Bug 11787 - Winbind cannot parse ADS domain local groups when using a Windows 2012 KDC with SID compression enabled.
Summary: Winbind cannot parse ADS domain local groups when using a Windows 2012 KDC wi...
Status: RESOLVED DUPLICATE of bug 11328
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.1.6
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-03-11 11:24 UTC by Riny Meester
Modified: 2016-03-11 13:29 UTC (History)
1 user (show)

See Also:

samba log output 2012 (158.14 KB, text/plain)
2016-03-11 11:24 UTC, Riny Meester
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Riny Meester 2016-03-11 11:24:01 UTC
Created attachment 11909 [details]
samba log output 2012


We have a few samba servers running which are configured as member servers in our Windows2003/2008 domain, and serve a few shares.
The security is established using "valid users = group" in smb.conf.

Recently, a new Windows 2012 domain controller is deployed in the domain.
Since then, sometimes windows clients are unable to connect to those shares using the \\server\share format , they receive an access denied. The problem only occurred when the new 2012 doamin controller was used by kerberos as KDC.
when connecting to \\ip-address\share the problem did not occur.
Also, when specifying Domain global or Domain Universal groups, the problem did not occur.

It turns out the problem is related to the new SID compression technique used by Windows 2012. When we disabled compression the problem was solved.
see the following technet article regarding SID compression:

So it seems winbind does not parse the groups correctly when using KDC's who use SID compression.
Attached you will find a log level 10 samba log output when connecting using a 2012 KDC which fails.
Comment 1 Stefan Metzmacher 2016-03-11 13:29:22 UTC
This is fixed in 4.1.20

*** This bug has been marked as a duplicate of bug 11328 ***