[Samba] Domain users are losing their groups after some time.

Mayamurugan M mmuruganngt at gmail.com
Mon Mar 5 05:55:41 MST 2012


Dear all,

I want to install a Solaris 8 Samba server.
Kindly guide me on the basic download version and
the basic installation setup.
Example: pkgadd and patchadd and download Samba server.

On 3/2/12, Benedikt Schindler <BeniSchindler at gmx.de> wrote:
> Samba version : 3.6.3
> Filesystem :    BTRFS
> Clients :       XP, Win7
> Log Level :     5
>
>
> When we start our samba server everything works fine.
> After a few days, some of our users are not allowed to connect to shares
> anymore. When we restart the clients they can connect for a short time
> and then they have the same problem again.
>
> When we restart the server everything works fine for a few days again.
> We set the "winbind offline logon = yes" and it slowed down the process,
> but didn't stop it.
>
> After a long search I think I found the problem.
>
> The user has "401217" as mapped ID,
> and should be in the groups
>   400513
>   401612
>   401609
>   401611
>
> But samba just put him into
>   400513
>   401612
>   401611
>
> So samba lost one group. And that's the reason the user is not allowed to
> connect to the share, because only the group 401609 has a read permission.
>
> Any ideas how that could happen?
>
>
> Here is a log of a "failed" login:
>
>
> [2012/03/02 11:37:52.842978,  5] ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (15):
>     SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
>     SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
>     SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
>     SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
>     SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
>     SID[  5]: S-1-1-0
>     SID[  6]: S-1-5-2
>     SID[  7]: S-1-5-11
>     SID[  8]: S-1-22-1-401217
>     SID[  9]: S-1-22-2-400513
>     SID[ 10]: S-1-22-2-401612
>     SID[ 11]: S-1-22-2-401611
>     SID[ 12]: S-1-22-2-70000
>     SID[ 13]: S-1-22-2-70002
>     SID[ 14]: S-1-22-2-70011
>    Privileges (0x               0):
>    Rights (0x               0):
> [2012/03/02 11:37:52.843247,  5] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 401217
>   Primary group is 400513 and contains 6 supplementary groups
>   Group[  0]: 400513
>   Group[  1]: 401612
>   Group[  2]: 401611
>   Group[  3]: 70000
>   Group[  4]: 70002
>   Group[  5]: 70011
> [2012/03/02 11:37:52.843372,  5] smbd/uid.c:317(change_to_user_internal)
>   Impersonated user: uid=(0,401217), gid=(0,400513)
> [2012/03/02 11:37:52.843408,  4] smbd/vfs.c:780(vfs_ChDir)
>   vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843443,  4] smbd/vfs.c:780(vfs_ChDir)
>   vfs_ChDir to /home/data
> [2012/03/02 11:37:52.843476,  3] smbd/service.c:190(set_current_service)
>   chdir (/home/data) failed, reason: Keine Berechtigung
> [2012/03/02 11:37:52.843509,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
>
>
>
>
> Configuration parts that are maybe interesting:
> smb.conf:
>
>
> security = ADS
>
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> nt acl support = yes
> vfs objects = acl_xattr
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
> allow trusted domains = yes
>
> idmap config * : backend     = rid
> idmap config * : range       = 70000-99999
> idmap config * : base_rid    = 0
>
> idmap config A : backend     = rid
> idmap config A : range       = 400000-499999
> idmap config A : base_rid    = 0
>
> idmap config B : backend     = rid
> idmap config B : range       = 300000-399999
> idmap config B : base_rid    = 0
>
>
>
>
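
Added example (not part of the original posts, and not Samba code): a Python check for the symptom in the quoted log. It maps each domain group SID in the security token through the idmap rid formula (ID = RID - base_rid + range low) with the values from the quoted smb.conf, and reports any whose gid is absent from the UNIX token. The sample log is a trimmed copy of one login's token dump, the function names are illustrative, and SID[0] is assumed to be the user's own SID.

```python
import re

# Values taken from the quoted log and the quoted "idmap config A" lines.
DOMAIN_SID = "S-1-5-21-1004336348-920026266-682003330"
RANGE_LOW, RANGE_HIGH, BASE_RID = 400000, 499999, 0

# Constructed sample: one login's token dump, trimmed from the quoted level-5 log.
SAMPLE_LOG = """\
[2012/03/02 11:37:52.842978,  5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (15):
    SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
    SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
    SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
    SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
    SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
    SID[  9]: S-1-22-2-400513
[2012/03/02 11:37:52.843247,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 401217
  Primary group is 400513 and contains 3 supplementary groups
  Group[  0]: 400513
  Group[  1]: 401612
  Group[  2]: 401611
"""

SID_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)")
GID_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")

def rid_to_gid(sid):
    """idmap rid mapping; None if the SID is outside this domain or range."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != DOMAIN_SID:
        return None
    gid = int(rid) - BASE_RID + RANGE_LOW
    return gid if RANGE_LOW <= gid <= RANGE_HIGH else None

def dropped_groups(log_text):
    """Return (sid, expected_gid) for token group SIDs with no matching UNIX gid."""
    unix_gids = {int(g) for g in GID_RE.findall(log_text)}
    missing = []
    for index, sid in SID_RE.findall(log_text):
        if int(index) == 0:  # assumption: SID[0] is the user SID, not a group
            continue
        gid = rid_to_gid(sid)
        if gid is not None and gid not in unix_gids:
            missing.append((sid, gid))
    return missing
```

On the sample, dropped_groups(SAMPLE_LOG) returns the single entry for RID 1609 with expected gid 401609. Feed it one login's token dump at a time, since it does not separate sessions.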

