[Samba] Share won't mount -- how to debug?

Patrick Goetz pgoetz at math.utexas.edu
Wed Nov 3 16:45:10 UTC 2021 

And the dramatic conclusion is that no, it wasn't the conflicting group 
name interfering with the mount:

root at samba-dc:~# samba-tool group listmembers ea-staff
dhales
whughes
mduffy

root at data2:/var/log/samba# ls -ld /data/share
drwxrwx--- 2 root ea-staff 4096 Nov  2 19:15 /data/share


root at data2:/var/log/samba# id mduffy
uid=11103(mduffy) gid=10513(domain users) groups=10513(domain 
users),11103(mduffy),11106(ea-admins),11112(ea-staff),3001(BUILTIN\users)


Same error message logged in /var/samba/log.smbd, I won't repeat it.
The getpwuid(11103) function is failing for some reason.

On 11/3/21 11:32, Patrick Goetz via samba wrote:
> Hi Roland-
> 
> On 11/3/21 11:20, Rowland Penny via samba wrote:
>> On Wed, 2021-11-03 at 10:58 -0500, Patrick Goetz via samba wrote:
>>> Sorry for spamming the list today.
>>>
>>> I'm slowly testing out my new Samba AD network. At the moment I'm
>>> trying
>>> to mount a share on a W10 client from a CMD prompt, and the mount is
>>> failing:
>>>
>>>     net use G: \\data2\share
>>>
>>> I tried a suggestion from Louis to use the FQDN:
>>>
>>>     net use G: \\data2.ea.linuxcs.com\share
>>>
>>> and it still failed, but with a different Windows error
>>> message.  When I
>>> tail -f /var/log/samba/smbd on the fileserver I see
>>>
>>>
>>> ---------------------------
>>> [2021/11/03 10:20:25.088689,  0]
>>> ../../source3/auth/token_util.c:565(add_local_groups)
>>>     add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-
>>> 1103
>>> -> getpwuid(11103) failed, is nsswitch configured?
>>> [2021/11/03 10:20:35.371582,  0]
>>> ../../source3/auth/token_util.c:565(add_local_groups)
>>>     add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-
>>> 1103
>>> -> getpwuid(11103) failed, is nsswitch configured?
>>> [2021/11/03 10:20:35.383936,  0]
>>> ../../source3/auth/token_util.c:565(add_local_groups)
>>>     add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-
>>> 1103
>>> -> getpwuid(11103) failed, is nsswitch configured?
>>> ---------------------------
>>>
>>>
>>> 11103 is the uid of the user I'm trying to connect this share
>>> for.  The
>>> suggestion is that nsswitch.conf isn't configured, but in fact it is:
>>>
>>> root at data2:/etc# cat nsswitch.conf
>>> # /etc/nsswitch.conf
>>> #
>>> # Example configuration of GNU Name Service Switch functionality.
>>> # If you have the `glibc-doc-reference' and `info' packages
>>> installed, try:
>>> # `info libc "Name Service Switch"' for information about this file.
>>>
>>> passwd:         files systemd winbind
>>> group:          files systemd winbind
>>> ...
>>>
>>>
>>>
>>> I know I'm using the correct password, because I used it to log in
>>> on
>>> the W10 client as this user.  Any thoughts on what I should look at
>>> next?
>>>
>>>
>>> Other AD stuff works properly:
>>> root at data2:/etc# getent passwd patrickgoetz
>>> patrickgoetz:*:11104:10513::/home/EA/patrickgoetz:/bin/false
>>> root at data2:/etc# wbinfo -i mduffy
>>> mduffy:*:11103:10513::/home/EA/mduffy:/bin/false
>>>
>>>
>>>
>>> The share has appropriate ACLs set:
>>>
>>> root at data2:/data# ls -ld share
>>> drwxrwx--- 2 root staff 4096 Nov  2 19:15 share
>>
>> The only people that can connect to that share are, the Unix user
>> 'root' and members of the Unix group 'staff'
>> Remember what I said about 'setfacl'
>>
> 
> 
> Maybe this is the problem?  I set up staff as an AD security group, not 
> realizing it's a built in group in /etc/group. But this is likely 
> confusing the system.  The group does ID correctly.  You can tell from 
> the group UID that it's an AD group:
> 
> root at data2:/data# id staff
> uid=11110(staff) gid=11110(staff) groups=11110(staff)
> 
> root at data2:/data# grep staff /etc/group
> staff:x:50:
> 
> OK, let me change the name of the Security Group to see if this resolves 
> the issue.
> 
> 
> 
>>>
>>>
>>> The user is a member of the staff group.
>>
>> Where did you make the user a member of 'staff' and how ?
>>
>>>    I can't get `get-adgroup` or
>>> `get-adgroupmember` to work in PowerShell to demonstrate this;
>>> presumably this has to do with the Windows web interface thing.
>>
>> More likely Windows not having a clue what the Unix group 'staff' is.
>>
>>>
>>>
>>> And here is the resource section from smb.conf:
>>>
>>> [share]
>>>      comment = Share Directory
>>>      path = /data/share
>>>      guest ok = no
>>>      browseable = yes
>>>      writeable = yes
>>>      create mask = 0770
>>>      directory mask = 0770
>>>      follow symlinks = yes
>>
>> Please do not post parts of a smb.conf, without the 'global' part, it
>> hasn't any context (I know you may have posted it previously, but this
>> would mean searching for it and you may have changed it anyway) :-)
>>
>> Rowland
>>
>>
>>
>

More information about the samba mailing list