Rowland Penny
2023-Jan-28 19:26 UTC
[Samba] Valid Users Does Not Like My AD Group or Syntax
On 28/01/2023 18:34, E R via samba wrote:
> [root at local]# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> 	bind interfaces only = Yes
> 	disable netbios = Yes
> 	dns proxy = No
> 	kerberos encryption types = strong
> 	load printers = No
> 	log file = /var/log/samba/log.%m
> 	ntlm auth = disabled
> 	realm = MYDOMAIN.COM
> 	security = ADS
> 	server signing = required
> 	server string = Samba Server
> 	unix extensions = No
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind refresh tickets = Yes
> 	workgroup = MYDOMAIN
> 	idmap config * : rangesize = 1000000
> 	idmap config * : range = 100000-19999999
> 	idmap config * : backend = autorid
> 	hosts allow = 192.168.1.3
>
>
> [www-test]
> 	comment = Samba share for test
> 	create mask = 0664
> 	directory mask = 0775
> 	path = /export/home/www/htdocs/test
> 	read only = No
> 	valid users = +MYDOMAIN\Samba-www-test
>

You didn't tell us what version of Samba or the RHEL version.

Never mind, let's go with what we have.

Can you please raise the loglevel to 5 for a start, I think this may cause a few more error messages to pop out that may point to the problem.

You could also try removing the '+' from the start of the name and wrap the entire name in quotes.

Rowland
I think I may be having an issue with Winbind caching groups longer than the default of 300 seconds as I have not configured this setting! What file(s) hold this info? Can I safely delete the file(s)?

As you suggested I increased the logging to 5, removed the "+" and put the entire setting in quotes:

valid users = "MYDOMAIN\Samba-www-test"

I found these log entries curious:

SID MYDOMAIN\Samba-www-test is not in a valid format
MYDOMAIN\Samba-www-test is a Domain Group, expected a user

I changed the valid users back to what I used initially since I was curious what I would see in the logs:

valid users = +MYDOMAIN\"samba-www-test"

I did not find any log entry about being a Domain Group, just this message I see very often:

SID +MYDOMAIN\samba-www-test is not in a valid format

But at this point the network drive mapped successfully!

I kept reading last night, but didn't make any changes to the smb.conf file. I created a new AD group on the Windows DC with a "-2" in the name and populated it with my user ID, updated smb.conf with the new name, restarted smbd and winbind and I am back at the same issue as last night. If I remove the "-2" and restart things I am able to map and access the share again.

I looked at the Windows domain controller and could not find any replication errors. I noticed in the logs that Samba seems to use DC #2 so I connected there and confirmed the new security group was present.

After an hour and a half of testing I still cannot access the share when I use the "-2" group, but no issues when I use the original group. At about 1 hour and 45 minutes the "-2" group began working. It really looks like I have some type of cache problem with the groups.

RHEL 7.9 which is using an older version of Samba as you might guess: 4.10.16. I am stuck on this version of RHEL due to app issues in an in-house program that we use Samba to allow specific employees to edit files.
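A helper for the two threads of advice above (the spelling of the `valid users` entry, and the winbind cache question in the last message), added here as an example; it is not code from the thread or from the Samba project. The first part is offline: it classifies a `valid users` token according to the prefix rules documented in smb.conf(5) ('@' netgroup then UNIX group, '+' UNIX group only, '&' netgroup only, no prefix a user) and produces a spelling for an AD group. The second part wraps the live checks (wbinfo, getent, testparm, net) and only runs where those tools exist. It assumes the thread's names MYDOMAIN\Samba-www-test and the "-2" variant, and that winbind's cache file lives under /var/lib/samba, the usual RHEL build path, which should be confirmed with `smbd -b`.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.  MYDOMAIN and
# Samba-www-test are the thread's names; the cache-file path is an assumption.

# How smbd treats one 'valid users' entry, per smb.conf(5):
#   @name  NIS netgroup first, then UNIX group (winbind exposes AD groups as UNIX groups)
#   +name  UNIX group only
#   &name  NIS netgroup only
#   name   a user; a group here is what produces "is a Domain Group, expected a user"
classify_token() {
    case "$1" in
        @*)   echo netgroup-then-unix-group ;;
        +*)   echo unix-group ;;
        '&'*) echo netgroup ;;
        *)    echo user ;;
    esac
}

# Bare name: drop the prefix character and every double quote, so that
# "MYDOMAIN\Samba-www-test" and +MYDOMAIN\"samba-www-test" reduce to the same name.
bare_name() {
    n=$1
    case "$n" in @*|+*|'&'*) n=${n#?} ;; esac
    printf '%s\n' "$n" | tr -d '"'
}

# Spelling for an AD group in smb.conf: prefix outside the quotes, so the prefix
# is the first character smbd examines and the quotes keep the token whole even
# when the group name contains a space.
group_spelling() {
    printf '@"%s"\n' "$(bare_name "$1")"
}

# Live checks for one group token (second argument: user to test membership for).
# Returns 2 when the Samba tools are absent, 1 when winbind cannot resolve the name.
check_group() {
    g=$(bare_name "$1")
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "wbinfo not found; run this on the member server" >&2
        return 2
    fi
    echo "== name -> SID (winbind must answer this before any share check can pass)"
    wbinfo -n "$g" || return 1
    echo "== UNIX group via nsswitch (the lookup an @ or + prefix goes through)"
    getent group "$g" || return 1
    echo "== cache settings in effect (-v shows defaults too)"
    testparm -s -v 2>/dev/null | grep -Ei 'winbind cache time|idmap (negative )?cache time'
    echo "== is the user in that group as the member server sees it?"
    id -Gn "${2:-$(id -un)}" | tr ' ' '\n' | grep -Fxi "$g" \
        && echo "member: yes" || echo "member: no"
}

# Drop cached lookups instead of waiting the cache out.  'net cache flush' empties
# gencache; removing winbindd_cache.tdb with winbind stopped is the usual hard
# reset (the file is recreated).  Path is an assumption for RHEL: confirm with
#   smbd -b | grep -E 'LOCKDIR|CACHEDIR'
flush_winbind_cache() {
    command -v net >/dev/null 2>&1 || return 2
    net cache flush
    systemctl stop winbind
    rm -f /var/lib/samba/winbindd_cache.tdb
    systemctl start winbind
}

# Offline demonstration on the spellings that appear in the thread plus the
# "-2" group (constructed sample tokens).
for tok in '+MYDOMAIN\Samba-www-test' '"MYDOMAIN\Samba-www-test"' \
           '+MYDOMAIN\"samba-www-test"' 'MYDOMAIN\Samba-www-test-2'; do
    printf '%-30s looked up as: %-24s suggested: %s\n' \
        "$tok" "$(classify_token "$tok")" "$(group_spelling "$tok")"
done

# Live checks only where Samba is installed, i.e. on the member server.
if command -v wbinfo >/dev/null 2>&1; then
    check_group 'MYDOMAIN\Samba-www-test-2'
fi
```

Run it on the member server as root; the offline table reproduces why the unprefixed, quoted spelling is looked up as a user (matching the "expected a user" log line) while the '+' and '@' forms are looked up as a group. If `wbinfo -n` and `getent group` both resolve the "-2" group but the share still refuses the user, one thing worth ruling out before blaming winbind's cache is the client side: with Kerberos, the user's group list reaches smbd in the ticket's PAC, so a membership added after the Windows user logged on only shows up once that client obtains a fresh ticket (new logon, or `klist purge` and reconnect), independent of any cache on the Samba host.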