA : schema_mode = rfc2307
idmap config HOSTHOSTCA : range = 1000-999999
idmap config HOSTHOSTCA : unix_primary_group = yes
idmap config HOSTHOSTCA : unix_nss_info = yes

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes

# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users  = no
winbind enum groups = no

# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 1
max log size = 0

# printing (none)
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# security
username map = /xconf/samba/usermap
guest account = nobody
----

Background info:
All systems are running Samba compiled from source, running on Rocky Linux release 8.10.

Samba 4.22.7 build info:
smbd -b

Paths:
  SBINDIR: /xsys/pkg/samba-4.22.7/sbin
  BINDIR: /xsys/pkg/samba-4.22.7/bin
  CONFIGFILE: /etc/samba/smb.conf
  LOGFILEBASE: /local/log
  LMHOSTSFILE: /etc/samba/lmhosts
  LIBDIR: /xsys/pkg/samba-4.22.7/lib
  DATADIR: /xsys/pkg/samba-4.22.7/share
  SAMBA_DATADIR: /xsys/pkg/samba-4.22.7/share/samba
  MODULESDIR: /xsys/pkg/samba-4.22.7/lib
  SHLIBEXT: so
  LOCKDIR: /local/samba/lock
  STATEDIR: /local/samba/locks
  CACHEDIR: /local/samba/cache
  PIDDIR: /run
  SMB_PASSWD_FILE: /local/samba/private/smbpasswd
  PRIVATE_DIR: /local/samba/private
  BINDDNS_DIR: /xsys/pkg/samba-4.22.7/bind-dns

Build Options:
  AD_DC_BUILD_IS_ENABLED
  ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
  BOOL_DEFINED
  BROKEN_NISPLUS_INCLUDE_FILES
  COMPILER_SUPPORTS_LL
  CONFIG_H_IS_FROM_SAMBA
  DEFAULT_DOS_CHARSET
  DEFAULT_UNIX_CHARSET
  ENABLE_GPGME
  GETCWD_TAKES_NULL
  INLINE_MACRO
  KRB5_CONST_PAC_GET_BUFFER
  KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
  KRB5_PRINC_REALM_RETURNS_REALM
  LDAP_DEPRECATED
  LDAP_SET_REBIND_PROC_ARGS
  LIBREPLACE_NETWORK_CHECKS
  LINUX
  LINUX_SENDFILE_API
  REALPATH_TAKES_NULL
  RETSIGTYPE
  SAMBA4_USES_HEIMDAL
  SHLIBEXT
  SIZEOF_BLKCNT_T_8
  SIZEOF_BOOL
  SIZEOF_CHAR
  SIZEOF_DEV_T
  SIZEOF_INO_T
  SIZEOF_INT
  SIZEOF_INT16_T
  SIZEOF_INT32_T
  SIZEOF_INT64_T
  SIZEOF_INT8_T
  SIZEOF_KEY_SERIAL_T
  SIZEOF_LONG
  SIZEOF_LONG_LONG
  SIZEOF_OFF_T
  SIZEOF_SHORT
  SIZEOF_SIZE_T
  SIZEOF_SSIZE_T
  SIZEOF_TIME_T
  SIZEOF_UINT16_T
  SIZEOF_UINT32_T
  SIZEOF_UINT64_T
  SIZEOF_UINT8_T
  SIZEOF_VOID_P
  SRCDIR
  STAT_STATVFS
  STAT_ST_BLOCKSIZE
  STDC_HEADERS
  STRING_SHARED_MODULES
  STRING_STATIC_MODULES
  SUMMARY_PASSES
  SYSCONF_SC_NGROUPS_MAX
  SYSCONF_SC_NPROCESSORS_ONLN
  SYSCONF_SC_PAGESIZE
  SYSTEM_UNAME_MACHINE
  SYSTEM_UNAME_RELEASE
  SYSTEM_UNAME_SYSNAME
  SYSTEM_UNAME_VERSION
  TALLOC_BUILD_VERSION_MAJOR
  TALLOC_BUILD_VERSION_MINOR
  TALLOC_BUILD_VERSION_RELEASE
  TEVENT_NUM_SIGNALS
  TIME_T_MAX
  TIME_T_SIGNED
  TIME_WITH_SYS_TIME
  USE_TDB_MUTEX_LOCKING
  USING_EMBEDDED_HEIMDAL
  USING_SYSTEM_POPT
  VALUEOF_NSIG
  VALUEOF_SIGRTMAX
  VALUEOF_SIGRTMIN
  VALUEOF__NSIG
  VOID_RETSIGTYPE
  WINEXE_LDFLAGS
  WORKING_GETCONF_LFS_CFLAGS
  XSLTPROC_MANPAGES
  _GNU_SOURCE
  _HAVE_SENDFILE
  _POSIX_FALLOCATE_CAPABLE_LIBC
  _SAMBA_BUILD_
  _XOPEN_SOURCE_EXTENDED
  __TIME_T_MAX
  idmap_ad_init
  idmap_autorid_init
  idmap_hash_init
  idmap_rfc2307_init
  idmap_rid_init
  idmap_script_init
  idmap_tdb2_init
  offset_t
  static_decl_auth
  static_decl_charset
  static_decl_gpext
  static_decl_idmap
  static_decl_nss_info
  static_decl_pdb
  static_decl_vfs
  static_init_auth
  static_init_charset
  static_init_gpext
  static_init_idmap
  static_init_nss_info
  static_init_pdb
  static_init_vfs
  uint_t
  vfs_acl_tdb_init
  vfs_acl_xattr_init
  vfs_aio_fork_init
  vfs_aio_pthread_init
  vfs_audit_init
  vfs_btrfs_init
  vfs_cap_init
  vfs_catia_init
  vfs_commit_init
  vfs_crossrename_init
  vfs_default_quota_init
  vfs_dirsort_init
  vfs_expand_msdfs_init
  vfs_extd_audit_init
  vfs_fake_perms_init
  vfs_fileid_init
  vfs_fruit_init
  vfs_full_audit_init
  vfs_glusterfs_fuse_init
  vfs_gpfs_init
  vfs_linux_xfs_sgid_init
  vfs_media_harmony_init
  vfs_offline_init
  vfs_posix_eadb_init
  vfs_preopen_init
  vfs_readahead_init
  vfs_readonly_init
  vfs_recycle_init
  vfs_shadow_copy2_init
  vfs_shadow_copy_init
  vfs_shell_snap_init
  vfs_snapper_init
  vfs_streams_depot_init
  vfs_streams_xattr_init
  vfs_syncops_init
  vfs_time_audit_init
  vfs_unityed_media_init
  vfs_virusfilter_init
  vfs_widelinks_init
  vfs_worm_init
  vfs_xattr_tdb_init
----------

Any suggestions to help further troubleshoot and resolve this would be appreciated.

Thank you

Paul Griffith
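
An added example (not part of the original post, and not Samba code): a POSIX shell check that records a user's numeric GIDs while membership is correct, for instance right after a winbind restart, and reports when supplementary groups later disappear, so the intermittent state gets a timestamp that can be matched against the winbind logs. It compares numeric GIDs from `id -G` because names such as "domain users" contain spaces and cannot be split reliably from `groups` output; the baseline file path and the `GID_LOOKUP` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect the truncated supplementary-group state described above.

# Command used to resolve a user's numeric GIDs through NSS.
# Assumption of this example: overridable so the check can be exercised offline.
GID_LOOKUP=${GID_LOOKUP:-id -G}

# missing_gids BASELINE CURRENT
# Prints, one per line, every GID in BASELINE that is absent from CURRENT.
# Both arguments are space-separated lists of numeric GIDs.
missing_gids() {
    for gid in $1; do
        case " $2 " in
            *" $gid "*) ;;                 # still present (whole-word match)
            *) printf '%s\n' "$gid" ;;     # dropped since the baseline
        esac
    done
}

# check_user USER BASELINE_FILE
# First run: stores the current GID list as the baseline (take it while
# membership is known to be correct). Later runs: returns 1 and prints a
# timestamped line if any baseline GID is no longer reported, 2 if the
# lookup itself fails, 0 otherwise.
check_user() {
    user=$1
    baseline_file=$2
    current=$($GID_LOOKUP "$user" 2>/dev/null) || {
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $user: GID lookup failed"
        return 2
    }
    if [ ! -f "$baseline_file" ]; then
        printf '%s\n' "$current" > "$baseline_file"
        return 0
    fi
    baseline=$(cat "$baseline_file")
    lost=$(missing_gids "$baseline" "$current" | tr '\n' ' ')
    if [ -n "$lost" ]; then
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $user: missing GIDs: $lost"
        return 1
    fi
    return 0
}
```

Run `check_user` from cron or a systemd timer with one baseline file per account; a non-zero exit marks the interval in which group membership was incomplete.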



