Server 2012 DCs vs Samba 3.6
posted by Jean-Francois Panisset on Dec. 18, 2014, 4:40 a.m.

Thread Tags: discuss-at-studiosysadmins

Ran into an interesting issue today: some Windows 7 clients were happy to access a Samba share, others were not. Peering at Samba debug logs showed that the unhappy clients were somehow not passing all of the security group SIDs, and in particular missing the one needed for the permissions on that share.

A bit of googling found references to a new feature since Server 2012 called KDC Resource SID Compression, which apparently Samba 3.6 doesn't support correctly (as well as some other third party implementations, for instance I found some references to a similar issue with NetApp OnTap, since patched). And the unhappy clients were the ones bound to a 2012R2 DC.

The fix suggested in those articles worked: I disabled the feature on the DCs, and right away the problematic Windows 7 clients started being able to access the Samba share. Only slightly tricky part not mentioned in those articles is that the registry key referred to does not actually exist, you have to create it, and some of the path components are weirdly not CamelCased:

http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx
https://lists.samba.org/archive/samba-technical/2013-March/091301.html

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\Kdc\Parameters

JF
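The failure mode described in the post, as an added example that is not part of the original post and is not Samba code: a simplified model of the PAC logon info showing why a consumer that skips the resource group fields loses a group SID once the KDC compresses it. Field and flag names follow MS-PAC; the assumption that the consumer ignores those fields entirely, and all SIDs and RIDs, are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# UserFlags bits from the PAC logon info (MS-PAC KERB_VALIDATION_INFO).
EXTRA_SIDS = 0x0020        # ExtraSids is populated
RESOURCE_GROUPS = 0x0200   # ResourceGroupDomainSid/ResourceGroupIds are populated

@dataclass
class LogonInfo:
    """Decoded subset of KERB_VALIDATION_INFO (constructed model, no NDR parsing)."""
    domain_sid: str
    user_rid: int
    group_rids: List[int]
    user_flags: int = 0
    extra_sids: List[str] = field(default_factory=list)
    resource_domain_sid: Optional[str] = None
    resource_group_rids: List[int] = field(default_factory=list)

def token_sids(info: LogonInfo, expand_resource_groups: bool = True) -> List[str]:
    """Build the SID list a file server would put in the user's token."""
    sids = [f"{info.domain_sid}-{info.user_rid}"]
    sids += [f"{info.domain_sid}-{rid}" for rid in info.group_rids]
    if info.user_flags & EXTRA_SIDS:
        sids += info.extra_sids
    if expand_resource_groups and info.user_flags & RESOURCE_GROUPS:
        if not info.resource_domain_sid:
            raise ValueError("RESOURCE_GROUPS set but no ResourceGroupDomainSid")
        # Compressed form: one domain SID plus RIDs instead of full SIDs.
        sids += [f"{info.resource_domain_sid}-{rid}" for rid in info.resource_group_rids]
    return list(dict.fromkeys(sids))  # de-duplicate, keep order

def dropped_sids(info: LogonInfo) -> List[str]:
    """SIDs lost by a consumer that skips the resource group fields (assumed failure mode)."""
    seen = set(token_sids(info, expand_resource_groups=False))
    return [s for s in token_sids(info) if s not in seen]

# Constructed sample data: same user, same memberships, two KDC behaviours.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SHARE_GROUP = f"{DOM}-1605"  # hypothetical domain-local group on the share ACL
UNCOMPRESSED = LogonInfo(DOM, 1104, [513, 1201], EXTRA_SIDS, extra_sids=[SHARE_GROUP])
COMPRESSED = LogonInfo(DOM, 1104, [513, 1201], RESOURCE_GROUPS,
                       resource_domain_sid=DOM, resource_group_rids=[1605])

if __name__ == "__main__":
    for name, pac in (("uncompressed", UNCOMPRESSED), ("compressed", COMPRESSED)):
        print(name, "dropped by legacy consumer:", dropped_sids(pac))
```

Comparing the group SIDs a server logs for the same user against tickets from different DCs is a quick way to confirm this pattern: the missing entries are the ones that moved into the resource group fields.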