[Samba] Problem with a leading space on group names

Θεόφιλος Ιντζόγλου int.teo at gmail.com
Thu Jun 12 08:04:19 UTC 2025 

Hi,

I have setup a samba ad dc at the office on a debian linux server (bookworm). The linux workstations (also debian bookworm) that have joined the domain present a peculiar problem where some times after the login if you check the groups that the user belongs to using id, some of the groups appear with an extra space in front of the group name which causes problems when trying to authenticate the user with specific services. After a while the problem seems to fix itself and rarely it can reoccur.

Upgrading samba from 4.17 to 4.22 on the workstations doesn’t solve the problem, and I wasn’t able to find a bug report on bugzilla that would indicate a problem with a specific version of samba.

Login works all the time both from sddm and using ssh.

/etc/samba/smb.conf (on workstations):

[global]

workgroup = MYDOMAIN
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = member server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
kerberos method = secrets and keytab
realm = MYDOMAIN.INTERNAL
template homedir = /home/%D/%U
template shell = /bin/bash
security = ads
idmap config MYDOMAIN : range = 2000000-2999999
idmap config MYDOMAIN : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind request timeout = 10
winbind enum groups = yes
winbind enum users = yes
apply group policies = yes
printing = CUPS


Is there a known issue with winbind that could cause such behaviour or is it a miscofiguration from my part?

-- 
()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments

More information about the samba mailing list