[Samba] Valid Users Does Not Like My AD Group or Syntax

Rowland Penny rpenny at samba.org
Sun Jan 29 09:51:55 UTC 2023

On 28/01/2023 23:57, E R via samba wrote:
> I think I may be having an issue with Winbind caching groups longer than
> the default of 300 seconds as I have not configured this setting!  What
> file(s) hold this info?  Can I safely delete the file(s)?

Winbind caches the data for the time you mention, then queries the DC 
again, so it is unlikely to be that, but if you must, you can run 'net 
cache flush' as root, but be aware that it will totally empty the cache.

> As you suggested I increased the logging to 5, removed the "+" and put the
> entire setting in quotes:
> valid users = "MYDOMAIN\Samba-www-test"
> I found these log entries curious:
> SID MYDOMAIN\Samba-www-test is not in a valid format
> MYDOMAIN\Samba-www-test is a Domain Group, expected a user

I wonder if +"MYDOMAIN\Samba-www-test" will work
> I changed the valid users back to what I used initially since I was curious
> what I would see in the logs:
> valid users = +MYDOMAIN\"samba-www-test"
> I did not find any log entry about being a Domain Group, just this message
> I see very often:
> SID +MYDOMAIN\samba-www-test is not in a valid format
> But at this point the network drive mapped successfully!  I kept reading
> last night, but didn't make any changes to the smb.conf file.
> I created a new AD group on the Windows DC with a "-2" in the name and
> populated it with my user ID, updated smb.conf with the new name, restarted
> smbd and winbind and I am back at the same issue as last night.  If I
> remove the "-2" and restart things I am able to map and access the share
> again.  I looked at the Windows domain controller and could not find any
> replication errors.  I noticed in the logs that Samba seems to use DC #2 so
> I connected there and confirmed the new security group was present.  After
> an hour and half of testing I still cannot access the share when I use the
> "-2" group, but no issues when I use the original group.  At about 1 hour
> and 45 minutes the "-2" group began working.  It really looks like I have
> some type of cache problem with the groups.

This is all weird, why did it start working ???

> RHEL 7.9 which is using an older version of Samba as you might guess:
> 4.10.16.  I am stuck on this version of RHEL due to app issues in an in
> house program that we use Samba to allow specific employees to edit files.

Samba 4.10.16 is EOL from the Samba point of view, so you are unlikely 
to get that version fixed (if indeed it is a bug), but as you are using 
RHEL, don't you have a red-hat contract ? If so, it might be time to get 
them involved.


More information about the samba mailing list