[Samba] Samba 4.4.16 %g translation fails for some users

Daulton Theodore DaultonTheodore at Cunet.Carleton.Ca
Thu Jan 4 19:03:24 UTC 2018 

Hi all,

Just migrated users to a samba 4 server on built on Solaris 11 samba pkg. Some users are mapping all required drives (G:, H:, and I:) but some are not able to map them. The affected users user log files indicate that the %g variable is being translated to '-1' instead of the users Unix group.

I would welcome any feedback or suggestions on how to resolve this issue.

>From my log file (successful map):
<snip>
[2018/01/04 11:42:32.080787,  2] ../source3/smbd/service.c:787(make_connection_snum)
  134.117.97.141 (ipv4:134.117.97.141:58747) connect to service homedir initially as user dtheodor (uid=2223, gid=1021) (pid 26156)
[2018/01/04 11:42:32.080845,  5] ../lib/dbwrap/dbwrap.c:177(dbwrap_check_lock_order)
  check lock order 1 for /var/samba/lock/smbXsrv_tcon_global.tdb
[2018/01/04 11:42:32.080907,  5] ../lib/dbwrap/dbwrap.c:145(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/samba/lock/smbXsrv_tcon_global.tdb
[2018/01/04 11:42:32.080960,  5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
[2018/01/04 11:42:39.182065,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
<snip>

>From log file for unsuccessful user:
<snip>
[2018/01/02 07:59:32.253188,  3] ../source3/smbd/service.c:536(make_connection_snum)
  Connect path is '/departments/-1/ablake' for service [homedir]
[2018/01/02 07:59:32.253286,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID root is not in a valid format
[2018/01/02 07:59:32.253627,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/01/02 07:59:32.253676,  4] ../source3/smbd/uid.c:490(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/01/02 07:59:32.253710,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
<snip>

/departments/-1/homedir should have been /departments/librss/homedir. The unix group 'librss'. Others in that group are able to login successfully with %g being translated as expected.

Here is a snip from smb.conf:
# Global parameters
[globals]
   netbios name  = willow
   server string = %L
   workgroup     = WORKGROUP NAME
   browsable     = no
   local master  = no

   allow hosts   = list of hosts allowed in

   hosts deny = 0.0.0.0/0

   security      = ADS
   realm         = <realm deleted>


   machine password timeout = 314496000
   name resolve order = wins lmhosts host bcast

   remote announce = x.x.x.x

#   wins support = yes
   wins server = v.v.v.v w.w.w.w
   winbind use default domain = true

#  force Samba to bind only to public network
   interfaces    = a.b.c.d/255.255.255.0
   bind interfaces only = yes
   socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
   deadtime     = 0

#  added 20150422
   server signing = auto
   client signing = auto

   client lanman auth = no
   client ntlmv2 auth = yes
   client plaintext auth = no
   client use spnego = yes
   client schannel = yes
   lanman auth = no
   ntlm auth = no

   server min protocol = SMB2_10
   client min protocol = SMB2
   client max protocol = SMB3

#  Encrypt all passwords stored in /etc/sfw/samba/private/smbpasswd
   encrypt passwords = yes
   username map = /etc/samba/lib/nt-names


#  not allowed to log in
   invalid users = root daemon bin sys adm lp listen sshd\
                   erl webspirs samba rob jan daulton

   writeable     = yes

#  Debug Logging information
   log level = 5
   log file = /etc/samba/var/log.%m:%U:%I
   max log size = 2000
   debug timestamp = yes

# ---------------------------------------
# Home Directory - G drive
# ---------------------------------------
[homedir]
   comment = %u
   path = /departments/%g/%u
   browseable = no
   writeable = yes
   create mode = 0700

# ------------------------------------
# Shared directory for each department - H drive
# ------------------------------------
[deptshr]
   comment = %g Shared Directory
   path = /departments/%g/common
   read only    = no
   create mask = 0770
   force create mode = 0770
   directory mask = 0770
   writable     = yes
   browseable   = yes
   invalid users = +circdesk

# --------------------------------------
# shared directory for ALL staff - I drive
# --------------------------------------
[libshare]
   comment     = Library staff shared directory
   path        = /departments/common
   browseable  = yes
   writeable   = yes
   create mask = 0777
   force create mode = 0777
   directory mask = 0777
   valid users = +libsys +libmgmt +libacq +libtech +libarc +libcat +libcirc +librs +librss +libmdgc +libgift +libcoll +libtrain +libill +libgis +libarch +libstack +libaxs +libssc +studemp +studempl +eserials +pserials +syshead +ebooks mmcclint refstud catstud

   invalid users = +circdesk train1 train2 train3 train4 train5 train6 train7 train8 train9 train10 train11 train12 train13 train14 train15 train16 train17 train18 circstud madstud ssdata1 edox1 circdesk mlspine +librsch


~~~~~~~~~~~~~~~~~~~~~~~~
Daulton Theodore
Carleton University
Library, Systems Department
Vmail: (613) 520-2600, ext. 8352

More information about the samba mailing list