[Samba] Valid Users Does Not Like My AD Group or Syntax

E R fasteddieinaustin at gmail.com
Sun Jan 29 21:42:00 UTC 2023


I have duplicated the issue with RHEL 8.7 and RHEL 9.1.  Sadly, they use
the same 4.16.4 version of Samba, so my efforts were wasted a bit.

>Winbind caches the data for the time you mention, then queries the DC
>again, so it is unlikely to be that, but if you must, you can run 'net
> cache flush' as root, but be aware that it will totally empty the cache

This command did not cause any change for me.

>I wonder if +"MYDOMAIN\Samba-www-test" will work

This syntax did not change anything.

>This is all weird, why did it start working ???

As near as I can tell there appears to be some type of caching issue since
a newly created Active Directory Security Group (Global and Security
settings) is not usable for over an hour but less than 2 hours.  I have
reviewed logs on Windows Domain Controllers and do not see an issue.  I
have confirmed that a security group created on one DC is replicated to the
others.  There may be an issue with our Windows AD configuration that I
am not seeing.  I do know I cannot use "strong" for the kerberos encryption
types setting as I reviewed all the settings in smb.conf documentation in
an effort to tighten security.

Once the share started working I tested adding an existing user to that
security group and I was able to immediately access the share with the
other user account on another VM.  So changes made to an existing group are
seen immediately, but a new group takes some time before Samba can see that
the group exists.  Real head scratcher!

Absent my finding the root cause I am wondering if I should use groups that
are local on the Samba server and include the Windows AD account in the
groups.

On Sun, Jan 29, 2023 at 3:52 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

>
>
> On 28/01/2023 23:57, E R via samba wrote:
> > I think I may be having an issue with Winbind caching groups longer than
> > the default of 300 seconds as I have not configured this setting!  What
> > file(s) hold this info?  Can I safely delete the file(s)?
>
> Winbind caches the data for the time you mention, then queries the DC
> again, so it is unlikely to be that, but if you must, you can run 'net
> cache flush' as root, but be aware that it will totally empty the cache.
>
> >
> > As you suggested I increased the logging to 5, removed the "+" and put the
> > entire setting in quotes:
> >
> > valid users = "MYDOMAIN\Samba-www-test"
> >
> > I found these log entries curious:
> > SID MYDOMAIN\Samba-www-test is not in a valid format
> > MYDOMAIN\Samba-www-test is a Domain Group, expected a user
>
> I wonder if +"MYDOMAIN\Samba-www-test" will work
> >
> > I changed the valid users back to what I used initially since I was curious
> > what I would see in the logs:
> >
> > valid users = +MYDOMAIN\"samba-www-test"
> >
> > I did not find any log entry about being a Domain Group, just this message
> > I see very often:
> > SID +MYDOMAIN\samba-www-test is not in a valid format
> >
> > But at this point the network drive mapped successfully!  I kept reading
> > last night, but didn't make any changes to the smb.conf file.
> >
> > I created a new AD group on the Windows DC with a "-2" in the name and
> > populated it with my user ID, updated smb.conf with the new name, restarted
> > smbd and winbind and I am back at the same issue as last night.  If I
> > remove the "-2" and restart things I am able to map and access the share
> > again.  I looked at the Windows domain controller and could not find any
> > replication errors.  I noticed in the logs that Samba seems to use DC #2 so
> > I connected there and confirmed the new security group was present.  After
> > an hour and a half of testing I still cannot access the share when I use the
> > "-2" group, but no issues when I use the original group.  At about 1 hour
> > and 45 minutes the "-2" group began working.  It really looks like I have
> > some type of cache problem with the groups.
>
> This is all weird, why did it start working ???
>
> >
> > RHEL 7.9 which is using an older version of Samba as you might guess:
> > 4.10.16.  I am stuck on this version of RHEL due to app issues in an in
> > house program that we use Samba to allow specific employees to edit
> files.
> >
>
> Samba 4.10.16 is EOL from the Samba point of view, so you are unlikely
> to get that version fixed (if indeed it is a bug), but as you are using
> RHEL, don't you have a red-hat contract ? If so, it might be time to get
> them involved.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
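Added example, not code from this thread or from Samba: a small Python model of how smbd splits a `valid users` value and what each of the three spellings tried above turns into under the smb.conf(5) rules (no prefix means a user; `+` means look the name up only in the UNIX group database, which is winbind via NSS for an AD group; `@` means NIS netgroup first, then UNIX group; `&` means netgroup only). The quote handling is my understanding of Samba's token splitting, that a double quote toggles literal mode wherever it appears and is itself dropped, which is why `+MYDOMAIN\"samba-www-test"` and `+"MYDOMAIN\samba-www-test"` come out the same; treat that as an assumption and confirm with `testparm -s`. The directory contents are constructed sample data standing in for what winbind would answer.

```python
# Added example for this thread, not Samba's own code.  Models how smbd
# tokenizes a `valid users` list and what each entry means per smb.conf(5).
# ASSUMPTION: a double quote toggles literal mode anywhere inside a token
# and is dropped, so +MYDOMAIN\"x" and +"MYDOMAIN\x" are the same entry.
# The directory below is constructed sample data, not a real winbind reply.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINBIND_SEPARATOR = "\\"      # smb.conf default for `winbind separator`

LOOKUP_KIND = {
    "": "user",
    "+": "unix-group",                 # winbind via NSS for an AD group
    "@": "netgroup-then-unix-group",
    "&": "netgroup",
}


def tokenize(value: str) -> List[str]:
    """Split an smb.conf list on commas/whitespace that sit outside quotes."""
    tokens: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in value:
        if ch == '"':
            quoted = not quoted        # toggles literal mode, never emitted
        elif ch in ", \t" and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass(frozen=True)
class Entry:
    raw: str
    prefix: str             # "", "+", "@" or "&"
    domain: Optional[str]   # None for a bare name (only a domain name if
    name: str               # `winbind use default domain = yes`)

    @property
    def kind(self) -> str:
        return LOOKUP_KIND[self.prefix]

    def key(self) -> str:
        """Case-folded DOMAIN\\name used for the sample directory lookup."""
        if self.domain is None:
            return self.name.lower()
        return f"{self.domain}{WINBIND_SEPARATOR}{self.name}".lower()

    def canonical(self, prefix: Optional[str] = None) -> str:
        """Unambiguous spelling: prefix outside the quotes, whole name quoted."""
        p = self.prefix if prefix is None else prefix
        body = self.name if self.domain is None else f"{self.domain}{WINBIND_SEPARATOR}{self.name}"
        return f'{p}"{body}"'


def parse_entry(token: str) -> Entry:
    prefix = token[0] if token[:1] in ("+", "@", "&") else ""
    body = token[len(prefix):]
    domain, sep, name = body.partition(WINBIND_SEPARATOR)
    if not sep:
        return Entry(token, prefix, None, body)
    return Entry(token, prefix, domain, name)


# Constructed stand-in for winbind's answer: case-folded key -> "user"/"group".
SAMPLE_DIRECTORY: Dict[str, str] = {
    "mydomain\\samba-www-test": "group",
    "mydomain\\domain users": "group",
    "mydomain\\ernie": "user",
}


def audit(value: str, directory: Dict[str, str] = SAMPLE_DIRECTORY) -> List[Tuple[str, str]]:
    """Return (token, verdict) for every entry of a `valid users` value."""
    verdicts: List[Tuple[str, str]] = []
    for token in tokenize(value):
        e = parse_entry(token)
        found = directory.get(e.key())
        if e.prefix == "&":
            verdict = "NIS netgroup lookup only; winbind does not serve netgroups"
        elif found is None:
            verdict = "unresolvable; check wbinfo --group-info / getent group"
        elif e.kind == "user" and found == "group":
            verdict = "is a Domain Group, expected a user; use " + e.canonical("+")
        elif e.kind != "user" and found == "user":
            verdict = "is a user but listed with a group prefix; use " + e.canonical("")
        else:
            verdict = f"ok: {e.kind} lookup of {e.key()}"
        verdicts.append((token, verdict))
    return verdicts


if __name__ == "__main__":
    for line in ('"MYDOMAIN\\Samba-www-test"',
                 '+MYDOMAIN\\"samba-www-test"',
                 '+"MYDOMAIN\\Samba-www-test-2", @"MYDOMAIN\\Domain Users"'):
        print(line)
        for token, verdict in audit(line):
            print(f"    {token!r:40} -> {verdict}")
```

The model only explains the syntax side of the thread: the unprefixed, fully quoted form is looked up as a user (hence "is a Domain Group, expected a user"), while the `+` form with the stray quote is the same entry as `+"MYDOMAIN\samba-www-test"`. On the member server the real checks are `testparm -s` for what smbd parsed, and `wbinfo --group-info='MYDOMAIN\Samba-www-test'` plus `getent group 'MYDOMAIN\Samba-www-test'` for whether winbind and NSS can resolve the group at all; a new group that resolves there but still fails in the share is a different problem from one that does not resolve yet.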

