Θεόφιλος Ιντζόγλου
2025-Jun-12 08:04 UTC
[Samba] Problem with a leading space on group names
Hi,

I have set up a samba ad dc at the office on a debian linux server (bookworm). The linux workstations (also debian bookworm) that have joined the domain present a peculiar problem where sometimes after the login if you check the groups that the user belongs to using id, some of the groups appear with an extra space in front of the group name which causes problems when trying to authenticate the user with specific services. After a while the problem seems to fix itself and rarely it can reoccur.

Upgrading samba from 4.17 to 4.22 on the workstations doesn't solve the problem, and I wasn't able to find a bug report on bugzilla that would indicate a problem with a specific version of samba.

Login works all the time both from sddm and using ssh.

/etc/samba/smb.conf (on workstations):

    [global]

    workgroup = MYDOMAIN
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d
    server role = member server
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes
    kerberos method = secrets and keytab
    realm = MYDOMAIN.INTERNAL
    template homedir = /home/%D/%U
    template shell = /bin/bash
    security = ads
    idmap config MYDOMAIN : range = 2000000-2999999
    idmap config MYDOMAIN : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind request timeout = 10
    winbind enum groups = yes
    winbind enum users = yes
    apply group policies = yes
    printing = CUPS

Is there a known issue with winbind that could cause such behaviour or is it a misconfiguration on my part?

-- 
()  ascii ribbon campaign - against html mail
/\                        - against microsoft attachments
Θεόφιλος Ιντζόγλου
2025-Aug-11 16:03 UTC
[Samba] Problem with a leading space on group names
Hi all,

I'm replying just in case someone else bumps into the same problem I had with a leading space in front of group names.

The problem occurred because I had an error in the configuration of CUPS where in cupsd.conf I was using:

    Require group "SAMDOM\ Domain Users"

(notice that I had a space in front of the name of the group).

If the winbind cache was empty when cups was started, it would read the group " domain users" and keep it in the cache.

Steps to reproduce:

    # net cache flush
    # systemctl restart winbind
    # id " domain users"
    uid=2000513( domain users) gid=2000513( domain users) ομάδες=2000513( domain users)
    # id user
    uid=2001128(user) gid=2000513( domain users) ομάδες=2000513( domain users),2001128(user),2000512(domain admins),2000572(denied rodc password replication group),10001(BUILTIN\users),10000(BUILTIN\administrators)
    # net cache flush
    # systemctl restart winbind
    # id user
    uid=2001128(user) gid=2000513(domain users) ομάδες=2000513(domain users),2001128(user),2000512(domain admins),2000572(denied rodc password replication group),10001(BUILTIN\users),10000(BUILTIN\administrators)

Should " domain users" (with a leading space) be considered an existing group by winbind or should I file a bug report?

Theofilos Intzoglou

On 12 June 2025, 11:04:19, Θεόφιλος Ιντζόγλου wrote:
> Hi,
>
> I have set up a samba ad dc at the office on a debian linux server
> (bookworm). The linux workstations (also debian bookworm) that have joined
> the domain present a peculiar problem where sometimes after the login if
> you check the groups that the user belongs to using id, some of the groups
> appear with an extra space in front of the group name which causes problems
> when trying to authenticate the user with specific services. After a while
> the problem seems to fix itself and rarely it can reoccur.
>
> Upgrading samba from 4.17 to 4.22 on the workstations doesn't solve the
> problem, and I wasn't able to find a bug report on bugzilla that would
> indicate a problem with a specific version of samba.
>
> Login works all the time both from sddm and using ssh.
>
> /etc/samba/smb.conf (on workstations):
>
> [global]
>
> workgroup = MYDOMAIN
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
> server role = member server
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes
> kerberos method = secrets and keytab
> realm = MYDOMAIN.INTERNAL
> template homedir = /home/%D/%U
> template shell = /bin/bash
> security = ads
> idmap config MYDOMAIN : range = 2000000-2999999
> idmap config MYDOMAIN : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind request timeout = 10
> winbind enum groups = yes
> winbind enum users = yes
> apply group policies = yes
> printing = CUPS
>
>
> Is there a known issue with winbind that could cause such behaviour or is it
> a misconfiguration on my part?
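
A check for the condition described in this thread, added here as an example and not part of the original posts or of Samba or CUPS: it flags id(1) entries whose name carries stray whitespace and quoted names on cupsd.conf Require lines that would produce them. The function names and the cupsd.conf fragment are constructed for illustration; the id lines are abridged from the thread with the locale's label replaced by groups=.

```python
import re

ID_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")      # e.g. 2000513( domain users)
REQUIRE = re.compile(r"^\s*Require\s+(?:group|user)\s+(.*)$", re.I)
QUOTED = re.compile(r"([\"'])(.*?)\1")           # only quoted names can hold spaces

def is_padded(name):
    """True if the name, or the part after DOMAIN\\, starts or ends with whitespace."""
    short = name.rsplit("\\", 1)[-1]
    return name != name.strip() or short != short.strip()

def padded_id_entries(id_output):
    """(id, name) pairs from id(1) output whose name carries stray whitespace."""
    hits = []
    for num, name in ID_ENTRY.findall(id_output):
        if is_padded(name) and (num, name) not in hits:
            hits.append((num, name))
    return hits

def padded_require_names(conf_text):
    """(line number, name) for quoted names on Require lines with stray whitespace."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = REQUIRE.match(line)            # commented-out lines do not match
        if m:
            hits += [(lineno, q[1]) for q in QUOTED.findall(m.group(1))
                     if is_padded(q[1])]
    return hits

# id output abridged from the thread: poisoned cache, then after the cache flush
ID_BAD = ("uid=2001128(user) gid=2000513( domain users) "
          "groups=2000513( domain users),2001128(user),2000512(domain admins)")
ID_OK = ("uid=2001128(user) gid=2000513(domain users) "
         "groups=2000513(domain users),2001128(user),2000512(domain admins)")

# Constructed cupsd.conf fragment; only the first Require line is from the thread
CUPSD = """<Location /admin>
  AuthType Default
  Require group "SAMDOM\\ Domain Users"
  Require group "SAMDOM\\Domain Admins"
</Location>
"""

if __name__ == "__main__":
    for num, name in padded_id_entries(ID_BAD):
        print(f"id: {num} resolves to padded name {name!r}")
    for lineno, name in padded_require_names(CUPSD):
        print(f"cupsd.conf line {lineno}: padded name {name!r}")
```

Run against live data by passing the output of id and the contents of cupsd.conf to the two functions; a hit from the first means the cache should be flushed after the configuration is corrected, as in the steps above.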