[Samba] Users lose supplementary groups after a time

Orion Poplawski orion at nwra.com
Thu May 14 17:46:03 UTC 2020

All -

  I seem to be suffering from the common complaint that users lose
supplementary group access after a while - in our case it seems to be
connections left overnight.  Restarting smb fixes it.  I haven't been able to
determine the cause.

  From the logs I've been able to determine a bad access looks something like

AuthZ reports a S-1-5-21- SID:

[2020/05/14 09:49:40.474490,  4]
  Successful AuthZ: [lsarpc,ncacn_np] user [DOMAIN]\[user]
[S-1-5-21-DOMAIN_SID] at [Thu, 14 May 2020 09:49:40.474481 PDT] Remote host
[ipv4:Y.Y.Y.Y:54184] local host [ipv4:X.X.X.X:445]
  {"timestamp": "2020-05-14T09:49:40.474546-0700", "type": "Authorization",
"Authorization": {"version": {"major": 1, "minor": 1}, "localAddress":
"ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:54184",
"serviceDescription": "lsarpc", "authType": "ncacn_np", "domain": "DOMAIN",
"account": "user", "sid": "S-1-5-21-DOMAIN_SID", "sessionId":
"50d682c6-196e-44fa-9999-abe8e33bfd1c", "logonServer": "ADSERVER",
"transportProtection": "SMB", "accountFlags": "0x00000214"}}


[2020/05/14 09:46:37.381633,  5]
  Security token SIDs (39):

and the SIDs listed will be domain SIDs prefixed by S-1-5-21-.  And we will get
0 supplementary groups:

[2020/05/14 09:46:37.381898,  5]
  UNIX token of user 21678
  Primary group is 21678 and contains 0 supplementary groups

Also relevant errors seem to be:

[2020/05/12 13:13:29.395726,  5]
  Trying _Get_Pwnam(), username as lowercase is domain\user
[2020/05/12 13:13:29.395740,  5]
  Get_Pwnam_internals did find user [DOMAIN\user]!
[2020/05/12 13:13:29.399159,  5]
  winbind failed to find a uid for sid S-1-5-21-DOMIAN_SID

though I think that is to be expected at this point as we are not using
winbind idmapping to map AD users, but rather we have an IPA - AD trust and so
have local unix users already.

On a successful connection/session we will see:

[2020/05/14 10:08:29.078174,  5]
  ../../source3/auth/auth_generic.c:180OK: user: user domain: DOMAIN client:
[2020/05/14 10:08:29.078463,  4]
  Successful AuthZ: [SMB2,krb5] user [DOMAIN]\[user] [S-1-22-1-21678] at [Thu,
14 May 2020 10:08:29.078442 PDT] Remote host [ipv4:X.X.X.X:61595] local host
  {"timestamp": "2020-05-14T10:08:29.078943-0700", "type": "Authorization",
"Authorization": {"version": {"major": 1, "minor": 1}, "localAddress":
"ipv4:x.x.x.x:445", "remoteAddress": "ipv4:x.x.x.x:61595",
"serviceDescription": "SMB2", "authType": "krb5", "domain": "DOMAIN",
"account": "user", "sid": "S-1-22-1-21678", "sessionId":
"7aaba59b-02c3-4c2f-b8c2-79f85a012d3c", "logonServer": "ADSERVER",
"transportProtection": "SMB", "accountFlags": "0x00000214"}}

[2020/05/14 10:08:29.181352,  5]
  Security token SIDs (37):

will list S-1-22- type SIDs

and we will get our supplementary groups:

  Primary group is 1001 and contains 33 supplementary groups

I have seen unsuccessful AuthZ messages with type [SMB2,krb5] as well.

Server is Scientific Linux release 7.8

        workgroup = DOMAIN
        security = ads
        realm = AD.DOMAIN
# Workaround unix group issue (https://bugzilla.samba.org/show_bug.cgi?id=10618)
        username map script = /bin/echo

Is the above now causing more issues?

Recent changes that I can think of are the 7.8 update and configuring AD
sites.  Though I think this problem has likely been occurring for a long time
- but for some reason we are seeing more connections left overnight.

Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
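
The two log patterns the message associates with a bad session (an AuthZ record carrying a domain S-1-5-21- SID, and a UNIX token with 0 supplementary groups) can be pulled out of a level 5 smbd log with a short scanner. This is an added example, not part of the original post or of Samba; it assumes the record layout quoted above, and the sample lines, the EXAMPLE domain, the user alice and the SID digits are constructed.

```python
import re

# Record header as quoted in the post: "[2020/05/14 09:49:40.474490,  4]"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]")
AUTHZ = re.compile(r"Successful AuthZ: \[([^\]]*)\] user \[([^\]]*)\]\\\[([^\]]*)\] \[(S-[\d-]+)\]")
TOKEN = re.compile(r"UNIX token of user (\d+)\s+Primary group is (\d+) and contains (\d+) supplementary groups")

def records(lines):
    """Yield (timestamp, message); continuation lines are joined to their header."""
    ts, buf = None, []
    for line in lines:
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(buf)
            ts, buf = m.group(1), [line[m.end():].strip()]
        elif ts is not None:
            buf.append(line.strip())
    if ts is not None:
        yield ts, " ".join(buf)

def findings(lines):
    """Return (timestamp, kind, detail) for each record matching a bad-session pattern."""
    out = []
    for ts, msg in records(lines):
        m = AUTHZ.search(msg)
        if m and m.group(4).startswith("S-1-5-21-"):   # not mapped to S-1-22-1-<uid>
            out.append((ts, "authz-domain-sid", m.group(2) + "\\" + m.group(3) + " via " + m.group(1)))
        m = TOKEN.search(msg)
        if m and int(m.group(3)) == 0:
            out.append((ts, "no-supplementary-groups", "uid " + m.group(1)))
    return out

# Constructed sample: one bad session followed by one good session.
SAMPLE = r"""
[2020/05/14 09:49:40.474490,  4]
  Successful AuthZ: [lsarpc,ncacn_np] user [EXAMPLE]\[alice] [S-1-5-21-1111-2222-3333-1105] at [...]
[2020/05/14 09:49:40.481000,  5]
  UNIX token of user 21678
  Primary group is 21678 and contains 0 supplementary groups
[2020/05/14 10:08:29.078463,  4]
  Successful AuthZ: [SMB2,krb5] user [EXAMPLE]\[alice] [S-1-22-1-21678] at [...]
[2020/05/14 10:08:29.181352,  5]
  UNIX token of user 21678
  Primary group is 1001 and contains 33 supplementary groups
""".splitlines()

if __name__ == "__main__":
    for ts, kind, detail in findings(SAMPLE):
        print(ts, kind, detail)
```

Running it against a real log and comparing the timestamps of the first hit per user with connection start times shows how long a session had been open before its token lost the groups.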
