I think I may be having an issue with Winbind caching groups longer than the default of 300 seconds as I have not configured this setting! What file(s) hold this info? Can I safely delete the file(s)? As you suggested I increased the logging to 5, removed the "+" and put the entire setting in quotes: valid users = "MYDOMAIN\Samba-www-test" I found these log entries curious: SID MYDOMAIN\Samba-www-test is not in a valid format MYDOMAIN\Samba-www-test is a Domain Group, expected a user I changed the valid users back to what I used initially since I was curious what I would see in the logs: valid users = +MYDOMAIN\"samba-www-test" I did not find any log entry about being a Domain Group, just this message I see very often: SID +MYDOMAIN\samba-www-test is not in a valid format But at this point the network drive mapped successfully! I kept reading last night, but didn't make any changes to the smb.conf file. I created a new AD group on the Windows DC with a "-2" in the name and populated it with my user ID, updated smb.conf with the new name, restarted smbd and winbind and I am back at the same issue as last night. If I remove the "-2" and restart things I am able to map and access the share again. I looked at the Windows domain controller and could not find any replication errors. I noticed in the logs that Samba seems to use DC #2 so I connected there and confirmed the new security group was present. After an hour and half of testing I still cannot access the share when I use the "-2" group, but no issues when I use the original group. At about 1 hour and 45 minutes the "-2" group began working. It really looks like I have some type of cache problem with the groups. RHEL 7.9 which is using an older version of Samba as you might guess: 4.10.16. I am stuck on this version of RHEL due to app issues in an in house program that we use Samba to allow specific employees to edit files. On Sat, Jan 28, 2023 at 1:27 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> > > On 28/01/2023 18:34, E R via samba wrote: > > [root at local]# testparm -s > > Load smb config files from /etc/samba/smb.conf > > Loaded services file OK. > > Server role: ROLE_DOMAIN_MEMBER > > > > # Global parameters > > [global] > > bind interfaces only = Yes > > disable netbios = Yes > > dns proxy = No > > kerberos encryption types = strong > > load printers = No > > log file = /var/log/samba/log.%m > > ntlm auth = disabled > > realm = MYDOMAIN.COM > > security = ADS > > server signing = required > > server string = Samba Server > > unix extensions = No > > winbind enum groups = Yes > > winbind enum users = Yes > > winbind refresh tickets = Yes > > workgroup = MYDOMAIN > > idmap config * : rangesize = 1000000 > > idmap config * : range = 100000-19999999 > > idmap config * : backend = autorid > > hosts allow = 192.168.1.3 > > > > > > [www-test] > > > > comment = Samba share for test > > create mask = 0664 > > directory mask = 0775 > > path = /export/home/www/htdocs/test > > read only = No > > valid users = +MYDOMAIN\Samba-www-test > > > > > > You didn't tell us what version of Samba or the RHEL version. > > Never mind, lets go with what we have. > > Can you please raise the loglevel to 5 for a start, I think this may > cause a few more error messages to pop out that may point to the problem. > > You could also try removing the '+' from the start of the name and wrap > the entire name in quotes. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2023-Jan-29 09:51 UTC
[Samba] Valid Users Does Not Like My AD Group or Syntax
On 28/01/2023 23:57, E R via samba wrote:> I think I may be having an issue with Winbind caching groups longer than > the default of 300 seconds as I have not configured this setting! What > file(s) hold this info? Can I safely delete the file(s)?Winbind caches the data for the time you mention, then queries the DC again, so it is unlikely to be that, but if you must, you can run 'net cache flush' as root, but be aware that it will totally empty the cache.> > As you suggested I increased the logging to 5, removed the "+" and put the > entire setting in quotes: > > valid users = "MYDOMAIN\Samba-www-test" > > I found these log entries curious: > SID MYDOMAIN\Samba-www-test is not in a valid format > MYDOMAIN\Samba-www-test is a Domain Group, expected a userI wonder if +"MYDOMAIN\Samba-www-test" will work> > I changed the valid users back to what I used initially since I was curious > what I would see in the logs: > > valid users = +MYDOMAIN\"samba-www-test" > > I did not find any log entry about being a Domain Group, just this message > I see very often: > SID +MYDOMAIN\samba-www-test is not in a valid format > > But at this point the network drive mapped successfully! I kept reading > last night, but didn't make any changes to the smb.conf file. > > I created a new AD group on the Windows DC with a "-2" in the name and > populated it with my user ID, updated smb.conf with the new name, restarted > smbd and winbind and I am back at the same issue as last night. If I > remove the "-2" and restart things I am able to map and access the share > again. I looked at the Windows domain controller and could not find any > replication errors. I noticed in the logs that Samba seems to use DC #2 so > I connected there and confirmed the new security group was present. After > an hour and half of testing I still cannot access the share when I use the > "-2" group, but no issues when I use the original group. At about 1 hour > and 45 minutes the "-2" group began working. It really looks like I have > some type of cache problem with the groups.This is all weird, why did it start working ???> > RHEL 7.9 which is using an older version of Samba as you might guess: > 4.10.16. I am stuck on this version of RHEL due to app issues in an in > house program that we use Samba to allow specific employees to edit files. >Samba 4.10.16 is EOL from the Samba point of view, so you are unlikely to get that version fixed (if indeed it is a bug), but as you are using RHEL, don't you have a red-hat contract ? If so, it might be time to get them involved. Rowland