Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5533: Samba intermittently not recognizing all AD group memberships

Centrify DirectControl Plugins ,  

12 April,16 at 11:48 AM

Problem:

It is observed on one or more servers with Centrify-Enabled Samba installed that one or more group memberships for AD users are not being recognized when accessing shares.  This is happening seemingly randomly to random users on a server that was working without issue previously.  

After investigating with the AD team it was determined that one or more Windows 2012 DCs were recently deployed in the domain however your Domain Functional Level (DFL) was not modified so they should be compatible with all other DCs running older Windows OS versions.  

Cause:

Windows 2012 has a new feature called "SID compression" which is enabled by default regardless of the DFL level.  SID compression is not supported in open source Samba version 3.6.x which Centrify-Enabled Samba is based on.  


Workaround:

Request your AD team disable SID compression on all Windows 2012 DCs temporarily as per the Microsoft article below:

http://social.technet.microsoft.com/wiki/contents/articles/20886.kdc-resource-sid-compression.aspx

Resolution:
Centrify no longer provides Centrify Enabled Samba. Migrate to stock samba 4.x.

Addition Info:
KB-9002: Windows 2012 SID Compression
KB-1168: DirectControl and DirectAuthorize compatibility with domain and forest functional levels
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.