The Samba-Bugzilla – Bug 11787
Winbind cannot parse ADS domain local groups when using a Windows 2012 KDC with SID compression enabled.
Last modified: 2016-03-11 13:29:22 UTC
Created attachment 11909
samba log output 2012
We have a few Samba servers running which are configured as member servers in our Windows 2003/2008 domain, and serve a few shares.
The security is established using "valid users = group" in smb.conf.
Recently, a new Windows 2012 domain controller was deployed in the domain.
Since then, sometimes Windows clients are unable to connect to those shares using the \\server\share format; they receive an access denied. The problem only occurred when the new 2012 domain controller was used by Kerberos as the KDC.
When connecting to \\ip-address\share the problem did not occur.
Also, when specifying Domain Global or Domain Universal groups, the problem did not occur.
It turns out the problem is related to the new SID compression technique used by Windows 2012. When we disabled compression the problem was solved.
See the following TechNet article regarding SID compression:
So it seems winbind does not parse the groups correctly when using KDCs that use SID compression.
Attached you will find a log level 10 samba log output when connecting using a 2012 KDC which fails.
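To make the failure mode in the report concrete, here is an added illustration (not Samba's winbind code and not from the reporter) of what "SID compression" changes for a PAC consumer. In MS-PAC, the KERB_VALIDATION_INFO buffer carries the user's groups as RIDs relative to the logon domain (GroupIds) plus full SIDs (ExtraSids); a Windows 2012 KDC can additionally deliver domain-local groups of the resource domain compressed as one ResourceGroupDomainSid and an array of RIDs (ResourceGroupIds), flagged in UserFlags. A parser that only reads GroupIds and ExtraSids never sees the domain-local group named in `valid users`, so the client is denied even though it is a member. The PAC below is a constructed dictionary that models that buffer with string SIDs; the SIDs, RIDs and the `honour_resource_groups` switch are assumptions for the example.

```python
"""Model of Kerberos PAC group extraction with and without resource-group
("SID compression") support. Constructed example, not Samba's winbind code.
"""
import re

# MS-PAC UserFlags bit: "ResourceGroupIds field is populated".
USERFLAG_RESOURCE_GROUPS = 0x00000200

# Textual SID: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def validate_sid(sid: str) -> str:
    """Reject anything that is not a well-formed textual SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    return sid


def expand_rids(domain_sid: str, rids) -> list:
    """Turn a domain SID plus relative IDs into full group SIDs."""
    base = validate_sid(domain_sid)
    return [f"{base}-{int(rid)}" for rid in rids]


def group_sids_from_pac(info: dict, honour_resource_groups: bool = True) -> list:
    """Collect every group SID a KERB_VALIDATION_INFO-like record asserts.

    honour_resource_groups=False models a consumer that predates resource
    group compression and ignores the ResourceGroup* fields entirely.
    """
    groups = expand_rids(info["LogonDomainId"], info["GroupIds"])
    groups += [validate_sid(s) for s in info.get("ExtraSids", [])]
    if honour_resource_groups and info["UserFlags"] & USERFLAG_RESOURCE_GROUPS:
        # Domain-local groups of the resource domain arrive compressed:
        # one domain SID and a list of RIDs instead of one full SID each.
        groups += expand_rids(info["ResourceGroupDomainSid"],
                              info["ResourceGroupIds"])
    return groups


def access_allowed(group_sids, valid_group_sid: str) -> bool:
    """Equivalent of a 'valid users = group' check on a resolved group SID."""
    return validate_sid(valid_group_sid) in group_sids


# Constructed PAC: the user is in a global group (RID 513, Domain Users) and
# in the domain-local group "share-users" (assumed RID 1105), which the KDC
# only delivers in compressed form under ResourceGroupIds.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SHARE_GROUP_SID = f"{DOMAIN_SID}-1105"
CONSTRUCTED_PAC = {
    "UserFlags": USERFLAG_RESOURCE_GROUPS,
    "LogonDomainId": DOMAIN_SID,
    "GroupIds": [513],
    "ExtraSids": ["S-1-5-11"],          # Authenticated Users
    "ResourceGroupDomainSid": DOMAIN_SID,
    "ResourceGroupIds": [1105],
}


def compare_parsers(info: dict, valid_group_sid: str) -> dict:
    """Return the access decision of a legacy and a compression-aware parser."""
    legacy = group_sids_from_pac(info, honour_resource_groups=False)
    full = group_sids_from_pac(info)
    return {
        "legacy_allowed": access_allowed(legacy, valid_group_sid),
        "full_allowed": access_allowed(full, valid_group_sid),
        "missing_from_legacy": sorted(set(full) - set(legacy)),
    }


if __name__ == "__main__":
    print(compare_parsers(CONSTRUCTED_PAC, SHARE_GROUP_SID))
```

Running the comparison shows the legacy parser denying access while the compression-aware one grants it; the only difference between the two group lists is the expanded domain-local group, which matches the report's observation that global and universal groups (delivered via GroupIds) kept working while domain-local groups did not.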
This is fixed in 4.1.20
*** This bug has been marked as a duplicate of bug 11328 ***