[Samba] Domain users are losing their groups after some time.

Benedikt Schindler BeniSchindler at gmx.de
Fri Mar 2 04:39:23 MST 2012


Samba version : 3.6.3
Filesystem :    BTRFS
Clients :       XP, Win7
Log Level :     5


When we start our samba server everything works fine.
After a few days, some of our users are not allowed to connect to shares
anymore. When we restart the clients they can connect for a short time
and then they have the same problem again.

When we restart the server everything works fine for a few days again.
We set the "winbind offline logon = yes" and it slowed down the process,
but didn't stop it.

After a long search I think I found the problem.

The user has "401217" as mapped ID,
and should be in the groups
  400513
  401612
  401609
  401611

But samba just put him into
  400513
  401612
  401611

So samba lost one group. And that's the reason the user is not allowed to
connect to the share, because only the group 401609 has a read permission.

Any ideas how that could happen?


Here is a log of a "failed" login:


[2012/03/02 11:37:52.842978,  5]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (15):
    SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
    SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
    SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
    SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
    SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
    SID[  5]: S-1-1-0
    SID[  6]: S-1-5-2
    SID[  7]: S-1-5-11
    SID[  8]: S-1-22-1-401217
    SID[  9]: S-1-22-2-400513
    SID[ 10]: S-1-22-2-401612
    SID[ 11]: S-1-22-2-401611
    SID[ 12]: S-1-22-2-70000
    SID[ 13]: S-1-22-2-70002
    SID[ 14]: S-1-22-2-70011
   Privileges (0x               0):
   Rights (0x               0):
[2012/03/02 11:37:52.843247,  5]
auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 401217
  Primary group is 400513 and contains 6 supplementary groups
  Group[  0]: 400513
  Group[  1]: 401612
  Group[  2]: 401611
  Group[  3]: 70000
  Group[  4]: 70002
  Group[  5]: 70011
[2012/03/02 11:37:52.843372,  5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,401217), gid=(0,400513)
[2012/03/02 11:37:52.843408,  4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /home/data
[2012/03/02 11:37:52.843443,  4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /home/data
[2012/03/02 11:37:52.843476,  3] smbd/service.c:190(set_current_service)
  chdir (/home/data) failed, reason: Keine Berechtigung
[2012/03/02 11:37:52.843509,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/process.c(1558) cmd=50 (SMBtrans2)
NT_STATUS_ACCESS_DENIED




Configuration parts that are maybe interesting:
smb.conf:


security = ADS

socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
nt acl support = yes
vfs objects = acl_xattr

winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
allow trusted domains = yes

idmap config * : backend     = rid
idmap config * : range       = 70000-99999
idmap config * : base_rid    = 0

idmap config A : backend     = rid
idmap config A : range       = 400000-499999
idmap config A : base_rid    = 0

idmap config B : backend  = rid
idmap config B : range    = 300000-399999
idmap config B : base_rid = 0
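
The comparison made by hand in the post can be automated. This is an added example, not part of the original post or of Samba: it parses the two token dumps from a level-5 log, maps each domain SID to a UNIX id with the idmap_rid formula (ID = RID - base_rid + low end of range), and reports groups present in the security token but absent from the UNIX token. The function names are hypothetical; the SID prefix and range are taken from the log and smb.conf above, and the log text is a trimmed excerpt of the one posted.

```python
import re

# Assumptions: domain SID prefix from the posted log, range and base_rid
# from "idmap config A" in the posted smb.conf.
DOMAIN_SID = "S-1-5-21-1004336348-920026266-682003330"
RANGE_LOW, RANGE_HIGH, BASE_RID = 400000, 499999, 0

# Trimmed excerpt of the level-5 log from the post (SIDs 5-7, 12-14 omitted).
SAMPLE_LOG = """\
  Security token SIDs (15):
    SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
    SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
    SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
    SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
    SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
    SID[  8]: S-1-22-1-401217
    SID[  9]: S-1-22-2-400513
    SID[ 10]: S-1-22-2-401612
    SID[ 11]: S-1-22-2-401611
  UNIX token of user 401217
  Group[  0]: 400513
  Group[  1]: 401612
  Group[  2]: 401611
"""

def rid_to_unix_id(rid):
    """idmap_rid mapping; returns None when the result leaves the range."""
    unix_id = rid - BASE_RID + RANGE_LOW
    return unix_id if RANGE_LOW <= unix_id <= RANGE_HIGH else None

def missing_groups(log_text):
    """Return {expected_gid: sid} for domain SIDs with no matching UNIX group."""
    sids = re.findall(r"SID\[\s*\d+\]:\s*(S-[\d-]+)", log_text)
    unix_groups = {int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log_text)}
    m = re.search(r"UNIX token of user (\d+)", log_text)
    uid = int(m.group(1)) if m else None
    missing = {}
    for sid in sids:
        prefix, _, rid = sid.rpartition("-")
        if prefix != DOMAIN_SID:
            continue  # well-known and S-1-22-* SIDs are not RID-mapped here
        unix_id = rid_to_unix_id(int(rid))
        if unix_id is not None and unix_id != uid and unix_id not in unix_groups:
            missing[unix_id] = sid
    return missing

if __name__ == "__main__":
    for gid, sid in sorted(missing_groups(SAMPLE_LOG).items()):
        print(f"gid {gid} missing from UNIX token (expected from {sid})")
```
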




