[Samba] Domain users are losing their groups after some time.

Dale Schroeder dale at BriannasSaladDressing.com
Fri Mar 2 11:59:32 MST 2012


On 03/02/2012 5:39 AM, Benedikt Schindler wrote:
> Samba version : 3.6.3
> Filesystem :    BTRFS
> Clients :       XP, Win7
> Log Level :     5
>
>
> When we start our samba server everything works fine.
> After a few days, some of our users are not allowed to connect to shares
> anymore. When we restart the clients they can connect for a short time
> and then they have the same problem again.
>
> When we restart the server everything works fine for a few days again.
> We set the "winbind offline logon = yes" and it slowed down the process,
> but didn't stop it.
>
> After a long search I think I found the problem.
>
> The user has "401217" as mapped ID,
> and should be in the groups
>    400513
>    401612
>    401609
>    401611
>
> But samba just put him into
>    400513
>    401612
>    401611
>
> So samba lost one group. And that's the reason the user is not allowed to
> connect to the share, because only the group 401609 has a read permission.
>
> Any ideas how that could happen?
>
>
> Here is a log of a "failed" login:
>
>
> [2012/03/02 11:37:52.842978,  5]
> ../libcli/security/security_token.c:63(security_token_debug)
>    Security token SIDs (15):
>      SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
>      SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
>      SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
>      SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
>      SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
>      SID[  5]: S-1-1-0
>      SID[  6]: S-1-5-2
>      SID[  7]: S-1-5-11
>      SID[  8]: S-1-22-1-401217
>      SID[  9]: S-1-22-2-400513
>      SID[ 10]: S-1-22-2-401612
>      SID[ 11]: S-1-22-2-401611
>      SID[ 12]: S-1-22-2-70000
>      SID[ 13]: S-1-22-2-70002
>      SID[ 14]: S-1-22-2-70011
>     Privileges (0x               0):
>     Rights (0x               0):
> [2012/03/02 11:37:52.843247,  5]
> auth/token_util.c:527(debug_unix_user_token)
>    UNIX token of user 401217
>    Primary group is 400513 and contains 6 supplementary groups
>    Group[  0]: 400513
>    Group[  1]: 401612
>    Group[  2]: 401611
>    Group[  3]: 70000
>    Group[  4]: 70002
>    Group[  5]: 70011
> [2012/03/02 11:37:52.843372,  5] smbd/uid.c:317(change_to_user_internal)
>    Impersonated user: uid=(0,401217), gid=(0,400513)
> [2012/03/02 11:37:52.843408,  4] smbd/vfs.c:780(vfs_ChDir)
>    vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843443,  4] smbd/vfs.c:780(vfs_ChDir)
>    vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843476,  3] smbd/service.c:190(set_current_service)
>    chdir (/home/data) failed, reason: Keine Berechtigung
> [2012/03/02 11:37:52.843509,  3] smbd/error.c:81(error_packet_set)
>    error packet at smbd/process.c(1558) cmd=50 (SMBtrans2)
> NT_STATUS_ACCESS_DENIED
>
>
>
>
> Configuration parts that may be interesting:
> smb.conf:
>
>
> security = ADS
>
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> nt acl support = yes
> vfs objects = acl_xattr
>
> winbind enum users = yes
>          winbind enum groups = yes
>          winbind offline logon = yes
>          allow trusted domains = yes
>
>          idmap config * : backend     = rid
>          idmap config * : range       = 70000-99999
>          idmap config * : base_rid    = 0
>
>          idmap config A : backend     = rid
>          idmap config A : range       = 400000-499999
>          idmap config A : base_rid    = 0
>
>          idmap config B : backend  = rid
>          idmap config B : range    = 300000-399999
>          idmap config B : base_rid = 0

Benedikt,

Check this bug - https://bugzilla.samba.org/show_bug.cgi?id=8676 - to 
see if any of these symptoms match those of your systems when the group 
loss happens.

Dale
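
To confirm the symptom from a level 5 log before comparing it against the bug report, the check below compares the domain group SIDs in the security token with the gids in the UNIX token. It is an added example, not part of the original messages or of Samba, and it assumes the domain SID in the log belongs to the domain configured as "idmap config A" (rid backend, range 400000-499999, base_rid 0); the log excerpt is abridged from the one quoted above.

```python
import re

# Constructed sample: abridged from the log quoted in the post.
SAMPLE_LOG = """\
   Security token SIDs (15):
     SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
     SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
     SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
     SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
     SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
     SID[  5]: S-1-1-0
     SID[  9]: S-1-22-2-400513
   UNIX token of user 401217
   Primary group is 400513 and contains 6 supplementary groups
   Group[  0]: 400513
   Group[  1]: 401612
   Group[  2]: 401611
   Group[  3]: 70000
"""

DOMAIN_SID = "S-1-5-21-1004336348-920026266-682003330"
RANGE_LOW, BASE_RID = 400000, 0  # assumption: "idmap config A" from the post

def rid_to_unix_id(rid, low=RANGE_LOW, base_rid=BASE_RID):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low

def parse_tokens(log):
    """Return (domain RIDs in the security token, UNIX uid, UNIX gids)."""
    rids, uid, gids = [], None, set()
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"SID\[\s*\d+\]:\s+(S-[\d-]+)$", line):
            if m.group(1).startswith(DOMAIN_SID + "-"):
                rids.append(int(m.group(1).rsplit("-", 1)[1]))
        elif m := re.match(r"UNIX token of user (\d+)$", line):
            uid = int(m.group(1))
        elif m := re.match(r"Group\[\s*\d+\]:\s+(\d+)$", line):
            gids.add(int(m.group(1)))
    return rids, uid, gids

def missing_groups(log):
    """Gids implied by the domain SIDs but absent from the UNIX token."""
    rids, uid, gids = parse_tokens(log)
    expected = {rid_to_unix_id(r) for r in rids}
    expected.discard(uid)  # the user's own SID maps to the uid, not a gid
    return sorted(expected - gids)

if __name__ == "__main__":
    print("groups missing from UNIX token:", missing_groups(SAMPLE_LOG))
```

An empty result on a log taken right after a restart, and a non-empty one once access starts failing, pins the problem on the SID-to-gid step rather than on the share ACLs.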


