Rowland Penny
2023-Jan-29 09:51 UTC
[Samba] Valid Users Does Not Like My AD Group or Syntax
On 28/01/2023 23:57, E R via samba wrote:> I think I may be having an issue with Winbind caching groups longer than > the default of 300 seconds as I have not configured this setting! What > file(s) hold this info? Can I safely delete the file(s)?Winbind caches the data for the time you mention, then queries the DC again, so it is unlikely to be that, but if you must, you can run 'net cache flush' as root, but be aware that it will totally empty the cache.> > As you suggested I increased the logging to 5, removed the "+" and put the > entire setting in quotes: > > valid users = "MYDOMAIN\Samba-www-test" > > I found these log entries curious: > SID MYDOMAIN\Samba-www-test is not in a valid format > MYDOMAIN\Samba-www-test is a Domain Group, expected a userI wonder if +"MYDOMAIN\Samba-www-test" will work> > I changed the valid users back to what I used initially since I was curious > what I would see in the logs: > > valid users = +MYDOMAIN\"samba-www-test" > > I did not find any log entry about being a Domain Group, just this message > I see very often: > SID +MYDOMAIN\samba-www-test is not in a valid format > > But at this point the network drive mapped successfully! I kept reading > last night, but didn't make any changes to the smb.conf file. > > I created a new AD group on the Windows DC with a "-2" in the name and > populated it with my user ID, updated smb.conf with the new name, restarted > smbd and winbind and I am back at the same issue as last night. If I > remove the "-2" and restart things I am able to map and access the share > again. I looked at the Windows domain controller and could not find any > replication errors. I noticed in the logs that Samba seems to use DC #2 so > I connected there and confirmed the new security group was present. After > an hour and half of testing I still cannot access the share when I use the > "-2" group, but no issues when I use the original group. At about 1 hour > and 45 minutes the "-2" group began working. It really looks like I have > some type of cache problem with the groups.This is all weird, why did it start working ???> > RHEL 7.9 which is using an older version of Samba as you might guess: > 4.10.16. I am stuck on this version of RHEL due to app issues in an in > house program that we use Samba to allow specific employees to edit files. >Samba 4.10.16 is EOL from the Samba point of view, so you are unlikely to get that version fixed (if indeed it is a bug), but as you are using RHEL, don't you have a red-hat contract ? If so, it might be time to get them involved. Rowland
I have duplicated the issue with RHEL 8.7 and RHEL 9.1. Sadly, they use the same 4.16.4 version of Samba so my efforts were wasted a bit.>Winbind caches the data for the time you mention, then queries the DC >again, so it is unlikely to be that, but if you must, you can run 'net > cache flush' as root, but be aware that it will totally empty the cacheThis command did not cause any change for me.>I wonder if +"MYDOMAIN\Samba-www-test" will workThis syntax did not change anything.>This is all weird, why did it start working ???As near as I can tell there appears to be some type of caching issue since a newly created Active Directory Security Group (Global and Security settings) is not usable for over an hour but less than 2 hours. I have reviewed logs on Windows Domain Controllers and do not see an issue. I have confirmed that a security group created on one DC is replicated to the others. There may be an issue without our Windows AD configuration that I am not seeing. I do know I cannot use "strong" for the kerberos encryption types setting as I reviewed all the settings in smb.conf documentation in an effort to tighten security. Once the share started working I tested adding an existing user to that security group and I was able to immediately access the share with the other user account on another VM. So changes made to an existing group are seen immediately, but a new group takes some time before Samba can see that the group exists. Real head scratcher! Absent my finding the root cause I am wondering if I should use groups that are local on the Samba server and include the Windows AD account in the groups. On Sun, Jan 29, 2023 at 3:52 AM Rowland Penny via samba < samba at lists.samba.org> wrote:> > > On 28/01/2023 23:57, E R via samba wrote: > > I think I may be having an issue with Winbind caching groups longer than > > the default of 300 seconds as I have not configured this setting! What > > file(s) hold this info? Can I safely delete the file(s)? > > Winbind caches the data for the time you mention, then queries the DC > again, so it is unlikely to be that, but if you must, you can run 'net > cache flush' as root, but be aware that it will totally empty the cache. > > > > > As you suggested I increased the logging to 5, removed the "+" and put > the > > entire setting in quotes: > > > > valid users = "MYDOMAIN\Samba-www-test" > > > > I found these log entries curious: > > SID MYDOMAIN\Samba-www-test is not in a valid format > > MYDOMAIN\Samba-www-test is a Domain Group, expected a user > > I wonder if +"MYDOMAIN\Samba-www-test" will work > > > > I changed the valid users back to what I used initially since I was > curious > > what I would see in the logs: > > > > valid users = +MYDOMAIN\"samba-www-test" > > > > I did not find any log entry about being a Domain Group, just this > message > > I see very often: > > SID +MYDOMAIN\samba-www-test is not in a valid format > > > > But at this point the network drive mapped successfully! I kept reading > > last night, but didn't make any changes to the smb.conf file. > > > > I created a new AD group on the Windows DC with a "-2" in the name and > > populated it with my user ID, updated smb.conf with the new name, > restarted > > smbd and winbind and I am back at the same issue as last night. If I > > remove the "-2" and restart things I am able to map and access the share > > again. I looked at the Windows domain controller and could not find any > > replication errors. I noticed in the logs that Samba seems to use DC #2 > so > > I connected there and confirmed the new security group was present. > After > > an hour and half of testing I still cannot access the share when I use > the > > "-2" group, but no issues when I use the original group. At about 1 hour > > and 45 minutes the "-2" group began working. It really looks like I have > > some type of cache problem with the groups. > > This is all weird, why did it start working ??? > > > > > RHEL 7.9 which is using an older version of Samba as you might guess: > > 4.10.16. I am stuck on this version of RHEL due to app issues in an in > > house program that we use Samba to allow specific employees to edit > files. > > > > Samba 4.10.16 is EOL from the Samba point of view, so you are unlikely > to get that version fixed (if indeed it is a bug), but as you are using > RHEL, don't you have a red-hat contract ? If so, it might be time to get > them involved. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >