Bug 11235 - AD group not resolved correctly
Summary: AD group not resolved correctly
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.2.1
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-24 06:56 UTC by Daniele Dario
Modified: 2015-04-24 06:57 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniele Dario 2015-04-24 06:56:03 UTC 
After upgrading from 4.1.14 to 4.2.1 the resolution of some AD groups did not work properly.
The domain had two DCs, one running on a 32 bit VM guest ubuntu server 10.04 and one running on a real host 64 bit with ubuntu server 12.04 wich acts also as file server. Both DCs use internal DNS.
After upgrade, noticed that the access to shares owned by group "ufficio tecnico" by users part of that group where not permitted anymore.
Noticed that winbindd resolved the group name to a SID/GID different than that stated in sam.ldb and than users did not have permissions to connect to the share.
Trying to restart also the 32 bit VM I noticed that the problem appeared also there.
Workaround suggested by Rowland Penny was to add the line
...
   server services = -winbindd + winbind
...
in smb.conf
After doing that both DCs resolved all groups correctly.

Details on this thread
http://samba.2283325.n4.nabble.com/gid-numbers-changed-after-upgrading-from-4-1-14-to-4-2-1-tp4684825.html