[Samba] Shares stopped working for groups

Nick Howitt nick at howitts.co.uk
Fri Jul 17 18:57:25 UTC 2020

I have a ClearOS 7.8 system which is running 
samba-4.10.4-11.el7_8.x86_64, and it upgraded to this just over a week 
ago (probably not relevant). A couple of days ago all the group shares 
failed. I discovered that if I switched them to the built-in group 
"allusers" the share worked fine. It fails for any user-defined group 
but it used to work. Samba is running as a PDC and the configs, 
including one share are:

    [root at server ~]# testparm -s
    Load smb config files from /etc/samba/smb.conf
    NOTE: Service profiles is flagged unavailable.
    Loaded services file OK.
    'winbind separator = +' might cause problems with group membership.

    Server role: ROLE_DOMAIN_PDC

    # Global parameters
             add machine script = /usr/sbin/samba-add-machine "%u"
             domain logons = Yes
             domain master = Yes
             guest account = guest
             interfaces = lo enp8s0f0
             ldap admin dn = cn=manager,ou=Internal,dc=sha,dc=lan
             ldap connection timeout = 8
             ldap group suffix = ou=Groups,ou=Accounts
             ldap idmap suffix = ou=Idmap
             ldap machine suffix = ou=Computers,ou=Accounts
             ldap ssl = no
             ldap suffix = dc=sha,dc=lan
             ldap user suffix = ou=Users,ou=Accounts
             log file = /var/log/samba/%L-%m
             logon drive = H:
             logon home = \\%L\%U
             logon path =
             logon script = logon.cmd
             max log size = 0
             ntlm auth = ntlmv1-permitted
             passdb backend = ldapsam:ldap://
             passwd chat = *password:* %n\n *password:* %n\n *successfully.*
             passwd chat timeout = 10
             passwd program = /usr/sbin/userpasswd %u
             preferred master = Yes
             printcap name = /etc/printcap
             security = USER
             server string = ClearOS Server
             template homedir = /home/%U
             template shell = /sbin/nologin
             unix password sync = Yes
             username map = /etc/samba/smbusers
             utmp = Yes
             winbind enum groups = Yes
             winbind enum users = Yes
             winbind expand groups = 1
             winbind separator = +
             winbind use default domain = Yes
             wins support = Yes
             workgroup = SHA
             idmap config * : ldap_user_dn =
             idmap config * : ldap_base_dn = ou=Idmap,dc=sha,dc=lan
             idmap config * : ldap_url = ldap://
             idmap config * : range = 20000000-29999999
             idmap config * : backend = ldap
             include = /etc/samba/flexshare.conf

             comment = test
             create mask = 0664
             directory mask = 0775
             path = /var/flexshare/shares/test
             read only = No
             valid users = @%D\admin @admin
             veto files = /.flexshare*/

If I try using smbclient I get:

    [root at server shares]# smbclient //localhost/test -c 'ls' -U clearcenter
    Enter SHA\clearcenter's password:
    tree connect failed: NT_STATUS_ACCESS_DENIED

If I change the valid users to the "allusers" group and change the 
folder permissions, it works fine.

I get:

    [root at server ~]# wbinfo --group-info='staff'
    failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for group staff

    [root at server ~]# wbinfo --group-info='allusers'

    [root at server shares]# net groupmap list
    allusers (S-1-5-21-1661951805-1908507638-2940817366-63000) -> allusers
    Guests (S-1-5-32-546) -> guests
    dropbox_plugin (S-1-5-21-1661951805-1908507638-2940817366-60000) ->
    imap_plugin (S-1-5-21-1661951805-1908507638-2940817366-60001) ->
    openvpn_plugin (S-1-5-21-1661951805-1908507638-2940817366-60002) ->
    (S-1-5-21-1661951805-1908507638-2940817366-60003) -> print_server_plugin
    smtp_plugin (S-1-5-21-1661951805-1908507638-2940817366-60004) ->
    (S-1-5-21-1661951805-1908507638-2940817366-60005) ->
    Domain Admins (S-1-5-21-1661951805-1908507638-2940817366-512) ->
    Domain Users (S-1-5-21-1661951805-1908507638-2940817366-513) ->
    Domain Guests (S-1-5-21-1661951805-1908507638-2940817366-514) ->
    Domain Computers (S-1-5-21-1661951805-1908507638-2940817366-515) ->
    Administrators (S-1-5-32-544) -> administrators
    Users (S-1-5-32-545) -> users
    Power Users (S-1-5-32-547) -> power_users
    Account Operators (S-1-5-32-548) -> account_operators
    Server Operators (S-1-5-32-549) -> server_operators
    Print Operators (S-1-5-32-550) -> print_operators
    Backup Operators (S-1-5-32-551) -> backup_operators
    executive (S-1-5-21-1661951805-1908507638-2940817366-60006) -> executive
    staff (S-1-5-21-1661951805-1908507638-2940817366-60007) -> staff
    visitors (S-1-5-21-1661951805-1908507638-2940817366-60008) -> visitors
    admin (S-1-5-21-1661951805-1908507638-2940817366-60009) -> admin

One of the Samba logs goes:

    [2020/07/16 05:29:48.583319,  1]
       create_connection_session_info: user 'clearcenter' (from session
    setup) not permitted to access this share (test)

I notice the messages log gives:

    Jul 16 04:34:28 server winbindd[21471]: [2020/07/16
    04:34:28.069299,  0]
    Jul 16 04:34:28 server winbindd[21471]:  get_credentials: Unable to
    fetch auth credentials for cn=manager,ou=Internal,dc=sha,dc=lan in *

I have tried clearing the winbindd_cache.tdb and gencache.tdb but am 
wary of clearing anything else without instruction.

Please can you help me?



More information about the samba mailing list