[Samba] Valid Users Does Not Like My AD Group or Syntax

Rowland Penny rpenny at samba.org
Sun Jan 29 21:54:08 UTC 2023

On 29/01/2023 21:42, E R via samba wrote:
> I have duplicated the issue with RHEL 8.7 and RHEL 9.1.  Sadly, they use
> the same 4.16.4 version of Samba so my efforts were wasted a bit.
>> Winbind caches the data for the time you mention, then queries the DC
>> again, so it is unlikely to be that, but if you must, you can run 'net
>> cache flush' as root, but be aware that it will totally empty the cache
> This command did not cause any change for me.
>> I wonder if +"MYDOMAIN\Samba-www-test" will work
> This syntax did not change anything.
>> This is all weird, why did it start working ???
> As near as I can tell there appears to be some type of caching issue since
> a newly created Active Directory Security Group (Global and Security
> settings) is not usable for over an hour but less than 2 hours.  I have
> reviewed logs on Windows Domain Controllers and do not see an issue.  I
> have confirmed that a security group created on one DC is replicated to the
> others.  There may be an issue without our Windows AD configuration that I
> am not seeing.  I do know I cannot use "strong" for the kerberos encryption
> types setting as I reviewed all the settings in smb.conf documentation in
> an effort to tighten security.
> Once the share started working I tested adding an existing user to that
> security group and I was able to immediately access the share with the
> other user account on another VM.  So changes made to an existing group are
> seen immediately, but a new group takes some time before Samba can see that
> the group exists.  Real head scratcher!
> Absent my finding the root cause I am wondering if I should use groups that
> are local on the Samba server and include the Windows AD account in the
> groups.

The problem with that is that, if winbind is setup correctly (and it 
sounds like yours is) AD groups become local groups.

Just two thoughts, you could try removing the 'winbind enum' lines, they 
are not required for winbind to work, the other is, is nscd running ? If 
it is, try stopping it, it can do funny things to winbind.


