Univention Bugzilla – Bug 44114
Windows 2012 fails to lookup domain group in explorer security permissions dialog
Last modified: 2017-03-28 17:52:18 CEST
Created attachment 8668
w2k12_ucs43_group_lookup_fails.png

Windows 2012 (W2k12) client joined against Samba 4.6.1 (UCS 4.2 RC):

Add a group "group1" via UMC, log in as Domain Admin (or user) to the joined W2K12 client and open explorer. Choose any file and right-click on Properties. In the Properties dialog box click the Security tab and click the Add button. Enter the group name in the dialog and click on "Check Names" -> another dialog pops up, saying that the group could not be found. See attached screenshot.

By default the "From this location" field is set to the domain name. Change it by clicking on "Locations ..." and select "Entire Directory". Now, when I click "Check Names" again, the group is found.

I only saw this issue with a W2K12 client. Group resolution worked with Windows 7, 8.1, 10 and W2k8R2.

My domain was a full product test domain with Master, Backup, Slave, Member and Slave-RODC. Even after stopping the Samba processes on all servers but the master and rebooting, the issue was reproducible.
Created attachment 8669
w2k12_ucs42_group_lookup_works.png

Screenshot from working group resolution with Location set to "Entire Domain"

Created attachment 8670
w2k12_ucs42_group_browsing_missing_group1.png

This screenshot shows "group1" is missing in the browse result of Security Tab > Add > Advanced > Search Now

Created attachment 8671
w2k12_ucs42_group_browsing_finding_group1.png

This screenshot shows "group1" is shown in the browse result of Security Tab > Add > Advanced > Search Now when "From this location" is set to "Entire Domain".

Note: I guess that the lookup for "Entire Domain" runs against the global catalog (port 3268).
This issue doesn't happen with the UCS specific group "Backup Join".
Maybe it's an effect of the RODC: Apparently that system doesn't replicate properly. Neither "group1" nor additionally created user or group objects are replicated there (see Bug 44115).
Works again after fixing Bug 44115 locally.