
KB-28615: AD groups that are not zone enabled can no longer be used in the samba share setting valid users

Authentication Service

15 April,20 at 09:15 AM

Problem:

After upgrading to Centrify Adbindproxy version 5.5.2, AD groups listed in the 'valid users' list for a share in smb.conf are no longer recognized unless they are Zone Enabled with a Unix group. Users who are members of those groups are then unable to access the samba share.


Cause:

This is expected behavior. In the Centrify Adbindproxy 5.5.2 release, the behavior of wbinfo was changed: winbindd calls are now intercepted so that wbinfo shows only zone enabled users and groups. This was done to make the output of the wbinfo and adquery commands consistent. Those same calls are also used to validate the users and groups in the 'valid users' list.

AD users have to be zone enabled with a Unix Profile and have a valid role (Unix Login or Listed) in order to access the share, so the requirement was made consistent between users and groups.

Now groups also have to be zone enabled in order to be used in 'valid users' list.


Workaround:

If you prefer not to Zone Enable your groups with a Unix profile in Access Manager, a setting can be added to the /etc/centrifydc/centrifydc.conf file to disable this new feature.
 
samba.adbindd.intercept: false

By default, this parameter is true.

If it is disabled by changing the setting to false, adbindproxy will not intercept the winbindd lookup calls, and 'wbinfo' and 'valid users' will work as they did previously.


Resolution:

Zone Enable any AD groups used in the 'valid users' list for samba shares in the /etc/samba/smb.conf file, giving each a Unix Profile in Access Manager in the zone where the machine resides.
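
To find which groups the Resolution applies to, the following added example (not Centrify code) lists every group named in a 'valid users' line and reports the ones a lookup command cannot resolve. The function names and sample file are constructed for illustration, and the default lookup assumes that "adquery group NAME" exits non-zero for a group with no profile in the zone.

```shell
# Added example (not vendor code): audit 'valid users' groups in smb.conf.
# Print "share<TAB>group" per @group, +group or &group entry ($1 or stdin).
list_valid_users_groups() {
    awk '
        BEGIN { share = "(none)" }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[.*\]/ {                           # [share] header
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            next
        }
        tolower($0) ~ /^[ \t]*valid[ \t]*users[ \t]*=/ {
            list = $0
            sub(/^[^=]*=[ \t]*/, "", list)
            # entries are split on spaces or commas; quoted names may hold spaces
            while (match(list, /([^ \t,"]|"[^"]*")+/)) {
                tok = substr(list, RSTART, RLENGTH)
                list = substr(list, RSTART + RLENGTH)
                gsub(/"/, "", tok)
                if (tok ~ /^[@+&]/) {
                    sub(/^[@+&]+/, "", tok)
                    printf "%s\t%s\n", share, tok
                }
            }
        }
    ' "${1:--}"
}
# Print entries the lookup command cannot resolve: $1 = smb.conf path,
# remaining arguments = lookup command. Assumption: the default,
# "adquery group NAME", exits non-zero when NAME has no zone profile.
unresolved_groups() {
    conf=$1; shift
    [ "$#" -gt 0 ] || set -- adquery group
    list_valid_users_groups "$conf" |
    while IFS="$(printf '\t')" read -r share group; do
        "$@" "$group" >/dev/null 2>&1 </dev/null || printf '%s\t%s\n' "$share" "$group"
    done
}
# Constructed sample smb.conf for trying the parser offline.
sample_conf() {
    cat <<'EOF'
[finance]
   valid users = alice, @fin_admins +"EXAMPLE\Finance Users"
[public]
   ; valid users = @ignored
   Valid Users = bob &auditors
EOF
}
sample_conf | list_valid_users_groups
```

On a joined machine, `unresolved_groups /etc/samba/smb.conf` prints the share and group pairs that still need a Unix Profile; the parser reads a single file and does not follow include directives or line continuations.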


Note:

For more information, please see the Release Notes for Adbindproxy 5.5.2.