[Samba] Windind (Samba 4.2.*, 4.5.2, 4.5.4) recurring resolving failure for some specific users
Alain-Pierre Perrin
alain-pierre.perrin at efs.sante.fr
Tue Feb 21 19:09:58 UTC 2017
Hello Volker.
I come back after a long time. I captured today two Samba traces (log
level globally cranked to 10) comparing, with a problematic user,
a successful session and, later, a failed one. With one "net cache
flush", the session will succeed again and... later (can be 2 minutes,
can be 40), will fail again. This elusive bug is killing me.
For some really annoyed users I recreated their AD account from
scratch and the new user, with the same group memberships, works
perfectly... but I'd really like to understand what is the mysterious
AD property making Samba stutter.
Here is the pivotal point in the traces :
1: Successful session
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] Create local NT token for problemuser
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] Parsing value for key [IDMAP/SID2XID/S-1-5-21-4107461286-2373360197-1842339316-6863]: value=[36863:B]
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] Parsing value for key [IDMAP/SID2XID/S-1-5-21-4107461286-2373360197-1842339316-6863]: id=[36863], endptr=[:B]
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] sid S-1-5-21-4107461286-2373360197-1842339316-6863 -> uid 36863
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] sys_getgrouplist: user [problemuser]
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] gid 30513 -> sid S-1-5-21-4107461286-2373360197-1842339316-513
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[xxxx-xx-xx xx:xx:xx, 5, pid=xxx, effective(0, 0), real(0, 0)] Security token: (NULL)
[xxxx-xx-xx xx:xx:xx, 5, pid=xxx, effective(0, 0), real(0, 0)] UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] get_privileges: No privileges assigned to SID [S-1-5-21-4107461286-2373360197-1842339316-6863]
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] get_privileges: No privileges assigned to SID [S-1-5-21-4107461286-2373360197-1842339316-513]
[xxxx-xx-xx xx:xx:xx, 4, pid=xxx, effective(0, 0), real(0, 0)] get_privileges: No privileges assigned to SID [S-1-5-21-4107461286-2373360197-1842339316-8531]
(...long enumeration of groups...)
2: Failed session
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] Create local NT token for problemuser
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] Parsing value for key [IDMAP/SID2XID/S-1-5-21-4107461286-2373360197-1842339316-6863]: value=[36863:B]
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] Parsing value for key [IDMAP/SID2XID/S-1-5-21-4107461286-2373360197-1842339316-6863]: id=[36863], endptr=[:B]
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] sid S-1-5-21-4107461286-2373360197-1842339316-6863 -> uid 36863
[xxxx-xx-xx xx:xx:xx, 1, pid=xxx, effective(0, 0), real(0, 0)] SID S-1-5-21-4107461286-2373360197-1842339316-6863 -> getpwuid(36863) failed
[xxxx-xx-xx xx:xx:xx, 3, pid=xxx, effective(0, 0), real(0, 0)] Failed to finalize nt token
[xxxx-xx-xx xx:xx:xx, 10, pid=xxx, effective(0, 0), real(0, 0)] create_local_token failed: NT_STATUS_UNSUCCESSFUL
[xxxx-xx-xx xx:xx:xx, 1, pid=xxx, effective(0, 0), real(0, 0)] Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
On a hunch, I tried to strip the account from its SIDhistory,
inherited from a recent AD to AD migration but the result remained the
same. I also migrated from Samba 4.5.2 to 4.5.4 (Debian testing).
Thanks in advance. I realize how hard it can be to harden Samba
because it's impossible to test it against all the Active directory
directories running in the world.
Alain-Pierre Perrin
More information about the samba
mailing list