Samba 3.x: members of AD groups defined with scope 'domain local' get NT_STATUS_ACCESS_DENIED
Issue
AD users who are members of groups defined with scope 'domain local' in AD get NT_STATUS_ACCESS_DENIED even when the correct AD group is configured under the "valid users" parameter.
If the infrastructure combines both 2012 AD and AD of previous releases, this occurs only when the clients use the 2012 DC as KDC.
[2016/08/05 14:44:11.239420, 10, pid=4644] passdb/lookup_sid.c:76(lookup_name)
lookup_name: DOMAIN\ADgroup => domain=[DOMAIN], name=[ADGroup]
[2016/08/05 14:44:11.239445, 10, pid=4644] passdb/lookup_sid.c:77(lookup_name)
lookup_name: flags = 0x077
[2016/08/05 14:44:11.239854, 10, pid=4644] smbd/share_access.c:219(user_ok_token)
User 'DOMAIN/ADuser' not in 'valid users'
[2016/08/05 14:44:11.239884, 2, pid=4644] smbd/service.c:627(create_connection_session_info)
user 'DOMAIN/ADuser' (from session setup) not permitted to access this share (Samba_Share)
[2016/08/05 14:44:11.239910, 1, pid=4644] smbd/service.c:805(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
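The denial sequence in the excerpt above (name lookup, 'valid users' miss, share refusal, NT_STATUS_ACCESS_DENIED) can be extracted mechanically when many connections have to be triaged. The Python parser below is an added example, not part of the original article or of Samba; it assumes the log header layout is exactly the one shown in the excerpt, and the function name and record keys are illustrative.

```python
import re

# Constructed sample input: the smbd debug log excerpt shown on this page.
SAMPLE_LOG = r"""
[2016/08/05 14:44:11.239420, 10, pid=4644] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: DOMAIN\ADgroup => domain=[DOMAIN], name=[ADGroup]
[2016/08/05 14:44:11.239445, 10, pid=4644] passdb/lookup_sid.c:77(lookup_name)
  lookup_name: flags = 0x077
[2016/08/05 14:44:11.239854, 10, pid=4644] smbd/share_access.c:219(user_ok_token)
  User 'DOMAIN/ADuser' not in 'valid users'
[2016/08/05 14:44:11.239884, 2, pid=4644] smbd/service.c:627(create_connection_session_info)
  user 'DOMAIN/ADuser' (from session setup) not permitted to access this share (Samba_Share)
[2016/08/05 14:44:11.239910, 1, pid=4644] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
"""

# Assumed header layout, as in the excerpt: [time, level, pid=N] file:line(function)
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+, pid=(\d+)\] \S+?:\d+\((\w+)\)$")
LOOKUP = re.compile(r"^lookup_name: (\S+) => domain=")
NOT_VALID = re.compile(r"^User '([^']+)' not in 'valid users'$")
NOT_PERMITTED = re.compile(r"^user '([^']+)' \(from session setup\) not permitted "
                           r"to access this share \(([^)]+)\)$")
FAILED = re.compile(r"^create_connection_session_info failed: (NT_STATUS_\w+)$")

def find_valid_users_denials(log_text):
    """Return one record per connection that the 'valid users' check refused."""
    denials, per_pid, header = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:  # header line: remember timestamp and pid for the message lines below it
            header = {"ts": m.group(1), "pid": m.group(2)}
            continue
        if header is None or not line:
            continue
        # Correlate per pid: smbd 3.x serves each client connection from its own process.
        s = per_pid.setdefault(header["pid"], {"names_looked_up": []})
        if (m := LOOKUP.match(line)):
            s["names_looked_up"].append(m.group(1))
        elif (m := NOT_VALID.match(line)):
            s.update(user=m.group(1), timestamp=header["ts"])
        elif (m := NOT_PERMITTED.match(line)):
            s["share"] = m.group(2)
        elif (m := FAILED.match(line)):
            done = per_pid.pop(header["pid"])
            if "user" in done:  # report only failures preceded by a 'valid users' miss
                denials.append(dict(done, pid=header["pid"], status=m.group(1)))
    return denials
```

Each returned record names the user, the share, and the names smbd resolved while evaluating "valid users", which is the information needed to compare against the group's scope in AD.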
Environment
RHEL 6.x with Samba 3.x
Windows 2012 DC acting as KDC
Under the share definition in smb.conf:
valid users = @DOMAIN\ADgroup
Note: the group is defined with scope 'domain local' in AD.