
KB-5533: Samba intermittently not recognizing all AD group memberships

Centrify DirectControl Plugins

12 April, 16 at 11:48 AM

Applies to:

All versions of Centrify-Enabled Samba on all platforms


On one or more servers with Centrify-Enabled Samba installed, one or more group memberships for AD users are not recognized when accessing shares. This happens seemingly at random, to random users, on a server that previously worked without issue.

After investigating with the AD team, it was determined that one or more Windows 2012 DCs were recently deployed in the domain; however, your Domain Functional Level (DFL) was not modified, so they should be compatible with all other DCs running older Windows OS versions.


Windows 2012 has a new feature called "SID compression", which is enabled by default regardless of the DFL. SID compression is not supported in open source Samba version 3.6.x, which Centrify-Enabled Samba is based on.
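
To illustrate why memberships disappear only for some logons, the following added example (not Centrify or Samba code) models the group fields of a Kerberos PAC as described in Microsoft's MS-PAC specification and compares a consumer that reads the resource-group fields with one that does not. The class and function names are hypothetical, all SIDs and RIDs are constructed sample values, and treating the unsupported consumer as one that simply skips those fields is an assumption.

```python
# Simplified model of the group fields in a Kerberos PAC (KERB_VALIDATION_INFO,
# MS-PAC). Names are hypothetical; all SIDs and RIDs are constructed samples.
from dataclasses import dataclass, field

LOGON_RESOURCE_GROUPS = 0x200  # UserFlags bit: resource-group fields are populated


@dataclass
class ValidationInfo:
    logon_domain_sid: str
    group_rids: list                                   # GroupIds: RIDs under LogonDomainId
    extra_sids: list = field(default_factory=list)     # ExtraSids: full SIDs
    user_flags: int = 0
    resource_domain_sid: str = ""                      # ResourceGroupDomainSid
    resource_rids: list = field(default_factory=list)  # ResourceGroupIds


def expand_groups(info, read_resource_groups):
    """Return the set of group SIDs a PAC consumer ends up with."""
    sids = {f"{info.logon_domain_sid}-{rid}" for rid in info.group_rids}
    sids.update(info.extra_sids)
    if read_resource_groups and info.user_flags & LOGON_RESOURCE_GROUPS:
        sids.update(f"{info.resource_domain_sid}-{rid}" for rid in info.resource_rids)
    return sids


def missing_groups(info):
    """Groups lost by a consumer that ignores the resource-group fields."""
    return expand_groups(info, True) - expand_groups(info, False)


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample SID

# Ticket from a DC without SID compression: domain-local groups are full SIDs in ExtraSids.
uncompressed = ValidationInfo(DOMAIN, [513, 1105],
                              extra_sids=[f"{DOMAIN}-1201", f"{DOMAIN}-1202"])

# Same user, ticket from a DC with SID compression: the same groups are sent as RIDs.
compressed = ValidationInfo(DOMAIN, [513, 1105], user_flags=LOGON_RESOURCE_GROUPS,
                            resource_domain_sid=DOMAIN, resource_rids=[1201, 1202])

if __name__ == "__main__":
    for name, pac in (("uncompressed", uncompressed), ("compressed", compressed)):
        print(name, "-> lost by legacy consumer:", sorted(missing_groups(pac)))
```

In this model the same user keeps every group when the ticket carries full SIDs and loses the two resource groups when the ticket carries them in compressed form.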


Ask your AD team to temporarily disable SID compression on all Windows 2012 DCs, as per the Microsoft article below:


This will be resolved in an upcoming release of Centrify-Enabled Samba that will be based on open source Samba 4.x, which supports SID compression.