We run Samba (4.3.5) on CentOS 7x64 as an AD domain controller, and we have another CentOS 6x64 server that has been joined to the domain which provides a Samba (also 4.3.5) share to our AD users.

Fairly frequently (nearly every day), and with no clear reason I can ascertain, a random business user will complain: "I cannot access the shared drive"

On investigation I reliably find that, on the Linux server hosting the share, the following is the case:

# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
osdevelopment
domain users
osdirector
ossecurity
dnsadmins
osfinance
oslegal
osvpn


# id problemusername
uid=10010 gid=10001(osdirector) groups=4294967295,10001(osdirector),10013(domain admins),10000(osdevelopment),10004(ossecurity),10005(osvpn),10014(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users)

The groups obviously vary depending on problemusername, but in every case the first group in the list shows up as a non-existant group id of 4294967295

To correct the problem is simple, on the server hosting the share I simply type:

# net cache flush

Immediately re-running

# id problemusername
uid=10010 gid=10001(osdirector) groups=10001(osdirector),10013(domain admins),10000(osdevelopment),10004(ossecurity),10005(osvpn),10014(domain users),2000(BUILTIN\administrators),2001(BUILTIN\users)

ie, the identically list BUT WITHOUT the 4294967295 group, and hey presto problemusernameis again able to access the shared drive.

And so all is fine ....until another random user contacts me and says "I cannot access the shared drive"

Just for interest 4294967295 is not a random number as searching returns the following wikipedia entry https://en.wikipedia.org/wiki/4294967295