Problem: After upgrading to Centrify Adbindproxy version 5.5.2, any AD groups listed in the valid users list for a share in smb.conf that are not Zone Enabled with a Unix group are not recognized, so users who are members of those groups cannot access the Samba share.
Cause: This is expected behavior. In the Centrify Adbindproxy 5.5.2 release, the way wbinfo behaves was changed to intercept winbindd calls, so that wbinfo will only show zone enabled users and groups. This was done to make the output of the wbinfo and adquery commands show consistent results. Those calls are also used to validate the users and groups in the 'valid users' list.
AD users have to be zone enabled with a Unix Profile and have a valid role (Unix Login or Listed) in order to access the share, so the requirement was made consistent between users and groups. Now groups also have to be zone enabled in order to be used in the 'valid users' list.
Workaround: If you prefer not to Zone Enable your groups with a Unix profile in Access Manager, there is a setting that can be added to the /etc/centrifydc/centrifydc.conf file to disable this new feature:
samba.adbindd.intercept: false
By default, this parameter is true. If it is disabled by changing the setting to false, adbindproxy will not intercept the winbindd lookup calls, and 'wbinfo' and 'valid users' will work as they did previously.
Resolution: Zone Enable any AD groups used in the valid users list for Samba shares in the /etc/samba/smb.conf file with a Unix Profile in Access Manager, in the zone where the machine resides.
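To find the groups this applies to, the following added example (not part of the original article or of Centrify's tooling) parses an smb.conf and reports group entries in 'valid users' that are missing from a supplied set of zone enabled group names. The sample configuration and group set are constructed, and matching on the name after any DOMAIN\ prefix is a simplifying assumption.

```python
import re

# Constructed sample smb.conf for illustration (not from the article).
SAMPLE_SMB_CONF = r"""
[finance]
   path = /srv/finance
   valid users = @fin_users, "@EXAMPLE\Finance Admins" alice

[eng]
   path = /srv/eng
   ; valid users = @old_team
   Valid Users = +eng_team bob
"""

# Constructed stand-in for the zone enabled group names reported on the host.
SAMPLE_ZONE_GROUPS = {"fin_users"}

def groups_in_valid_users(conf_text):
    """Map each share to the group entries (@, + or & prefix) in 'valid users'."""
    found, share = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            share = section.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or " ".join(key.lower().split()) != "valid users":
            continue
        # Entries are separated by spaces or commas; quoted names may hold spaces.
        for token in re.findall(r'"[^"]*"|[^\s,]+', value):
            name = token.strip('"')
            if name[:1] in ("@", "+", "&"):  # group markers; plain names are users
                found.setdefault(share, []).append(name.lstrip("@+&"))
    return found

def groups_needing_zone_profile(conf_text, zone_groups):
    """Return (share, group) pairs whose group is absent from zone_groups."""
    known = {g.lower() for g in zone_groups}
    missing = []
    for share, groups in groups_in_valid_users(conf_text).items():
        for group in groups:
            # Assumption: compare on the name that follows any DOMAIN prefix.
            short = group.split("\\")[-1].lower()
            if short not in known:
                missing.append((share, group))
    return missing
```

On a real host, pass the contents of /etc/samba/smb.conf and the group names reported for the zone the machine is joined to.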
Note: For more information, please see the Release Notes for Adbindproxy 5.5.2.