Bug 1255250 - force group not working when winbind use default domain = true
Summary: force group not working when winbind use default domain = true
Keywords:
Status: CLOSED DUPLICATE of bug 1252180
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba
Version: 6.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-20 06:39 UTC by Shane
Modified: 2015-08-27 22:24 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-20 09:37:55 UTC
Target Upstream Version:
Embargoed:



Description Shane 2015-08-20 06:39:38 UTC
Description of problem:
Since updating to the latest Samba (from RHEL 6.6 to 6.7) at time of writing, Samba shares can no longer be accessed from a Windows guest using Active Directory credentials if "winbind use default domain = true" is set along with the share-specific settings "force user = admin" and "force group = admin". Samba is set up with security = ads, using Kerberos auth, and wbinfo shows all things to be as they should.

Either disabling "force group" on the share or setting "winbind use default domain = false" resolves the issue and the share can be accessed. Obviously this isn't ideal.

The error presented on the Windows client is: "The specified group does not exist.". No errors are shown in /var/log/messages, nor any in the Samba log files with default logging levels set.

In this case, 'admin' is a local user/group (no. 501 for both) account. Nsswitch (probably isn't relevant) has the correct ordering of files before winbind.

Before updating to this newer Samba (admittedly lots of other RPMs were also updated as part of a transition to 6.7, so I can't be 100% sure it's Samba specific) everything was peachy.

Version-Release number of selected component (if applicable):
samba-3.6.23-20.el6.x86_64

How reproducible:
Every time, on multiple servers

Steps to Reproduce:
1. Setup AD, Kerberos, winbind integration
2. set security = ads, winbind use default domain = true in smb.conf
3. set share-specific options valid users = @"DOMAIN\ad_group", force user = admin and force group = admin

Actual results:
Windows client fails to access the share with the error "The specified group does not exist."

Expected results:
Access to the share should be granted.

Additional info:

Comment 2 Andreas Schneider 2015-08-20 09:37:55 UTC

*** This bug has been marked as a duplicate of bug 1252180 ***

Comment 3 Shane 2015-08-21 03:54:26 UTC
Because the referred bug is internal to Red Hat and therefore inaccessible to me, I'll add some additional notes here in case they haven't been identified in bug 1252180.

It seems as if "force group" can no longer reference the name of a group that matches a username. For example, "force group = builder" works, whereas "force group = bob" does not because there is a user named "bob", even though there is also an associated group named "bob" and thus it should be ok.

The problem occurs in the opposite fashion with "force user", where if "force user = webdev" is set and there is an AD Security Group called "webdev", the share cannot be accessed.

Comment 4 Andreas Schneider 2015-08-24 15:57:20 UTC
The upstream bug fixing the issue is:

https://bugzilla.samba.org/show_bug.cgi?id=11320

Comment 5 Dietrich Streifert 2015-08-27 08:51:46 UTC
As a workaround for our use case, with the local user and group apache, we used the local domain prefix "Unix Group" to work around the bug. So we changed the share configuration from

    force group = apache

to

    force group = Unix Group\apache

Note that the separator (here backslash) is configurable. You can use wbinfo --separator to get the value for your installation.

While waiting for the fix ....

Comment 6 Shane 2015-08-27 22:24:21 UTC
Thanks Dietrich, that's great. I was hoping it would be that easy, but could not find the correct prefix to use.


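The workaround in comment 5 is easy to get wrong by hand (the separator is per-installation, and the collision only bites for a local group whose name is also a user name, as comment 3 observes). The following script is an added example, not code from the bug report, Red Hat or the Samba project: it audits the "force group" directives of an smb.conf against local passwd/group data and prints the rewritten "Unix Group" form for the shares that need it. The smb.conf, passwd and group contents are constructed for the demonstration; the separator is read from `wbinfo --separator` when that works on the host and otherwise defaults to the backslash. The reverse collision from comment 3 ("force user" matching an AD group) needs a winbind lookup and is not checked here.

```shell
#!/bin/sh
# Added example (not from the bug report, Red Hat or Samba): flag
# "force group = NAME" directives that hit the collision described in this
# bug (NAME is a local group and also a user name, with
# "winbind use default domain = true") and print the "Unix Group" form from
# comment 5. Sample smb.conf, passwd and group data below are constructed.

SAMPLE_SMB_CONF='[global]
   security = ads
   winbind use default domain = true

[webroot]
   path = /srv/www
   valid users = @"EXAMPLE\webdevs"
   force user = admin
   force group = admin

[builds]
   path = /srv/builds
   force group = builder
'

# Constructed local account data: "admin" is both a user and a group
# (uid/gid 501, as in the report); "builder" exists only as a group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
'
SAMPLE_GROUP='root:x:0:
admin:x:501:
builder:x:502:
'

# winbind_separator: ask wbinfo when it is usable (joined host, winbind
# running); otherwise fall back to the default backslash.
winbind_separator() {
    if command -v wbinfo >/dev/null 2>&1 && sep=$(wbinfo --separator 2>/dev/null) && [ -n "$sep" ]; then
        printf '%s' "$sep"
    else
        printf '\\'
    fi
}

# is_local_user NAME PASSWD_DATA / is_local_group NAME GROUP_DATA
is_local_user()  { printf '%s' "$2" | grep -q "^$1:"; }
is_local_group() { printf '%s' "$2" | grep -q "^$1:"; }

# default_domain_enabled SMB_CONF: succeeds if "winbind use default domain" is on
default_domain_enabled() {
    printf '%s' "$1" | grep -Eiq '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$'
}

# list_force_groups SMB_CONF: prints one "SHARE GROUP" pair per force group directive
list_force_groups() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            sub(/^[[:space:]]*\[/, ""); sub(/\][[:space:]]*$/, ""); share = $0; next
        }
        tolower($0) ~ /^[[:space:]]*force group[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, "")
            print share, $0
        }'
}

# workaround_line GROUP SEP: the directive in the form given in comment 5
workaround_line() {
    printf 'force group = Unix Group%s%s\n' "$2" "$1"
}

# audit_force_groups SMB_CONF PASSWD_DATA GROUP_DATA [SEP]: one verdict per share.
# printf is used instead of echo because some shells' echo would interpret
# the "\a" in "Unix Group\admin" as an escape sequence.
audit_force_groups() {
    conf=$1; passwd=$2; group=$3; sep=$4
    [ -n "$sep" ] || sep='\'
    if ! default_domain_enabled "$conf"; then
        printf '%s\n' "winbind use default domain is off; the collision does not apply"
        return 0
    fi
    list_force_groups "$conf" | while read -r share name; do
        case $name in
            *"$sep"*) printf '%s\n' "$share: $name is already domain-qualified"; continue ;;
        esac
        if ! is_local_group "$name" "$group"; then
            printf '%s\n' "$share: $name is not a local group (domain group or typo?)"
        elif is_local_user "$name" "$passwd"; then
            printf '%s\n' "$share: '$name' is also a user name; use: $(workaround_line "$name" "$sep")"
        else
            printf '%s\n' "$share: $name ok"
        fi
    done
}

audit_force_groups "$SAMPLE_SMB_CONF" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$(winbind_separator)"
```

Run as is, it reports the `[webroot]` share (admin is both user and group) and suggests `force group = Unix Group\admin`, while `[builds]` passes. To audit a real server, substitute `$(cat /etc/samba/smb.conf)`, `$(getent passwd)` and `$(getent group)` for the sample data; since the passwd and group data can come from winbind via nsswitch, the check then covers whatever the local resolver sees, not only /etc files.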