SMB shares not showing all domain users/groups in permissions

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
Upgraded to 21.08 and trying to learn my way around.

If I create an SMB share and try to give a specific domain user permissions, not all domain users are listed:
Screenshot 2021-09-01 143015.jpg


Same with a group:
Screenshot 2021-09-01 143109.jpg


Issuing the command wbinfo -u shows all the domain users:
Screenshot 2021-09-01 094926.jpg


Same with wbinfo -g
Screenshot 2021-09-01 095005.jpg


Shares created before the update to 21.08 still work, but I can't give permissions to say the domain admins group. It is not specifically listed.

I don't know what to make of this. Thoughts?
 


sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I think I don't know the right syntax for that command.

I tried it and got this:
syntax1.JPG


So I tried a user:
syntax2.JPG


I did a brief search and tried passwd:
users.JPG


And groups for good measure:
groups.JPG


It seems fine here, so maybe this is a bug in the new code? Maybe I have something set wrong?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Yeah, it was just a mistake on my part. A few crossed wires because of dealing with these APIs. Do you see your directory services users if you run the command midclt call user.query '[]' '{"extra": {"search_dscache": true}}'

Let's try to narrow down whether it's a webui issue or backend issue.
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
Ok so I ran that command and got a massive return. I searched it for 'domain admin' and it is not there. Other groups are, but they are the same as identified in my original post.

Searching the output for just 'domain', I get the following:
"TAZNET2\\enterprise read-only domain controllers"
"TAZNET2\\domain controllers"
"TAZNET2\\read-only domain controllers"
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Ok so I ran that command and got a massive return. I searched it for 'domain admin' and it is not there. Other groups are, but they are the same as identified in my original post.

Searching the output for just 'domain', I get the following:
"TAZNET2\\enterprise read-only domain controllers"
"TAZNET2\\domain controllers"
"TAZNET2\\read-only domain controllers"
Okay. Try rebuilding the directory services cache. There's a GUI button for that in the webui.
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I rebuilt the directory services cache and ran the midclt call user.query '[]' '{"extra": {"search_dscache": true}}' command. It returned a very large output, but the domain admins group was not there.

I don't know how long the cache rebuild job takes, as there is no notification when it completes. As such, I waited about 10 mins and repeated the midclt command and searched for 'domain admins'. It was not found.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It's a group. Let's try some backend queries. `wbinfo` isn't a good guide for what users are actually available on the server (doesn't account for idmap settings, which may be invalid). Here are examples from my server:

Example - nuke persistent database to ensure we have empty group cache and verify it's empty
Code:
tn23# rm /root/tdb/persistent/activedirectory_group.tdb
tn23# midclt call activedirectory.get_cache | jq .GROUPS
[]


Direct query for particular user should bypass the cache and hit nss_winbind:
Code:
tn23# midclt call group.query '[["name", "=", "HOMEDOM\\domain users"]]' '{"extra": {"search_dscache": true}}'
[{"id": 1453900513, "gid": 1453800513, "name": "HOMEDOM\\domain users", "group": "HOMEDOM\\domain users", "builtin": false, "sudo": false, "sudo_nopasswd": false, "sudo_commands": [], "users": [], "local": false, "id_type_both": true}]


and perform cache insertion:
Code:
tn23# midclt call activedirectory.get_cache | jq .GROUPS
[
  {
    "id": 1453900513,
    "gid": 1453800513,
    "name": "HOMEDOM\\domain users",
    "group": "HOMEDOM\\domain users",
    "builtin": false,
    "sudo": false,
    "sudo_nopasswd": false,
    "sudo_commands": [],
    "users": [],
    "local": false,
    "id_type_both": true
  }
]
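An added example, not code from the thread or from TrueNAS, that automates the check above: it reads a `midclt call activedirectory.get_cache` dump, reports which expected domain groups are missing, and flags any GID outside the idmap range. The JSON is constructed to match the shape shown in the post, and the idmap range is an assumed value.

```python
import json

# Constructed sample shaped like `midclt call activedirectory.get_cache`
# (not output from any real server); the third group is deliberately
# given a gid outside the assumed idmap range.
SAMPLE_CACHE = json.dumps({
    "GROUPS": [
        {"id": 100100513, "gid": 100000513, "name": "TAZNET2\\domain admins",
         "group": "TAZNET2\\domain admins", "builtin": False, "local": False,
         "id_type_both": True},
        {"id": 100100514, "gid": 100000514, "name": "TAZNET2\\domain users",
         "group": "TAZNET2\\domain users", "builtin": False, "local": False,
         "id_type_both": True},
        {"id": 3100000001, "gid": 2100000001, "name": "TAZNET2\\stale group",
         "group": "TAZNET2\\stale group", "builtin": False, "local": False,
         "id_type_both": True},
    ],
    "USERS": [],
})

# Assumed idmap range for the domain (hypothetical values, not from the thread).
IDMAP_LOW, IDMAP_HIGH = 100000000, 200000000


def cache_groups(cache_json):
    """Return the GROUPS list from a get_cache JSON dump."""
    return json.loads(cache_json).get("GROUPS", [])


def missing_groups(cache_json, domain, expected):
    """Names from `expected` (e.g. 'domain admins') that are absent from the
    cache for `domain`; comparison is case-insensitive like winbind names."""
    present = {g["name"].lower() for g in cache_groups(cache_json)}
    return [name for name in expected
            if f"{domain}\\{name}".lower() not in present]


def out_of_range_gids(cache_json, low=IDMAP_LOW, high=IDMAP_HIGH):
    """Cached group names whose gid falls outside the idmap range [low, high];
    such entries point at an idmap problem rather than a missing group."""
    return [g["name"] for g in cache_groups(cache_json)
            if not low <= g["gid"] <= high]


if __name__ == "__main__":
    # Usage with a real dump: midclt call activedirectory.get_cache > cache.json
    expected = ["domain admins", "domain users", "enterprise admins"]
    print("missing:", missing_groups(SAMPLE_CACHE, "TAZNET2", expected))
    print("bad gids:", out_of_range_gids(SAMPLE_CACHE))
```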
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
Code:
tn23# midclt call group.query '[["name", "=", "HOMEDOM\\domain users"]]' '{"extra": {"search_dscache": true}}'
[{"id": 1453900513, "gid": 1453800513, "name": "HOMEDOM\\domain users", "group": "HOMEDOM\\domain users", "builtin": false, "sudo

I tried to follow along but your commands are way beyond me. I'm assuming 'HOMEDOM' I would change to my AD domain name? I did that and the command output was:
BadOutput_2.JPG


I tried leaving it the same:
BadOutput_1.JPG


I thought maybe there's some goofy word wrap happening here so i tried connecting the command:
BadOutput_3.JPG


Yeah, I wasn't able to get this to work. What did I do wrong?
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I know what I did wrong.

Nuke persistent database
Code:
krustynas# rm /root/tdb/persistent/activedirectory_group.tdb
krustynas# midclt call activedirectory.get_cache | jq .GROUPS
[]

Direct query for particular user (I did this for both 'domain users' and 'domain admins')
Code:
krustynas# midclt call group.query '[["name", "=", "TAZNET2\\domain users"]]' '{"extra": {"search_dscache": true}}'
[{"id": 100100514, "gid": 100000514, "name": "TAZNET2\\domain users", "group": "TAZNET2\\domain users", "builtin": false, "sudo": false, "sudo_nopasswd": false, "sudo_commands": [], "users": [], "local": false, "id_type_both": true}]

Code:
krustynas# midclt call activedirectory.get_cache | jq .GROUPS
[
  {
    "id": 100100513,
    "gid": 100000513,
    "name": "TAZNET2\\domain admins",
    "group": "TAZNET2\\domain admins",
    "builtin": false,
    "sudo": false,
    "sudo_nopasswd": false,
    "sudo_commands": [],
    "users": [],
    "local": false,
    "id_type_both": true
  },
  {
    "id": 100100514,
    "gid": 100000514,
    "name": "TAZNET2\\domain users",
    "group": "TAZNET2\\domain users",
    "builtin": false,
    "sudo": false,
    "sudo_nopasswd": false,
    "sudo_commands": [],
    "users": [],
    "local": false,
    "id_type_both": true
  }
]

Does this mean I need to do this query for every group and user?
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I am guessing there's an issue with ID mapping?

Should it be worth noting that my AD server is Samba-based and not a Windows Server?
 