[Samba] Samba domain member - force group not working
Michal Bruncko
michal.bruncko at ssrk.sk
Thu Dec 17 12:38:32 UTC 2020
Hello all,
We use:
- Domain controller (NT4 style): samba4-4.2.10-15.el6.x86_64 (dist packages), CentOS release 6.10 (Final)
- Domain member server: samba-4.12.3-12.el8.3.x86_64 (dist packages), CentOS Linux release 8.3.2011
The problem is with the "force group" setting on a share on the domain member server.
Before we moved to CentOS 8/Samba 4.12, we used the same CentOS 6/Samba 4.2 as on the PDC and everything worked fine.
Right now, on the new system/Samba, we are unable to get it working.
Windows error: Network drive is not accessible. (...). The group name could not be found.
Samba log:
[2020/12/17 13:32:11.207094, 3] ../../lib/util/access.c:371(allow_access)
Allowed connection from 192.168.1.6 (192.168.1.6)
[2020/12/17 13:32:11.207156, 3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
string_to_sid: SID +Domain Users is not in a valid format
[2020/12/17 13:32:11.221933, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_SUCH_GROUP] || at ../../source3/smbd/smb2_tcon.c:142
Setup on domain member server:
- we are running smb, nmb and winbind
- in nslookup.conf:
passwd: files winbind sss systemd
group: files winbind sss systemd
# wbinfo -t
checking the trust secret for domain GLOBESY via RPC calls succeeded
# wbinfo -g | grep domain
domain admins
domain users
domain guests
domain computers
# wbinfo -n "Domain Users"
S-1-5-21-3475061560-2576973763-2360094-513 SID_DOM_GROUP (2)
# id test.user
uid=1067(test.user) gid=100(users) groups=100(users),512(Domain Admins),513(Domain Users),
[global]
workgroup = WRKGROUP
server string = File Server
netbios name = FILESRV
interfaces = lo ens18
hosts allow = 127. 10.0.0.0/8 192.168.0.0/16
hosts deny = 0.0.0.0/0
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
security = domain
passdb backend = tdbsam
password server = A.B.C.D
local master = yes
wins support = no
wins server = A.B.C.D
host msdfs = yes
winbind use default domain = yes
winbind separator = \
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
[store]
path = /var/lib/samba/store
browseable = yes
writeable = yes
public = no
valid users = +"Domain Users"
force group = "Domain Users"
msdfs root = yes
create mask = 0775
directory mask = 0775
What's wrong?
Thanks,
michal