Samba update breaks AD authentication

We’ve got a Samba server running on CentOS 6.7. As part of the CentOS 6.7 upgrade, new Samba packages were also installed. The packages were specifically:

  • samba-common-3.6.23-20.el6.x86_64
  • samba-winbind-clients-3.6.23-20.el6.x86_64
  • samba-client-3.6.23-20.el6.x86_64
  • samba4-libs-4.0.0-66.el6_6.rc4.x86_64
  • samba-winbind-3.6.23-20.el6.x86_64
  • samba-3.6.23-20.el6.x86_64

Our Samba server is tied into a Windows 2003 Domain and we use groups to provide access to the shares on the CentOS server. It had also been running perfectly fine for months to years.

After the upgrade and a restart of Samba, users started receiving the following error when trying to access the share:

The group name could not be found.

or

“<SHARE NAME> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The group name could not be found”

After a significant amount of troubleshooting, reading and re-reading of the patch notes for this Samba update (https://rhn.redhat.com/errata/RHBA-2015-1383.html) I kept getting stuck on this:

* When the “winbind use default domain = yes” setting was used in combination with the “force user = AD_user_name” setting in the /etc/samba/smb.conf file, the AD domain user specified in the “force user” attribute could not access the share. With this update, setting “winbind use default domain = yes” no longer prevents the AD domain user from accessing the share in the described situation. (BZ#1201611)

In our configuration we have “winbind use default domain = yes” set AND we use “force user =”. The only difference is that we weren’t using “force user = <Domain User>”; we were using “force user = <Local User>”.

I commented out the line “winbind use default domain = yes” in ‘/etc/samba/smb.conf’, restarted Samba and the problem was resolved.

This issue caused both domain logins to fail AND logins with local credentials.
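To find which shares combine the two settings before rolling this update out, the check below lists every share that has “force user” set while “winbind use default domain” is enabled in [global]. It is an added example, not code from this post or from the Samba project, and it goes slightly beyond the case above by also treating a “force user” set in [global] as the default for every share; the share and user names in the sample are hypothetical.

```python
import re
TRUE = {"yes", "true", "on", "1"}  # spellings smb.conf accepts for a true boolean

def norm(name):  # parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_at_risk(text):
    """List (share, force_user) pairs when 'winbind use default domain' is on."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("winbindusedefaultdomain", "no").lower() not in TRUE:
        return []
    hits = []
    for name, params in conf.items():
        user = params.get("forceuser", glob.get("forceuser"))  # [global] sets share defaults
        if name != "global" and user:
            hits.append((name, user))
    return hits

# Constructed sample, not the configuration from the post; names are hypothetical.
SAMPLE = """
[global]
   Winbind Use Default Domain = Yes
[projects]
   force user = svc_local
[scratch]
;  force user = nobody
"""

if __name__ == "__main__":
    for share, user in shares_at_risk(SAMPLE):
        print(f"[{share}] force user = {user}")
```

Run it against the text of /etc/samba/smb.conf and test access to each listed share on a staging host before and after the package update.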

2 thoughts on “Samba update breaks AD authentication”

  1. We encountered a similar problem when deploying patch samba-3.6.23-20.el6.x86_64 on an RHEL 6.7 system.

    After this update, the existing smbuser ‘oracle’ was not accepted anymore, we were only able to have user ‘root’ mount a samba share.

    Also, new files put in the samba had a seemingly random owner assigned to them.

    Downgrading to version samba-3.6.23-14.el6_6.x86_64 solved the problem.

     
