[Samba] Domain users are losing their groups after some time.
Dale Schroeder
dale at BriannasSaladDressing.com
Fri Mar 2 11:59:32 MST 2012
On 03/02/2012 5:39 AM, Benedikt Schindler wrote:
> Samba version : 3.6.3
> Filesystem : BTRFS
> Clients : XP, Win7
> Log Level : 5
>
>
> When we start our samba server everything works fine.
> After a few days, some of our users are not allowed to connect to shares
> anymore. When we restart the clients they can connect for a short time
> and then they have the same problem again.
>
> When we restart the server everything works fine for a few days again.
> We set the "winbind offline logon = yes" and it slowed down the process,
> but didn't stop it.
>
> After a long search I think I found the problem.
>
> The user has "401217" as mapped ID,
> and should be in the groups
> 400513
> 401612
> 401609
> 401611
>
> But samba just put him into
> 400513
> 401612
> 401611
>
> So samba lost one group. And that's the reason the user is not allowed to
> connect to the share, because only the group 401609 has a read permission.
>
> Any ideas how that could happen?
>
>
> Here is a log of a "failed" login:
>
>
> [2012/03/02 11:37:52.842978, 5]
> ../libcli/security/security_token.c:63(security_token_debug)
> Security token SIDs (15):
> SID[ 0]: S-1-5-21-1004336348-920026266-682003330-1217
> SID[ 1]: S-1-5-21-1004336348-920026266-682003330-513
> SID[ 2]: S-1-5-21-1004336348-920026266-682003330-1612
> SID[ 3]: S-1-5-21-1004336348-920026266-682003330-1609
> SID[ 4]: S-1-5-21-1004336348-920026266-682003330-1611
> SID[ 5]: S-1-1-0
> SID[ 6]: S-1-5-2
> SID[ 7]: S-1-5-11
> SID[ 8]: S-1-22-1-401217
> SID[ 9]: S-1-22-2-400513
> SID[ 10]: S-1-22-2-401612
> SID[ 11]: S-1-22-2-401611
> SID[ 12]: S-1-22-2-70000
> SID[ 13]: S-1-22-2-70002
> SID[ 14]: S-1-22-2-70011
> Privileges (0x 0):
> Rights (0x 0):
> [2012/03/02 11:37:52.843247, 5]
> auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 401217
> Primary group is 400513 and contains 6 supplementary groups
> Group[ 0]: 400513
> Group[ 1]: 401612
> Group[ 2]: 401611
> Group[ 3]: 70000
> Group[ 4]: 70002
> Group[ 5]: 70011
> [2012/03/02 11:37:52.843372, 5] smbd/uid.c:317(change_to_user_internal)
> Impersonated user: uid=(0,401217), gid=(0,400513)
> [2012/03/02 11:37:52.843408, 4] smbd/vfs.c:780(vfs_ChDir)
> vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843443, 4] smbd/vfs.c:780(vfs_ChDir)
> vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843476, 3] smbd/service.c:190(set_current_service)
> chdir (/home/data) failed, reason: Keine Berechtigung
> [2012/03/02 11:37:52.843509, 3] smbd/error.c:81(error_packet_set)
> error packet at smbd/process.c(1558) cmd=50 (SMBtrans2)
> NT_STATUS_ACCESS_DENIED
>
>
>
>
> Configuration parts that are maybe interesting:
> smb.conf:
>
>
> security = ADS
>
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> nt acl support = yes
> vfs objects = acl_xattr
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
> allow trusted domains = yes
>
> idmap config * : backend = rid
> idmap config * : range = 70000-99999
> idmap config * : base_rid = 0
>
> idmap config A : backend = rid
> idmap config A : range = 400000-499999
> idmap config A : base_rid = 0
>
> idmap config B : backend = rid
> idmap config B : range = 300000-399999
> idmap config B : base_rid = 0
Benedikt,
Check this bug - https://bugzilla.samba.org/show_bug.cgi?id=8676 - to
see if any of these symptoms match those of your systems when the group
loss happens.
Dale
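
Added example (not part of the original thread): a small Python check that reads a level-5 `security_token_debug` dump, applies the idmap_rid formula to each domain SID, and reports group SIDs whose expected gid has no matching `S-1-22-2-<gid>` entry. It assumes the domain SID in the log is the one covered by "idmap config A" (the log maps RID 1217 to 401217); the function names are hypothetical.

```python
import re

# Excerpt of the security token from the failed login quoted above
# (well-known SIDs and two 70000-range groups omitted).
SAMPLE_LOG = """\
SID[ 0]: S-1-5-21-1004336348-920026266-682003330-1217
SID[ 1]: S-1-5-21-1004336348-920026266-682003330-513
SID[ 2]: S-1-5-21-1004336348-920026266-682003330-1612
SID[ 3]: S-1-5-21-1004336348-920026266-682003330-1609
SID[ 4]: S-1-5-21-1004336348-920026266-682003330-1611
SID[ 8]: S-1-22-1-401217
SID[ 9]: S-1-22-2-400513
SID[ 10]: S-1-22-2-401612
SID[ 11]: S-1-22-2-401611
SID[ 12]: S-1-22-2-70000
"""

# Assumption: this domain SID is the one covered by "idmap config A".
DOMAIN_SID = "S-1-5-21-1004336348-920026266-682003330"
LOW_ID, HIGH_ID, BASE_RID = 400000, 499999, 0  # range / base_rid from smb.conf

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")

def rid_to_id(rid):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID (None if out of range)."""
    unix_id = rid - BASE_RID + LOW_ID
    return unix_id if LOW_ID <= unix_id <= HIGH_ID else None

def last_field(sid):
    return int(sid.rsplit("-", 1)[1])

def missing_groups(log_text):
    """Return (domain SID, expected gid) pairs that have no S-1-22-2-<gid> entry."""
    sids = SID_RE.findall(log_text)
    unix_uids = {last_field(s) for s in sids if s.startswith("S-1-22-1-")}
    unix_gids = {last_field(s) for s in sids if s.startswith("S-1-22-2-")}
    missing = []
    for sid in sids:
        if not sid.startswith(DOMAIN_SID + "-"):
            continue
        mapped = rid_to_id(last_field(sid))
        # Skip the user's own SID (it maps to the uid) and unmappable RIDs.
        if mapped is None or mapped in unix_uids:
            continue
        if mapped not in unix_gids:
            missing.append((sid, mapped))
    return missing

if __name__ == "__main__":
    for sid, gid in missing_groups(SAMPLE_LOG):
        print(f"{sid} should map to gid {gid}, but the UNIX token lacks it")
```

Run against the excerpt, it flags RID 1609 (expected gid 401609), the group the post identifies as the only one with read permission on the share.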