[Samba] Is Samba unable to resolve secondary group membership?

Rowland penny rpenny at samba.org
Fri Oct 9 10:29:17 UTC 2020


On 09/10/2020 11:00, Michael Schwarz via samba wrote:
> Hi all,
>
> I read the logfiles again and again and stumbled over some lines:
>
> [2020/10/07 11:25:45.191784,  5] 
> ../../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (38):
>     SID[  0]: S-1-5-21-3542048200-3079820972-537594794-55128
>     SID[  1]: S-1-5-21-3542048200-3079820972-537594794-513
>     SID[  2]: S-1-5-21-3542048200-3079820972-537594794-211797
>     SID[  3]: S-1-5-21-3542048200-3079820972-537594794-92780
>     SID[  4]: S-1-5-21-3542048200-3079820972-537594794-214631
>     SID[  5]: S-1-5-21-3542048200-3079820972-537594794-5516
>     SID[  6]: S-1-5-21-3542048200-3079820972-537594794-123946
>     SID[  7]: S-1-5-21-3542048200-3079820972-537594794-73686
>     SID[  8]: S-1-5-21-3542048200-3079820972-537594794-101266
>     SID[  9]: S-1-5-21-3542048200-3079820972-537594794-84994
>     SID[ 10]: S-1-5-21-3542048200-3079820972-537594794-58615
>     SID[ 11]: S-1-5-21-3542048200-3079820972-537594794-62264
>     SID[ 12]: S-1-5-21-3542048200-3079820972-537594794-73690
>     SID[ 13]: S-1-5-21-3542048200-3079820972-537594794-211816
>     SID[ 14]: S-1-5-21-3542048200-3079820972-537594794-63615
>     SID[ 15]: S-1-5-21-3542048200-3079820972-537594794-75305
>     SID[ 16]: S-1-5-21-3542048200-3079820972-537594794-211815
>     SID[ 17]: S-1-5-21-3542048200-3079820972-537594794-211804
>     SID[ 18]: S-1-5-21-3542048200-3079820972-537594794-211820
>     SID[ 19]: S-1-5-21-3542048200-3079820972-537594794-211818
>     SID[ 20]: S-1-5-21-3542048200-3079820972-537594794-22920
>     SID[ 21]: S-1-5-21-3542048200-3079820972-537594794-92746
>     SID[ 22]: S-1-5-21-3542048200-3079820972-537594794-211805
>     SID[ 23]: S-1-5-21-3542048200-3079820972-537594794-92828
>     SID[ 24]: S-1-5-21-3542048200-3079820972-537594794-73088
>     SID[ 25]: S-1-5-21-3542048200-3079820972-537594794-211799
>     SID[ 26]: S-1-5-21-3542048200-3079820972-537594794-169945
>     SID[ 27]: S-1-5-21-3542048200-3079820972-537594794-211819
>     SID[ 28]: S-1-5-21-3542048200-3079820972-537594794-128864
>     SID[ 29]: S-1-5-21-3542048200-3079820972-537594794-101268
>     SID[ 30]: S-1-5-21-3542048200-3079820972-537594794-128934
>     SID[ 31]: S-1-1-0
>     SID[ 32]: S-1-5-2
>     SID[ 33]: S-1-5-11
>     SID[ 34]: S-1-5-32-545
>     SID[ 35]: S-1-22-1-20597
>     SID[ 36]: S-1-22-2-10000
>     SID[ 37]: S-1-22-2-10000001
>    Privileges (0x               0):
>    Rights (0x               0):
> [2020/10/07 11:25:45.191945,  5] 
> ../../source3/auth/token_util.c:866(debug_unix_user_token)
>   UNIX token of user 20597
>   Primary group is 10000 and contains 1 supplementary groups
>   Group[  0]: 10000001
>
> If I read the lines correctly, the S-1-5-21 SIDs are the ones which come 
> from the ADS.

Yes, that is correct, they are the AD domain users and groups.

> The SIDs starting with S-1-22 are the ones which are built from the Unix 
> user and Unix groups the user is in. So it seems to me that Samba 
> doesn't read the Unix group memberships while building this security 
> context. Is this behavior correct?

Yes, that is correct. You are using the winbind 'ad' backend, so 
anything that doesn't come from AD is ignored because they are local 
Unix users or groups. The OS will use them, but Samba will not. If you 
want Samba to use them, remove them from /etc/passwd or /etc/group and 
put them in AD.

>
> Unix user 20597 has a primary group id 10000 and 27 supplementary 
> groups. None of these groups has an id of 10000001. Besides this, 
> shouldn't these groups also appear in the security token / unix user 
> token?

This is the problem: the IDs '20597' and '10000' are inside the domain 
range you have set in smb.conf, yet they are undoubtedly local Unix IDs.

Rowland
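
A check for the condition described in the reply above, as an added example that is not part of the original message and not Samba's own code: it reads the `idmap config ... : range` lines from smb.conf text and lists local passwd/group entries whose numeric ID falls inside a winbind range. The smb.conf contents, the domain name EXAMPLE and the local account names are constructed assumptions; only the IDs 20597 and 10000 come from the quoted log.

```python
import re

# Constructed sample inputs: the poster's smb.conf, /etc/passwd and /etc/group
# are not shown in the thread, so the ranges, domain and names are assumptions.
# Only the IDs 20597 and 10000 are taken from the quoted log.
SMB_CONF = """\
[global]
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
"""
PASSWD = "root:x:0:0:root:/root:/bin/sh\nlocaluser:x:20597:10000::/home/localuser:/bin/sh\n"
GROUP = "root:x:0:\nlocalgrp:x:10000:localuser\nbackup:x:34:localuser\n"

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I | re.M)

def idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(smb_conf)}

def local_ids(text):
    """Yield (name, id) from passwd- or group-format text (the ID is field 3)."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            yield fields[0], int(fields[2])

def overlaps(smb_conf, passwd, group):
    """List local users/groups whose ID falls inside any winbind idmap range."""
    ranges = idmap_ranges(smb_conf)
    hits = []
    for kind, text in (("user", passwd), ("group", group)):
        for name, num in local_ids(text):
            for domain, (low, high) in ranges.items():
                if low <= num <= high:
                    hits.append((kind, name, num, domain))
    return hits

if __name__ == "__main__":
    for kind, name, num, domain in overlaps(SMB_CONF, PASSWD, GROUP):
        print(f"local {kind} {name} ({num}) is inside the idmap range of {domain}")
```

On a real host, pass the contents of the actual smb.conf, /etc/passwd and /etc/group to `overlaps()` instead of the constructed strings.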





