[Samba] Users loose supplementary groups after a time

Orion Poplawski orion at nwra.com
Thu May 14 18:24:23 UTC 2020 

On 5/14/20 11:46 AM, Orion Poplawski wrote:
> All -
> 
>   I seem to be suffering from the common complaint that users loose
> supplementary group access after a while - in our case it seems to be
> connections left overnight.  Restarting smb fixes it.  I haven't been able to
> determine the cause.
> 
>   From the logs I've been able to determine a bad access looks something like
> this:
> 
> AuthZ reports a S-1-5-21- SID:
> 
> [2020/05/14 09:49:40.474490,  4]
> ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>   Successful AuthZ: [lsarpc,ncacn_np] user [DOMAIN]\[user]
> [S-1-5-21-DOMAIN_SID] at [Thu, 14 May 2020 09:49:40.474481 PDT] Remote host
> [ipv4:Y.Y.Y.Y:54184] local host [ipv4:X.X.X.X:445]
>   {"timestamp": "2020-05-14T09:49:40.474546-0700", "type": "Authorization",
> "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress":
> "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:54184",
> "serviceDescription": "lsarpc", "authType": "ncacn_np", "domain": "DOMAIN",
> "account": "user", "sid": "S-1-5-21-DOMAIN_SID", "sessionId":
> "50d682c6-196e-44fa-9999-abe8e33bfd1c", "logonServer": "ADSERVER",
> "transportProtection": "SMB", "accountFlags": "0x00000214"}}
> 
> then:
> 
> [2020/05/14 09:46:37.381633,  5]
> ../../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (39):
> 
> and the SIDs listed will be domain SIDs prefixed by S1-5-21-.  And we will get
> 0 supplementary groups:
> 
> 
> [2020/05/14 09:46:37.381898,  5]
> ../../source3/auth/token_util.c:866(debug_unix_user_token)
>   UNIX token of user 21678
>   Primary group is 21678 and contains 0 supplementary groups
> 
> 
> Also relevant errors seem to be:
> 
> [2020/05/12 13:13:29.395726,  5]
> ../../source3/lib/username.c:120(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is domain\user
> [2020/05/12 13:13:29.395740,  5]
> ../../source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals did find user [DOMAIN\user]!
> [2020/05/12 13:13:29.399159,  5]
> ../../source3/passdb/lookup_sid.c:1400(sid_to_uid)
>   winbind failed to find a uid for sid S-1-5-21-DOMIAN_SID
> 
> though I think that is to be expected at this point as we are not using
> winbind idmapping to map AD users, but rather we have an IPA - AD trust and so
> have local unix users already.
> 
> 
> On a successful connection/session we will see:
> 
> [2020/05/14 10:08:29.078174,  5]
> ../../source3/auth/auth_generic.c:180(auth3_generate_session_info_pac)
>   ../../source3/auth/auth_generic.c:180OK: user: user domain: DOMAIN client:
> [2020/05/14 10:08:29.078463,  4]
> ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>   Successful AuthZ: [SMB2,krb5] user [DOMAIN]\[user] [S-1-22-1-21678] at [Thu,
> 14 May 2020 10:08:29.078442 PDT] Remote host [ipv4:X.X.X.X:61595] local host
> [ipv4:X.X.X.X:445]
>   {"timestamp": "2020-05-14T10:08:29.078943-0700", "type": "Authorization",
> "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress":
> "ipv4:x.x.x.x:445", "remoteAddress": "ipv4:x.x.x.x:61595",
> "serviceDescription": "SMB2", "authType": "krb5", "domain": "DOMAIN",
> "account": "user", "sid": "S-1-22-1-21678", "sessionId":
> "7aaba59b-02c3-4c2f-b8c2-79f85a012d3c", "logonServer": "ADSERVER",
> "transportProtection": "SMB", "accountFlags": "0x00000214"}}
> 
> [2020/05/14 10:08:29.181352,  5]
> ../../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (37):
> 
> will list S-1-22- type SIDs
> 
> and we will get our supplementary groups:
> 
>   Primary group is 1001 and contains 33 supplementary groups
> 
> I have seen unsuccessful AuthZ messages with type [SMB2,krb5] as well.
> 
> 
> Server is Scientific Linux release 7.8
> samba-4.10.4-10.el7.x86_64
> 
>         workgroup = DOMAIN
>         security = ads
>         realm = AD.DOMAIN
> # Workaround unix group issue (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>         username map script = /bin/echo
> 
> Is the above now causing more issues?
> 
> 
> Recent changes that I can think of are then 7.8 update and configuring AD
> sites.  Though I think this problem has likely been occurring for a long time
> - but for some reason we are seeing more connections left overnight.

So, the transition between the successful AuthZ and the unsuccessful ones
appear to involve this (though I can find one example that doesn't):

[2020/05/14 01:22:03.321905,  3]
../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NETWORK_SESSION_EXPIRED] || at
../../source3/smbd/smb2_server.c:2513
[2020/05/14 01:22:03.337393,  4]
../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/05/14 01:22:03.337453,  5]
../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)


But perhaps that's just a side effect of long sessions as well.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

More information about the samba mailing list