Michal Bruncko
2020-Dec-17 12:38 UTC
[Samba] Samba domain member - force group not working
hello all

we use:
- Domain controller (NT4 style): samba4-4.2.10-15.el6.x86_64 (dist packages), CentOS release 6.10 (Final)
- Domain member server: samba-4.12.3-12.el8.3.x86_64 (dist packages), CentOS Linux release 8.3.2011

the problem is with the "force group" setting on a share on the domain member server. before we moved to CentOS 8/samba 4.12, we used the same CentOS 6/samba 4.2 as on the PDC and everything worked fine. right now on the new system/samba we are unable to get it working.

Windows error:
Network drive is not accessible. (...). The group name could not be found.

Samba log:
[2020/12/17 13:32:11.207094,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.1.6 (192.168.1.6)
[2020/12/17 13:32:11.207156,  3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
  string_to_sid: SID +Domain Users is not in a valid format
[2020/12/17 13:32:11.221933,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_SUCH_GROUP] || at ../../source3/smbd/smb2_tcon.c:142

Setup on domain member server:
- we are running smb, nmb and winbind
- in nslookup.conf:
passwd:     files winbind sss systemd
group:      files winbind sss systemd

# wbinfo -t
checking the trust secret for domain GLOBESY via RPC calls succeeded

# wbinfo -g | grep domain
domain admins
domain users
domain guests
domain computers

# wbinfo -n "Domain Users"
S-1-5-21-3475061560-2576973763-2360094-513 SID_DOM_GROUP (2)

# id test.user
uid=1067(test.user) gid=100(users) groups=100(users),512(Domain Admins),513(Domain Users),

[global]
        workgroup = WRKGROUP
        server string = File Server
        netbios name = FILESRV
        interfaces = lo ens18
        hosts allow = 127. 10.0.0.0/8 192.168.0.0/16
        hosts deny = 0.0.0.0/0
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 3
        security = domain
        passdb backend = tdbsam
        password server = A.B.C.D
        local master = yes
        wins support = no
        wins server = A.B.C.D
        host msdfs = yes
        winbind use default domain = yes
        winbind separator = \
        vfs objects = full_audit
        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = NOTICE

[store]
        path = /var/lib/samba/store
        browseable = yes
        writeable = yes
        public = no
        valid users = +"Domain Users"
        force group = "Domain Users"
        msdfs root = yes
        create mask = 0775
        directory mask = 0775

what's wrong?

thanks
michal
On 17/12/2020 12:38, Michal Bruncko via samba wrote:
> hello all
>
> we use:
> - Domain controller (NT4 style): samba4-4.2.10-15.el6.x86_64 (dist
> packages), CentOS release 6.10 (Final)

Probably preaching to the converted, but CentOS 6 is EOL

>
> the problem is with "force group" setting on share on domain member
> server.
>
> Samba log:
>   string_to_sid: SID +Domain Users is not in a valid format

Try removing the '+' sign from here:

> [store]
>         valid users = +"Domain Users"
>

You should also remove sssd if it is still installed, you cannot have sssd and winbind installed together, they both have their versions of the winbind libs.

Finally, you really should look into upgrading to Samba AD, the NT4-style domains will go away, the work is being done now.

Rowland