[Samba] Valid Users Does Not Like My AD Group or Syntax

E R fasteddieinaustin at gmail.com
Mon Jan 30 17:39:39 UTC 2023


>The problem with that is that, if winbind is setup correctly (and it
>sounds like yours is) AD groups become local groups.

Other than the oddity of not seeing updates to a security group for an hour
or so, everything seems to be working well.  I created a local group and
populated it with AD user names and used the valid users @groupname syntax.  I
am still able to chgrp to the newly created AD group and it works just fine.

>Just two thoughts, you could try removing the 'winbind enum' lines, they
>are not required for winbind to work, the other is, is nscd running ? If
>it is, try stopping it, it can do funny things to winbind.


I do not see nscd running and removing the 'winbind enum' lines didn't
change anything.  I also set up Rocky Linux and Alma Linux (4.16.4 Samba)
and they have the same behavior.  Finally, I went on a "treasure hunt" with
Ubuntu (4.15.13) to get it set up as well with the same behavior.  (I have
not used Ubuntu so the package names are different.)

On Sun, Jan 29, 2023 at 3:54 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

>
>
> On 29/01/2023 21:42, E R via samba wrote:
> > I have duplicated the issue with RHEL 8.7 and RHEL 9.1.  Sadly, they use
> > the same 4.16.4 version of Samba so my efforts were wasted a bit.
> >
> >> Winbind caches the data for the time you mention, then queries the DC
> >> again, so it is unlikely to be that, but if you must, you can run 'net
> >> cache flush' as root, but be aware that it will totally empty the cache
> >
> > This command did not cause any change for me.
> >
> >> I wonder if +"MYDOMAIN\Samba-www-test" will work
> >
> > This syntax did not change anything.
> >
> >> This is all weird, why did it start working ???
> >
> > As near as I can tell there appears to be some type of caching issue since
> > a newly created Active Directory Security Group (Global and Security
> > settings) is not usable for over an hour but less than 2 hours.  I have
> > reviewed logs on Windows Domain Controllers and do not see an issue.  I
> > have confirmed that a security group created on one DC is replicated to the
> > others.  There may be an issue with our Windows AD configuration that I
> > am not seeing.  I do know I cannot use "strong" for the kerberos encryption
> > types setting as I reviewed all the settings in smb.conf documentation in
> > an effort to tighten security.
> >
> > Once the share started working I tested adding an existing user to that
> > security group and I was able to immediately access the share with the
> > other user account on another VM.  So changes made to an existing group are
> > seen immediately, but a new group takes some time before Samba can see that
> > the group exists.  Real head scratcher!
> >
> > Absent my finding the root cause I am wondering if I should use groups that
> > are local on the Samba server and include the Windows AD account in the
> > groups.
>
> The problem with that is that, if winbind is setup correctly (and it
> sounds like yours is) AD groups become local groups.
>
> Just two thoughts, you could try removing the 'winbind enum' lines, they
> are not required for winbind to work, the other is, is nscd running ? If
> it is, try stopping it, it can do funny things to winbind.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

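As an added diagnostic for the situation discussed in this thread (not part of the original mails), the script below lists the groups a share's `valid users` refers to, including the `@group` and `+"MYDOMAIN\group"` forms mentioned above, and checks whether each one currently resolves through NSS and winbind, so the "new AD group is invisible for about an hour" symptom can be confirmed from the member server. It assumes the standard Samba tools `testparm`, `getent` and `wbinfo` are installed, and that group names contain no spaces.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the thread): which groups does a share's
# "valid users" name, and does winbind/NSS know them right now?
# Assumes standard Samba tooling: testparm, getent, wbinfo.

# Extract group names from a "valid users" value. Samba marks groups with the
# @, + or & prefixes (&+ / +& combinations are allowed); names that carry a
# DOMAIN\ separator are often quoted, as in +"MYDOMAIN\Samba-www-test".
# Plain user names are dropped. Assumes group names contain no spaces.
valid_users_groups() {
  printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | sed -n \
    -e 's/^[@+&]\{1,2\}"\(.*\)"$/\1/p' \
    -e 's/^[@+&]\{1,2\}\([^"].*\)$/\1/p'
}

# Resolve one group by name; returns 0 if NSS or winbind knows it.
group_resolves() {
  if getent group "$1" >/dev/null 2>&1; then
    echo "ok   nss     $1"; return 0
  elif wbinfo --name-to-sid "$1" >/dev/null 2>&1; then
    # winbind can map the name but NSS cannot: usually an idmap range or
    # nsswitch.conf problem rather than a missing group.
    echo "ok   winbind $1 (not via NSS: check idmap config / nsswitch.conf)"; return 0
  fi
  echo "FAIL          $1 (unknown to getent and wbinfo; a new AD group may not be visible yet)"
  return 1
}

# Check every group in the share's "valid users", reading the value with testparm.
check_share() {
  local value g rc=0
  value=$(testparm -s --section-name="$1" --parameter-name='valid users' 2>/dev/null)
  [ -n "$value" ] || { echo "no 'valid users' set for share [$1]"; return 2; }
  for g in $(valid_users_groups "$value"); do
    group_resolves "$g" || rc=1
  done
  [ "$rc" -eq 0 ] || echo "hint: 'net cache flush' (as root) empties the winbind cache before retrying"
  return "$rc"
}

# Run only when a share name is supplied, e.g.  SMB_SHARE=www ./check_valid_users.sh
if [ -n "${SMB_SHARE:-}" ]; then check_share "$SMB_SHARE"; fi
```

Re-running it every few minutes after creating a group shows exactly when the member server first sees the new group, which separates a winbind-side delay from a share-configuration mistake.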